Written by Tech Notes
Category: SSH
Published: 02 May 2014

Enable (Allow) Or Disable Root Login For SSH On Linux

The switch that controls root login via SSH (specifically OpenSSH) is PermitRootLogin in the sshd_config file, typically located in /etc/ssh on Linux distributions such as Fedora, CentOS, Red Hat, and many others.

To allow or disallow (disable) root login, do the following.


  1. Edit the /etc/ssh/sshd_config file.
    You can use any text editor.  For example, with Vim (vi): vi /etc/ssh/sshd_config

  2. Locate the PermitRootLogin line within the sshd_config file.

  3. Set the switch to yes or no to allow or disallow root login, respectively.
    1. To disable (disallow) root login:
      PermitRootLogin no

      To enable (allow) root login:
      PermitRootLogin yes

    2. Also do this when you are disabling root login totally (meaning not allowing SSH for root).
      Edit or add these lines in the sshd_config file to include root.
      DenyUsers root
      DenyGroups root

      If you have a group called nossh, you can make the DenyGroups line this:
      DenyGroups root nossh

      If you have the above DenyUsers and DenyGroups lines in your sshd_config file, login with the root username should still be denied even if you set "PermitRootLogin yes".

  4. Save your changes.  In Vim (vi), this is done by entering :wq

  5. Restart SSH with whichever of these commands applies to your system:
    /etc/rc.d/init.d/sshd restart

    /etc/init.d/sshd restart

    service sshd restart
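
A read-only check for the result of steps 3 to 5, added here as an example and not part of the original article. It reports whether a config file denies root through DenyUsers, DenyGroups or PermitRootLogin, which makes visible that the Deny lines win over "PermitRootLogin yes". The function name root_ssh_state and its output labels are made up for illustration, and the parsing assumptions are listed in the comments.

```shell
#!/bin/sh
# Added example: report how one sshd_config file treats root logins.
# Assumptions: only the global section is read (parsing stops at the first
# Match block), Include files are not followed, the "keyword=value" form is
# not handled, and only a literal "root" entry is recognised in DenyUsers
# and DenyGroups (no wildcard or user@host patterns).
root_ssh_state() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        { key = tolower($1) }            # keywords are case-insensitive
        key == "match" { exit }          # END still runs after exit
        # sshd uses the first value it finds for PermitRootLogin
        key == "permitrootlogin" && prl == "" { prl = tolower($2) }
        key == "denyusers"  { for (i = 2; i <= NF; i++) if ($i == "root") du = 1 }
        key == "denygroups" { for (i = 2; i <= NF; i++) if ($i == "root") dg = 1 }
        END {
            if (du)               print "denied-by-DenyUsers"
            else if (dg)          print "denied-by-DenyGroups"
            else if (prl == "no") print "denied-by-PermitRootLogin"
            else if (prl == "")   print "default"   # no line set; built-in default applies
            else                  print "allowed:" prl
        }
    ' "$1"
}

# Constructed sample config: root login switched on, but root also denied.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
DenyUsers root
DenyGroups root nossh
EOF
root_ssh_state "$demo"    # prints denied-by-DenyUsers
rm -f "$demo"
```

To see the settings the daemon itself resolves, including Match blocks and Include files, run sshd -T as root; sshd -t checks the file for syntax errors before a restart.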


I have not mentioned the use of AllowUsers and AllowGroups because in this case we are allowing other users SSH login while blocking those listed in DenyUsers and DenyGroups, and disabling root login via PermitRootLogin no.

If AllowUsers and/or AllowGroups is used then, as the documentation indicates, login is allowed only for user names that match one of the patterns, which suggests that login attempts by all other user names would be rejected.  So that is another way of doing it if you want to narrow SSH access to only a limited number of users or a specific user group.

