Disable the root access and permit it via su user In Linux
Everybody knows that the IT industry has grown enormously and now provides end-to-end support for most clients.
During that evolution many new technologies have been implemented, proven successful and adopted by most industries.
At the same time there has been a lot of regression on the security side. Risk is always present, but we have to protect against it.
On a Linux system we need to enable or disable certain features to prevent such attempts.
By default, direct login as the root user is enabled. If the system is reachable from the internet, it is not a good idea to keep that access open.
This is one of those parameters, so I advise you to disable direct root access and permit it only via a regular user who can su or sudo to root.
It can be done in the following three ways.
- Set PermitRootLogin to no in the /etc/ssh/sshd_config file.
- Add the root user to the DenyUsers list in the /etc/ssh/sshd_config file.
- Deny the root user via the /etc/ssh/sshd.deny file and pam_listfile.
Step-1: How To Create A New User In Linux?
If you would like to use an existing user, you can skip this step. Run the following single command to create a new user together with its password (openssl passwd -1 produces an MD5-crypt hash of the given password).
# useradd -p $(openssl passwd -1 ladmin@123) ladmin
Step-2: How To Add A User Into Elevated Group In Linux?
Make a note: add the user to the wheel group on RHEL-based systems such as RedHat, CentOS and OEL. On Debian-based systems such as Debian, Ubuntu and LinuxMint, add the user to the sudo or admin group. Use the -a (append) flag together with -G; without it, usermod -G replaces the user's existing supplementary groups instead of adding to them.
# usermod -aG wheel ladmin
# usermod -aG sudo ladmin
We can double-check this by running the following command.
# getent group wheel
wheel:x:10:ladmin
# getent group sudo
sudo:x:27:ladmin
Step-3: How To Disable Direct root Login In Linux?
As I said at the beginning of the article, it can be done in three ways, and you can choose whichever suits you.
Step-3a: Disable PermitRootLogin In The /etc/ssh/sshd_config File
I prefer this method because it is very simple. To do so, just run the following command. Note that the sed expression only matches the default commented line "#PermitRootLogin yes" shipped by CentOS/RHEL; on distributions whose default line reads "#PermitRootLogin prohibit-password" it changes nothing, so always verify the result with the grep below.
# sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
You can double-check this by running the following command.
# grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
That's it. Just restart the ssh service and see the result.
# systemctl restart sshd
# service sshd restart
Simply open a new terminal or session and try to access the Linux system as root. The root user is no longer allowed to log in and you will get an error message as shown below.
# ssh root@<server>
root@<server>'s password:
Permission denied, please try again.
Output:
Mar 18 18:15:16 CentOS7 unix_chkpwd[8319]: password check failed for user (root)
Mar 18 18:15:16 CentOS7 sshd[8317]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.3 user=root
Mar 18 18:15:16 CentOS7 sshd[8317]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 18 18:15:18 CentOS7 sshd[8317]: Failed password for root from 192.168.1.3 port 55100 ssh2
Step-3b: Add The root User To The DenyUsers List In The /etc/ssh/sshd_config File
This method is also very simple. To do so, just append the following line to the /etc/ssh/sshd_config file.
# echo "DenyUsers root" >> /etc/ssh/sshd_config
You can double-check this by running the following command.
# grep -i denyusers /etc/ssh/sshd_config
DenyUsers root
That's it. Just restart the ssh service and see the result.
# systemctl restart sshd
# service sshd restart
Simply open a new terminal or session and try to access the Linux system as root. The root user is no longer allowed to log in and you will get an error message as shown below.
# ssh root@<server>
root@<server>'s password:
Permission denied, please try again.
Output:
Mar 18 18:09:42 CentOS7 sshd[8228]: User root from 192.168.1.3 not allowed because listed in DenyUsers
Mar 18 18:09:42 CentOS7 sshd[8228]: input_userauth_request: invalid user root [preauth]
Mar 18 18:09:53 CentOS7 unix_chkpwd[8230]: password check failed for user (root)
Mar 18 18:09:53 CentOS7 sshd[8228]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.3 user=root
Mar 18 18:09:53 CentOS7 sshd[8228]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 18 18:09:55 CentOS7 sshd[8228]: Failed password for invalid user root from 192.168.1.3 port 55094 ssh2
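To verify that Step-3a or Step-3b actually took effect, the following audit helper (an added example, not part of the original article) parses sshd_config text the way sshd does: commented lines are inert defaults, and for each keyword sshd keeps the first value it reads. The constructed sample configs below show two pitfalls: the Step-3a sed changes nothing on a "#PermitRootLogin prohibit-password" default, and a "PermitRootLogin no" appended after an earlier "PermitRootLogin yes" is ignored.

```shell
#!/bin/sh
# Return 0 if direct root SSH login is blocked in the given sshd_config text
# (via "PermitRootLogin no" or "DenyUsers ... root ..."), 1 otherwise.
root_ssh_blocked() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blanks are inert
        tolower($1) == "match"   { exit }      # Match blocks end the global section
        tolower($1) == "permitrootlogin" && prl == "" { prl = tolower($2) }  # first wins
        tolower($1) == "denyusers" {
            for (i = 2; i <= NF; i++) if ($i == "root") denied = 1
        }
        END {
            # An unset PermitRootLogin defaults to prohibit-password on OpenSSH 7+,
            # which still admits root with a key, so only an explicit "no" counts.
            if (denied || prl == "no") exit 0
            exit 1
        }'
}

# The exact sed expression from Step-3a, applied to text instead of the file.
step3a_sed() {
    printf '%s\n' "$1" | sed 's/#PermitRootLogin yes/PermitRootLogin no/g'
}

# Constructed sample configs, trimmed to the relevant lines.
CENTOS_STYLE='#PermitRootLogin yes
PasswordAuthentication yes'
DEBIAN_STYLE='#PermitRootLogin prohibit-password
PasswordAuthentication yes'
DENYUSERS_STYLE='PermitRootLogin yes
DenyUsers alice root bob'
APPENDED_STYLE='PermitRootLogin yes
PermitRootLogin no'

# Stand-alone demonstration of the four cases.
for name in CENTOS_STYLE DEBIAN_STYLE DENYUSERS_STYLE APPENDED_STYLE; do
    eval "cfg=\$$name"
    case "$name" in CENTOS_STYLE|DEBIAN_STYLE) cfg=$(step3a_sed "$cfg") ;; esac
    if root_ssh_blocked "$cfg"; then echo "$name: root login blocked"
    else echo "$name: root login STILL ALLOWED"; fi
done
```

Run it against a real file with `root_ssh_blocked "$(cat /etc/ssh/sshd_config)"`; for the effective, fully resolved value you can also compare against `sshd -T | grep -i permitrootlogin`.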
Step-3c: Deny The root User Via /etc/ssh/sshd.deny File
Last but not least, this method is also very simple. To do so, just append the root user to the /etc/ssh/sshd.deny file.
# echo "root" >> /etc/ssh/sshd.deny
You can double-check this by running the following command.
# grep root /etc/ssh/sshd.deny
root
Then replace the auth required line in /etc/pam.d/sshd with the following value. Be aware that onerr=succeed tells pam_listfile to allow access if the deny file cannot be read (for example if it is missing or unreadable), so keep /etc/ssh/sshd.deny in place and readable by root, or use onerr=fail if you prefer to fail closed.
# vi /etc/pam.d/sshd
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/sshd.deny onerr=succeed
That's it. Just restart the ssh service and see the result.
# systemctl restart sshd
# service sshd restart
Simply open a new terminal or session and try to access the Linux system as root. The root user is no longer allowed to log in and you will get an error message as shown below.
# ssh root@<server>
root@<server>'s password:
Permission denied, please try again.
Output:
Mar 19 02:50:37 CentOS7 sshd[4739]: pam_listfile(sshd:auth): Refused user root for service sshd
Mar 19 02:50:38 CentOS7 sshd[4739]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 19 02:50:40 CentOS7 sshd[4739]: Failed password for root from 192.168.1.3 port 38326 ssh2
Step-4: Log In As The su User And Switch To root
Simply open a new terminal or session and log in as the su user (here, ladmin). From there, switch to root with sudo -i, sudo -s or su - and see the result.
# ssh ladmin@<server>
ladmin@<server>'s password:
Last login: Tue Mar 19 02:37:44 2019 from 192.168.1.6
$ sudo -i
[sudo] password for ladmin:
[root@CentOS7 ~]#