Learn how to disable direct root login to Linux and HPUX servers by altering parameters in SSH configuration files. Its one of the hardening step.
Many of the production / live environments has their server hardened. Once of the server hardening step is to disable direct root login to servers i.e. user can not login to server using root account. User need to login with normal account and then switch to root privilege account. This enables easy tracking when and who used superuser privilege. This adds extra layer of security to system prohibiting hackers trying to login with superuser privilege.
By editing SSH configuration file sshd_config we can disable direct root login. SSH configuration file in Linux located at /etc/ssh/sshd_config whereas in HPUX its at /opt/ssh/etc/sshd_config.
In above mentioned config files you need to check PermitRootLogin parameter :
1 2 3 4 5 6 7 8 | # Authentication: #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 |
1 2 3 | PermitRootLogin no |
After hashing out entry you need to bounce SSH daemon sshd to read this new configuration by daemon.
1 2 3 4 5 6 7 | # service sshd restart OR # systemctl restart sshd |
But restarting sshd will terminate all user’s sessions currently active on server. To avoid this we need to kill it with HUP . HUP option restart sshd without disturbing existing sessions.
1 2 3 4 5 6 7 8 9 | # ps -ef |grep -i sshd root 25993 1 0 Apr 29 ? 15:28 /opt/ssh/sbin/sshd # kill -HUP 25993 # ps -ef |grep -i sshd root 29760 1 0 10:43:58 ? 0:00 /opt/ssh/sbin/sshd |
You can see new sshd has been spawned when we kill it by HUP signal. And your current logged in users wont observe any disconnections. Now, open new session and try to login with superuser account. It will fail!
Got any feedback? Comment here!