
How to disable direct root login on Linux & HPUX

Published: February 8, 2017 | Modified: October 30, 2017 | 1,474 views




Learn how to disable direct root login to Linux and HPUX servers by altering parameters in SSH configuration files. It's one of the hardening steps.

 


Many production (live) environments have hardened servers. One of the server hardening steps is to disable direct root login, i.e. a user cannot log in to the server using the root account. The user needs to log in with a normal account and then switch to the root-privileged account. This makes it easy to track when and by whom superuser privileges were used. It also adds an extra layer of security to the system by stopping hackers from logging in with superuser privileges.

By editing the SSH configuration file sshd_config, we can disable direct root login. The SSH configuration file is located at /etc/ssh/sshd_config on Linux, whereas on HPUX it is at /opt/ssh/etc/sshd_config.

In the above-mentioned config files, you need to check the PermitRootLogin parameter:

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

This parameter defines whether direct root access is permitted. By default its value is set to yes, which means direct root login is allowed on the server. You need to hash out this entry by adding the symbol # at the beginning, as shown in the example above. Once it is hashed out, the SSH daemon ignores this value, which means it won't allow root login on the server. This includes all accounts with root privileges, i.e. with UID 0. You can also change the value to no without hashing the entry out, and it will still work.

PermitRootLogin no

After hashing out the entry, you need to bounce the SSH daemon sshd so that it reads the new configuration.

# service sshd restart

OR

# systemctl restart sshd

But restarting sshd will terminate all users' sessions currently active on the server. To avoid this, we need to kill it with HUP. The HUP signal restarts sshd without disturbing existing sessions.

# ps -ef |grep -i sshd
    root 25993     1  0  Apr 29  ?        15:28 /opt/ssh/sbin/sshd

# kill -HUP 25993

#  ps -ef |grep -i sshd
    root 29760     1  0 10:43:58 ?         0:00 /opt/ssh/sbin/sshd

You can see that a new sshd has been spawned after we killed the old one with the HUP signal, and your currently logged-in users won't observe any disconnections. Now open a new session and try to log in with the superuser account. It will fail!
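To verify the setting rather than assume it: sshd uses the first uncommented value it reads for a keyword and falls back to its compiled-in default when the line is only a comment, and that default differs between OpenSSH releases. The script below is an added example, not part of the original article; the function names and sample files are hypothetical, and it assumes whitespace- or "="-separated keywords and no Include files.

```sh
#!/bin/sh
# Added example (not from the original article): report what an sshd_config
# file explicitly sets for PermitRootLogin.

# explicit_root_login FILE
# Prints the first uncommented global PermitRootLogin value (lowercased), or
# "unset" when the file leaves the decision to sshd's built-in default.
explicit_root_login() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines set nothing
        {
            sub(/^[ \t]+/, "")                     # drop leading indentation
            split($0, f, /[ \t=]+/)                # keyword and value
            key = tolower(f[1])
        }
        key == "match" { exit }                    # lines below are conditional overrides
        key == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_login_disabled FILE -> exit status 0 only when the file says "no".
root_login_disabled() {
    [ "$(explicit_root_login "$1")" = "no" ]
}

# Constructed sample configs (not taken from a real host).
demo_dir=$(mktemp -d)
printf '#LoginGraceTime 2m\n#PermitRootLogin yes\n#StrictModes yes\n' > "$demo_dir/commented"
printf 'PermitRootLogin no\n' > "$demo_dir/explicit_no"
printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$demo_dir/first_wins"

for cfg in commented explicit_no first_wins; do
    printf '%-12s %s\n' "$cfg" "$(explicit_root_login "$demo_dir/$cfg")"
done

# On a live host, "sshd -T" (extended test mode, run as root) prints the
# effective settings, defaults included:  sshd -T | grep -i '^permitrootlogin'
```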


 


This work is licensed under a CC-BY-NC license · Privacy Policy
© Copyright 2016-2020 KernelTalks · All Rights Reserved.
The content is copyrighted to Shrikant Lavhate & can not be reproduced either online or offline without prior permission.