How to Disable Root SSH Login on Linux for Better Security

This guide explains why allowing root SSH access is risky, shows how to edit the sshd_config file to set PermitRootLogin no, restart the SSH service, verify the restriction, and optionally allow specific users or re‑enable root login when needed.

ITPUB

Why disabling root SSH login matters

Most Linux distributions ship with the SSH daemon configured to allow direct login as the root user. Because the root account has unrestricted privileges, a successful brute‑force or credential‑theft attack immediately gives an attacker full control of the system. Disabling root SSH access forces attackers to first compromise a regular account, which can be monitored, limited, or protected with multi‑factor authentication.

Procedure to block root SSH access

Open the SSH daemon configuration file with a text editor that has root privileges, for example:

vi /etc/ssh/sshd_config

Find the line that controls root login. It may be commented out:

#PermitRootLogin no

Remove the leading # (or change the value) so that the line reads:

PermitRootLogin no

If the line does not exist, add it at the end of the file.

Save the file and restart the SSH service to apply the change. The command depends on the init system:

# systemctl restart sshd        # systemd based systems
# service ssh restart           # SysV init
# /etc/init.d/sshd restart      # legacy

Verify that root login is disabled

Attempt to open an SSH session as root. The server should reject the authentication:

ssh root@host
login as: root
Access denied
root@host’s password:

Using a regular account and su to obtain root privileges

Log in with a non‑privileged user (e.g., tecmint) and, when administrative tasks are required, switch to the root account with:

su -

You will be prompted for the root password; after successful authentication the prompt changes to #, indicating a root shell.

Re‑enabling root SSH login (if needed)

To restore direct root access, edit /etc/ssh/sshd_config again and either comment the line:

#PermitRootLogin no

or set it to yes:

PermitRootLogin yes

Then restart the SSH daemon as described above.

Restricting SSH access to specific users

If the environment contains many accounts and you want to allow SSH only for a subset, add an AllowUsers directive at the end of /etc/ssh/sshd_config:

AllowUsers tecmint sheena

Only the listed usernames will be permitted to authenticate via SSH; all others will be denied. Restart the SSH service after modifying the file.
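Both the PermitRootLogin and AllowUsers steps say to add the line at the end of the file, but sshd uses the first value it obtains for each keyword, so an earlier uncommented line wins over an appended one. The script below is an added example, not part of the original article: the helper name effective_value and the sample configuration are constructed for illustration, and it reads only the global section of a single file (it ignores Include files and the contents of Match blocks).

```shell
#!/bin/sh
# Added example (not from the original article).
# effective_value is a hypothetical helper name.

# effective_value KEYWORD FILE
# Prints the value sshd would take for KEYWORD from FILE's global section:
# the first uncommented occurrence before any Match block, or "unset".
effective_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                  # comment line
        /^[ \t]*$/ { next }                  # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # drop leading indentation
            n = match(line, /[ \t=]+/)        # keyword/value separator
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
            val = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit          # global section ends here
            if (key == want) { print val; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$2"
}

# Constructed sample: "PermitRootLogin no" was appended at the end of the
# file, but an earlier uncommented "yes" is the value that takes effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
AllowUsers tecmint sheena
PermitRootLogin no
EOF
echo "PermitRootLogin: $(effective_value PermitRootLogin "$sample")"
echo "AllowUsers:      $(effective_value AllowUsers "$sample")"
rm -f "$sample"
```

On a live host, running sshd -t as root checks the file for syntax errors before the restart, and sshd -T prints the configuration the daemon will actually use.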
