Learn how to disable direct root login to Linux and HPUX servers by altering parameters in SSH configuration files. It's one of the server hardening steps.
Many production / live environments have their servers hardened. One of the server hardening steps is to disable direct root login to servers, i.e. a user cannot log in to the server using the root account. The user needs to log in with a normal account and then switch to the root privilege account. This makes it easy to track when and by whom superuser privilege was used. It also adds an extra layer of security to the system by blocking hackers who try to log in with superuser privilege.
By editing the SSH configuration file sshd_config, we can disable direct root login. The SSH configuration file on Linux is located at /etc/ssh/sshd_config, whereas in HPUX it's at
In the above-mentioned config files, you need to check the PermitRootLogin parameter:
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
This parameter defines whether direct root access is permitted or not. By default its value is set to yes. This means direct root login is allowed on the server. You need to hash out this entry by adding the symbol # at the beginning, as shown in the above example. Once it's hashed, the SSH daemon ignores this value, which means it won't allow root login on the server. This includes all accounts with root privileges, i.e. with UID 0. You can even change the value to no without hashing the entry out and it will still work.
After hashing out the entry, you need to bounce the SSH daemon sshd so that it reads the new configuration.
# service sshd restart
OR
# systemctl restart sshd
But restarting sshd will terminate all user sessions currently active on the server. To avoid this, we need to kill it with HUP. The HUP option restarts sshd without disturbing existing sessions.
# ps -ef |grep -i sshd
root 25993 1 0 Apr 29 ? 15:28 /opt/ssh/sbin/sshd
# kill -HUP 25993
# ps -ef |grep -i sshd
root 29760 1 0 10:43:58 ? 0:00 /opt/ssh/sbin/sshd
You can see that a new sshd has been spawned when we kill it with the HUP signal, and your currently logged-in users won't observe any disconnections. Now, open a new session and try to log in with the superuser account. It will fail!
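
A check to run alongside the login test above, added here as an example and not part of the original article: it reports whether a config file sets PermitRootLogin on an active line. When the line is hashed out, sshd applies its built-in default, which depends on the OpenSSH version and vendor build, so that case is flagged for review. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Scope assumptions: only the
# global section is read (parsing stops at the first Match block) and
# Include directives are not followed.

# Print the value of the first active PermitRootLogin line, or "unset".
explicit_permit_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }             # drop leading whitespace
        /^#/ || /^$/ { next }              # hashed-out or blank lines are not read
        tolower($1) == "match" { exit }    # end of the global section
        tolower($1) == "permitrootlogin" { # keyword is case-insensitive
            print tolower($2); found = 1; exit   # first value obtained wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Turn that value into a hardening verdict for the given file.
audit_root_login() {
    value=$(explicit_permit_root_login "$1")
    case "$value" in
        no)    echo "OK: PermitRootLogin no is set explicitly" ;;
        unset) echo "CHECK: no active PermitRootLogin line, sshd falls back to its built-in default" ;;
        *)     echo "WARN: PermitRootLogin is set to $value" ;;
    esac
}

# Constructed sample files, written to a temporary directory.
demo_dir=$(mktemp -d)
printf '# Authentication:\n#LoginGraceTime 2m\n#PermitRootLogin yes\n' > "$demo_dir/hashed"
printf '# Authentication:\nPermitRootLogin no\n' > "$demo_dir/explicit"
printf 'PermitRootLogin yes\n' > "$demo_dir/open"
for f in hashed explicit open; do
    printf '%s: ' "$f"
    audit_root_login "$demo_dir/$f"
done
rm -rf "$demo_dir"
```

On a live host, pass the real sshd_config path to audit_root_login; where the installed OpenSSH build supports it, sshd -T prints the effective configuration, including Match and Include handling that this sketch skips.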