How to restrict direct logins as root and disable password-based authentication for SSH

Configure the OpenSSH Server

OpenSSH service is provided by a daemon called sshd. Its main configuration file is /etc/ssh/sshd_config. The default configuration of the OpenSSH server works well. However, you might want to make some changes to strengthen the security of your system. There are two common changes you might want to make. You might want to prohibit direct remote login to the root account, and you might want to prohibit password-based authentication (in favor of SSH private key authentication).

Prohibit the SuperUser from logging in using ssh

It is a good practice to prohibit direct login to the root user account from remote systems. Some of the risks of allowing direct login as root include:

  • The user name root exists on every Linux system by default, so a potential attacker only has to guess the password, instead of a valid user name and password combination. This reduces complexity for an attacker.
  • The root user has unrestricted privileges, so its compromise can lead to maximum damage to the system.
  • From an auditing perspective, it can be hard to track which authorized user logged in as root and made changes. If users have to log in as a regular user and switch to the root account, this generates a log event that can be used to help provide accountability.

The OpenSSH server uses the PermitRootLogin configuration setting in the /etc/ssh/sshd_config configuration file to allow or prohibit users logging in to the system as root.

PermitRootLogin yes

With the PermitRootLogin parameter to yes, as it is by default, people are permitted to log in as root. To prevent this, set the value to no. Alternatively, to prevent password-based authentication but allow private key-based authentication for root, set the PermitRootLogin parameter to without-password. The SSH server (sshd) must be reloaded for any changes to take effect.

[root@host ~]# systemctl reload sshd

Prohibiting password-based authentication for ssh

Allowing only private key-based logins to the remote command line has various advantages:

  • Attackers cannot use password guessing attacks to remotely break into known accounts on the system.
  • With passphrase-protected private keys, an attacker needs both the passphrase and a copy of the private key. With passwords, an attacker just needs the password.
  • By using passphrase-protected private keys in conjunction with ssh-agent, the passphrase is exposed less frequently

The OpenSSH server uses the PasswordAuthentication parameter in the /etc/ssh/sshd_config configuration file to control whether users can use password-based authentication to log in to the system.

PasswordAuthentication yes

The default value of yes for the PasswordAuthentication parameter in the /etc/ssh/sshd_config configuration file causes the SSH server to allow users to use password-based authentication while logging in. The value of no for PasswordAuthentication prevents users from using password-based authentication. Keep in mind that whenever you change the /etc/ssh/sshd_config file, you must reload the sshd service for changes to take effect.

[root@host ~]# systemctl reload sshd