Prohibit SSH root login on Debian
If you want to prohibit direct SSH root login on Debian, you need at least one user besides root who is authorized to log in to the server. With this user, you can then switch to the root account.
ATTENTION: If you did not create any other users, you will lock yourself out of the system!
PermitRootLogin no
Edit the /etc/ssh/sshd_config file and change
PermitRootLogin yes
to
PermitRootLogin no
After this, restart the SSH service
/etc/init.d/ssh restart (alternatively: service ssh restart)
Now, the root user is not allowed to log into the system directly. You have to log in as usual with a user account and then switch with
su
to the root account.
AllowGroups
You can also use the AllowGroups parameter to restrict which users are allowed to log in via SSH.
Excerpt from man sshd_config:
- AllowGroups
- This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
To create a group named sshusers and add a user to that group, execute the following commands as the root user:
addgroup --system sshusers
adduser xyz sshusers
After this, configure the following options in /etc/ssh/sshd_config:
LoginGraceTime 30
AllowGroups sshusers
PermitRootLogin no
StrictModes yes
Then restart the SSH service
/etc/init.d/ssh restart
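The lockout warned about above can be checked for before the restart. The following shell functions are an added example, not part of the original article: they read an sshd_config and report which accounts could still log in once PermitRootLogin and AllowGroups take effect. The function names, the UID range for regular accounts, and the simplifications listed in the first comment are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: no Match/Include
# handling, AllowGroups entries are plain names (no wildcards), regular
# accounts use UIDs 1000-59999, any PermitRootLogin value but "no" admits root.

# Print the value of keyword $1 in config file $2.
# Keywords are case-insensitive; the first uncommented occurrence is used.
sshd_value() {
    awk -v k="$1" 'tolower($1) == tolower(k) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# Print users in group $1: supplementary members from group file $2
# plus users in passwd file $3 whose primary GID is that group.
group_users() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2")
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i] }' "$2"
    if [ -n "$gid" ]; then
        awk -F: -v id="$gid" '$4 == id { print $1 }' "$3"
    fi
}

# Print every account that could still log in with config $1
# (group file $2 and passwd file $3 default to the system files).
remaining_logins() {
    conf=$1; groupf=${2:-/etc/group}; passwdf=${3:-/etc/passwd}
    allow=$(sshd_value AllowGroups "$conf")
    root=$(sshd_value PermitRootLogin "$conf")
    if [ -z "$allow" ]; then
        # No AllowGroups: root and every regular account stay eligible.
        awk -F: '$1 == "root" || ($3 >= 1000 && $3 <= 59999) { print $1 }' "$passwdf"
    else
        for g in $allow; do group_users "$g" "$groupf" "$passwdf"; done
    fi | sort -u | awk -v r="$root" '!(tolower(r) == "no" && $0 == "root")'
}

# Return 0 if someone can still log in after a restart, 1 on lockout risk.
lockout_check() {
    users=$(remaining_logins "$@")
    if [ -z "$users" ]; then
        echo "LOCKOUT RISK: no account could log in via SSH" >&2
        return 1
    fi
    echo "remaining SSH logins:" $users
}
```

Run lockout_check /etc/ssh/sshd_config from the still-open root session, followed by sshd -t to validate the configuration syntax, and restart the SSH service only if both succeed.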
Further securing of the SSH server
More information on securing an SSH server can be found in the following articles:
Translator: Alina Ranzinger

