Disable direct root Login

Before we see how to disable direct root login, we will see why.

Why do we need to disable direct root login

There are many benefits to disabling direct root SSH access to the server, but the primary one is security.

  1. Security: When you disable direct root login, hackers will first have to guess a user name and then its password. After that they will have to guess the root user’s password. This adds an extra layer of security.
  2. Login and Audit: When you force all the administrators to use their own accounts, it’s easy to record their actions. And if some of the admins decide to leave, or their account is compromised, you can easily disable their account. So even if they know the root password, they won’t be able to log in without their own account.

Why delay when you are getting enhanced security?

To disable direct root login, follow the steps below.

1. Since you don’t have another administrator account at this moment, you will have to log in to the server using the root account and add the line below to the file /etc/ssh/sshd_config.

Note: In some cases you will find this line already present but commented out, so you will just need to remove the comment.

PermitRootLogin no

2. Create a new user, for example bob, and set a password for that user.

3. Open the file /etc/group and add the user to the wheel group. The wheel group line in that file would then look like this.

# cat /etc/group | grep -i wheel
wheel:x:10:bob

4. Finally, restart the sshd service.

# systemctl restart sshd

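5. Make sure that the permissions on the files below are set correctly.

# chmod 4755 /bin/su        # setuid root, so su can switch users
# chmod 644 /etc/passwd     # must stay world-readable for user name lookups
# chmod 600 /etc/shadow     # password hashes, readable by root only
# chmod 644 /etc/group      # world-readable for group lookups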

The golden rule says that you should always check by logging into the server using a different session before you disconnect the current one.
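
Added example (not part of the original article): a check to run before the restart in step 4. It confirms that an uncommented PermitRootLogin no is what sshd will read and that wheel has a non-root member. The function names and the temporary sample files are constructed for illustration; the script does not follow Include files, so on a live server `sshd -T` remains the authoritative view of the effective setting.

```shell
#!/bin/sh
# Added example: lockout check to run before restarting sshd.
# Simplification: Include files and Match blocks are not evaluated.

# Print the PermitRootLogin value from the global section of an sshd_config
# file. sshd uses the first value it reads; keywords are case-insensitive.
effective_permit_root_login() {
    awk '
        { sub(/#.*/, "") }                      # a commented line sets nothing
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == "permitrootlogin" && !seen { v = tolower($2); seen = 1 }
        END { print (seen ? v : "prohibit-password") }  # default, OpenSSH 7.0+
    ' "$1"
}

# Print the non-root members of the wheel group, one per line.
wheel_admins() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print m[i]
    }' "$1"
}

# Usage: check_lockout SSHD_CONFIG GROUP_FILE
# Returns 0 only if root login is off and wheel has a non-root member.
check_lockout() {
    prl=$(effective_permit_root_login "$1")
    admins=$(wheel_admins "$2" | tr '\n' ' ')
    if [ "$prl" != "no" ]; then
        echo "FAIL: effective PermitRootLogin is '$prl', not 'no'"; return 1
    fi
    if [ -z "$admins" ]; then
        echo "FAIL: wheel has no non-root member to log in with"; return 2
    fi
    echo "OK: root login disabled; wheel members: $admins"
}

# Constructed sample files: the config line is still commented out.
tmp=$(mktemp -d)
printf '%s\n' '#PermitRootLogin no' 'PasswordAuthentication yes' > "$tmp/sshd_config"
printf '%s\n' 'root:x:0:' 'wheel:x:10:bob' > "$tmp/group"
check_lockout "$tmp/sshd_config" "$tmp/group" || true   # reports FAIL
printf '%s\n' 'PermitRootLogin no' > "$tmp/sshd_config" # comment removed
check_lockout "$tmp/sshd_config" "$tmp/group"           # reports OK
rm -rf "$tmp"
```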
