Disable root login over SSH
/etc/ssh/sshd_configPermitRootLogin noThen reload the daemon. The service name differs by distribution:
sudo systemctl reload ssh # Debian, Ubuntusudo systemctl reload sshd # RHEL, Rocky, Alma, FedoraWhy it matters
Section titled “Why it matters”Root exists on every Linux host and its name never has to be guessed, so it absorbs the large majority of automated SSH brute-force traffic. Every other account requires an attacker to learn a username first; root gives them half the credential for free.
Denying root login removes the target rather than defending it. An attacker who
compromises a normal user’s key still has to escalate, which is a second
obstacle and — because sudo is logged — a much louder one.
The options, precisely
Section titled “The options, precisely”PermitRootLogin takes four values, and the difference between two of them
catches people out:
| Value | Effect |
|---|---|
no |
Root cannot log in over SSH by any method. |
prohibit-password |
Root may log in with a key, but not a password. |
forced-commands-only |
Root may log in with a key, and only to run a command specified in authorized_keys. |
yes |
Root may log in with a password. |
Use no. Reach for prohibit-password only if automation genuinely needs to
authenticate as root — and prefer giving that automation its own account with
scoped sudo instead.
Related
Section titled “Related”- Require key-only authentication — apply this first; it’s what makes losing root login safe.