Skip to content

Disable root login over SSH

Severity: criticalApplies to: OpenSSH 8.x+Applies to: Debian / UbuntuApplies to: RHEL / Rocky / AlmaMaps to CIS Ubuntu Linux 22.04 LTS Benchmark v2.0.0 recommendation CIS 5.1.20
The fix/etc/ssh/sshd_config
Terminal window
PermitRootLogin no

Then reload the daemon. The service name differs by distribution:

Terminal window
sudo systemctl reload ssh # Debian, Ubuntu
sudo systemctl reload sshd # RHEL, Rocky, Alma, Fedora

Root exists on every Linux host and its name never has to be guessed, so it absorbs the large majority of automated SSH brute-force traffic. Every other account requires an attacker to learn a username first; root gives them half the credential for free.

Denying root login removes the target rather than defending it. An attacker who compromises a normal user’s key still has to escalate, which is a second obstacle and — because sudo is logged — a much louder one.

PermitRootLogin takes four values, and the difference between two of them catches people out:

Value Effect
no Root cannot log in over SSH by any method.
prohibit-password Root may log in with a key, but not a password.
forced-commands-only Root may log in with a key, and only to run a command specified in authorized_keys.
yes Root may log in with a password.

Use no. Reach for prohibit-password only if automation genuinely needs to authenticate as root — and prefer giving that automation its own account with scoped sudo instead.