Disabling Root SSH Login

If there ever was a time when one should ask "What the heck were they thinking?!", this would be it. In my own experience, most Redhat/Fedora Core based Linux systems come with root SSH logins enabled. I know I am no security expert, but just from my own instincts this seems like a very bad thing. I personally prefer to disable root login and just su to root when I need to do anything that requires root access.

Process

In a nutshell, you simply have to su to root, open up the SSH Daemon configuration file, change one setting, and then either restart the SSH daemon or restart the Linux box to apply the change.

Finding the Configuration File

The file in which the SSH Daemon configuration is stored is named sshd_config. I emphasize the d because usually there is another file with a name close to this one in the same directory and you need to make sure that you do not edit the wrong file! In most Redhat/Fedora Core based environments, this file is located in the path:

/etc/ssh/sshd_config

If this is not the location of the file, you can attempt to find the file yourself by invoking the following commands as root. The main reason you have to do this as root is that the sshd_config file might be in a directory that non-root users are not allowed to read, so a search run as a normal user would simply miss it.

[phil@bush ~]$ su
Password:
[root@bush phil]# cd /
[root@bush /]# find | grep sshd_config
./etc/ssh/sshd_config
./usr/share/man/man5/sshd_config.5.gz
[root@bush /]#

As you can see, there is only one file named exactly sshd_config. If you find multiple files with this name but in different paths, it can mean that you either have multiple SSH daemons running and listening on different ports, or that you are not using the "stock" SSH installation that came with your OS. If you are smart enough to be in either situation, then you probably don't need this document and would be more than able to find the correct file to modify :). If you found multiple files but neither situation applies to you, stop immediately and end your su session. You will need to do more research on Linux's startup procedures to find the correct file to modify.

Modifying the Configuration File

Once you have found the file, you can make a backup of it using the command:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config_MM-DD-YYYY-HHMM

This command assumes that your sshd_config file is in the path /etc/ssh. If this is not true, then use the correct path instead. MM-DD-YYYY-HHMM is today's current date and time. I try to avoid using the words "old" or "original" because if you look at the file listing again in 6 months, you won't remember when these files were in effect.

Open the sshd_config up in your favorite text editor and begin modifying it. I personally prefer to use the vim text editor (it's definitely an acquired taste), but you can use whatever editor is comfortable for you.

Look for a line that contains the string PermitRootLogin. Use your text editor's search feature to find this string. It usually appears after a # sign, which marks the line as a comment. The screenshot below shows how it appears in the sshd_config file on a sample system. The option has a red box around it.

[Screenshot] Location of PermitRootLogin Option

Before you change anything, use your editor's search function to make sure that there is at most one active PermitRootLogin directive in this file. In most situations, the commented-out directive you see is the only reference, but if you find another reference which is not commented out, then you will need to modify that instead. Once you have located the right line, perform the following steps:

  1. If there is a # before the PermitRootLogin option, remove it.
  2. Change the yes to no. Be mindful that you use strictly lower-case letters.
  3. Save the file and quit the text editor.
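The three editing steps above, carried out by a small shell script instead of by hand. This is an added example and not part of the original page; the function names (disable_root_login, effective_permit_root_login, count_active_directives, make_sample_config) and the sample configuration are my own, and the script takes the path of the file to edit as an argument so it can be tried on a copy first. It also covers the two cases the text only mentions in passing: an already active directive with some other value (which is the one to change, as the text advises, with any later duplicate commented out so exactly one remains) and a file with no directive at all, where the line is appended.

```sh
#!/bin/sh
# Added example, not from the original page: apply the three edit steps to an
# sshd_config file with awk, and report what the file now says. The config path
# is a parameter so the functions can be exercised on a throwaway copy; nothing
# here touches /etc/ssh on its own.
set -eu

# Value of the first active (uncommented) PermitRootLogin directive, or "unset"
# if the file has none. sshd itself honours the first such line it finds.
effective_permit_root_login() {
    awk '
        /^[[:space:]]*PermitRootLogin[[:space:]]+/ { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Number of active PermitRootLogin directives; the text says there should be at
# most one before you edit, and there is exactly one afterwards.
count_active_directives() {
    grep -c '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" || true
}

# Steps 1-3: back up the file under the page's MM-DD-YYYY-HHMM naming scheme,
# then rewrite it so that exactly one active "PermitRootLogin no" remains.
disable_root_login() {
    cfg="$1"
    cp "$cfg" "${cfg}_$(date +%m-%d-%Y-%H%M)"
    tmp="${cfg}.tmp.$$"
    awk -v active="$(count_active_directives "$cfg")" '
        # First active directive, whatever its value: change it to "no".
        /^[[:space:]]*PermitRootLogin[[:space:]]+/ && !seen { print "PermitRootLogin no"; seen = 1; next }
        # Any later active directive: comment it out so only one remains.
        /^[[:space:]]*PermitRootLogin[[:space:]]+/ { print "#" $0; next }
        # Stock case, only when no active directive exists anywhere in the file:
        # drop the leading # (step 1) and set the value to "no" (step 2).
        /^[[:space:]]*#[[:space:]]*PermitRootLogin[[:space:]]+/ && active == 0 && !seen { print "PermitRootLogin no"; seen = 1; next }
        { print }
        # Directive missing entirely: append it.
        END { if (!seen) print "PermitRootLogin no" }
    ' "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# Constructed sample mirroring the commented-out stock line from the screenshot;
# not a real system file.
make_sample_config() {
    cat > "$1" <<'EOF'
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
EOF
}

# Demonstration on a temporary copy.
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir/sshd_config"
echo "before: $(effective_permit_root_login "$demo_dir/sshd_config")"
disable_root_login "$demo_dir/sshd_config"
echo "after:  $(effective_permit_root_login "$demo_dir/sshd_config")"
rm -rf "$demo_dir"
```

To use it on the real file, call disable_root_login /etc/ssh/sshd_config as root; the backup it writes follows the same MM-DD-YYYY-HHMM convention as the cp command earlier, so restoring is the same copy in reverse. Before restarting the daemon, running sshd -t as root checks the file for syntax errors, so a stray character cannot leave you with an sshd that refuses to start after the restart.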

Restarting the SSH Daemon

If your SSH Daemon starts when your Linux box boots up and if your environment can stand the downtime, you can simply invoke the command:

/sbin/shutdown -r now

to restart the Linux box. Of course, I have many friends who are far more skilled in Linux/Unix administration than I could ever hope to be, and many of them would kick my ass if I did not also provide the more elegant way of restarting the SSH daemon. On most Redhat/Fedora Core systems, you can usually invoke the command (as root):

/etc/init.d/sshd restart

If this command does not work, or if you are simply unsure, you can just bite the bullet, inform your users the box is going down for reboot, and reboot away!

Provided that you did not do anything other than the steps on this page, you should be able to SSH into the box, attempt to log in as root, and that attempt will fail. All non-root users who could log into the system before should still be able to do so. Any user who was previously able to su to root should still be able to do so. If something broke, then you can always restore the original configuration by copying the backup file you made earlier back over the configuration file that you modified (you did remember to back up the original file, right?).

Disclaimer

Use this information at your own risk and make sure you don't deviate from the steps. This is pretty basic stuff, but if you're not sure about what you are doing, then you really should be reading the documentation on the SSH Daemon itself before trying anything.


Back to Stupid Networking Tricks philatfacebook@gmail.com

Valid HTML 4.01 Transitional