How do you deny root logins with ssh?

Thaidog · 04-01-2005, 08:16 PM

What do I need to configure to deny root logins with ssh?

mjmwired · 04-01-2005, 08:58 PM

Not sure if this applies to all distributions.

Look in /etc/ssh/sshd_config
Look for line: PermitRootLogin

(my mistake, I accidentally wrote /etc/ssh_config)

Thaidog · 04-01-2005, 10:32 PM

Thanks... I've got a G4 as you can see from this cat'd file below... there is no line like that... can I add something?

haidogs-G4:/etc tylerm$ cat ssh_config
# $OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsAuthentication no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~

Ben2210 · 04-02-2005, 02:05 AM

It's not in ssh_config, it's in sshd_config.

On my system, the full path is /etc/ssh/sshd_config

Thaidog · 04-02-2005, 02:37 AM

Ok removed the # and put no.... thanks for the help!

narmida · 03-01-2006, 04:36 PM

Other question: if u make a new user with password then it automaticly may login thru SSH.
if you installed the server a year ago you never remeber what to do.
so think a bit further with security :

permitroot must be always off
ssh version should always be 2 version 1 is a telnet like crap so u can sniff the passwords

and las but not least :

AllowUsers itsme andme

With this u say that only users itsme andme may login so if permit root is yes and allowusers is only a user root wont get in ;-)

if someone hacks half youre server and want to login with his account he CANT

this is why the most crappers bring their own ssh ;-)