LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-24-2014, 05:27 AM   #1
massy
Member
 
Registered: Nov 2013
Distribution: CentOS 6.4
Posts: 209
Blog Entries: 1

Rep: Reputation: Disabled
There isn't the line: Permit RootLogin in my ssh config!


I want to disable root access via ssh, this is the /etc/ssh/ssh_config file on my server. Where should I add the line?
Code:
#	$OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Protocol 2
# PermitRootLogin no  // I tried it, but it doesn't work!
# SyslogFacility AUTH
# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
Host *
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
#       GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
        ForwardX11Trusted yes
# Send locale-related environment variables
        SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
        SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
        SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
        SendEnv XMODIFIERS
 
Old 09-24-2014, 06:37 AM   #2
af7567
Member
 
Registered: Nov 2012
Posts: 293

Rep: Reputation: 106
For ssh server options you want to edit /etc/ssh/sshd_config. You are looking at the client config at the moment. You can add the line PermitRootLogin no to disable root logins. You might also want to look at the DenyUsers and AllowUsers options too.
 
Old 09-24-2014, 07:03 AM   #3
massy
Member
 
Registered: Nov 2013
Distribution: CentOS 6.4
Posts: 209

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by af7567 View Post
For ssh server options you want to edit /etc/ssh/sshd_config. You are looking at the client config at the moment. You can add the line PermitRootLogin no to disable root logins. You might also want to look at the DenyUsers and AllowUsers options too.
Where should I do that!?
 
Old 09-24-2014, 04:12 PM   #4
af7567
Member
 
Registered: Nov 2012
Posts: 293

Rep: Reputation: 106
You may already have a commented out PermitRootLogin option shown. In my sshd_config I have an Authentication options area with PermitRootLogin commented. sshd_config doesn't really have any sections so you can put the options anywhere on a line of their own - but if you already have the option commented out in there then you can use that one.
 
Old 09-25-2014, 07:32 AM   #5
ilesterg
Member
 
Registered: Jul 2012
Location: München
Distribution: Debian, CentOS/RHEL
Posts: 587

Rep: Reputation: 72
Quote:
Originally Posted by massy View Post
Where should I do that!?
Edit the file /etc/ssh/sshd_config, look for the option PermitRootLogin, and make sure the value is No. Restart sshd:

Code:
sudo service sshd restart
 
1 members found this post helpful.
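
An added example (not part of any post in this thread): a shell function that reports which PermitRootLogin value an sshd_config-style file sets in its global section, which shows why a commented-out line, or a line in the client file, changes nothing. The function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value set in the global section
# of an sshd_config-style file. sshd uses the first value it finds.

effective_permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines set nothing
        {
            sub(/[ \t]*=[ \t]*/, " ")        # accept "Keyword=value" as well
            key = tolower($1)                # keywords are case-insensitive
            if (key == "match") exit         # Match blocks are conditional, stop here
            if (key == "permitrootlogin") { print tolower($2); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Constructed sample files (not from a real host).
make_samples() {
    dir=$1
    # Like the client file in the question: the directive is only a comment.
    printf '%s\n' '# Protocol 2' '# PermitRootLogin no' 'Host *' \
        '    ForwardX11Trusted yes' > "$dir/ssh_config"
    # Server file: commented default first, then the real setting, then a
    # later duplicate that is ignored because the first value wins.
    printf '%s\n' '#PermitRootLogin yes' 'Port 22' 'PermitRootLogin no' \
        'permitrootlogin yes' > "$dir/sshd_config"
    # Server file where the only setting sits inside a Match block.
    printf '%s\n' 'Port 22' 'Match Address 192.0.2.0/24' \
        '    PermitRootLogin yes' > "$dir/sshd_config_match"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in ssh_config sshd_config sshd_config_match; do
    printf '%-18s %s\n' "$f" "$(effective_permit_root_login "$tmp/$f")"
done
rm -rf "$tmp"
```

On the server itself, `sshd -t` checks the file for syntax errors before the restart, and `sshd -T` (run as root) prints the settings the daemon will actually use, including the built-in default when the function above reports "unset".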
  

