He is saying that being able to ssh in as root in any way, shape or form, still requires you to allow root to login remotely.

Which is bad.

A user wouldn't login as root. That is the point. You login as your regular user, and then use something to escalate your privileges. (su, sudo)

Yes su root is better the ssh root because you aren't connecting remote as root. However sudo root is even better than su root...

nomb

How am I connecting remote if I am connecting via SSH to another name on the same server? Nothing goes out through PuTTY, it's all happening within the server. Not even going out on the hosts's LAN. Using su requires entering a password which gets transitted via PuTTY.

Edit: I found sudo. Need to be root to see it. So I will add 'me' to the /root/sudoers.txt?

The existing entries look like this, which confuses me. Name1 and name2 are host's techs.
root ALL=(ALL) ALL
name1 ALL = PASSWD: ALL
name1 ALL = NOPASSWD: ADMIN
name2 ALL = NOPASSWD: ADMIN
name2 ALL = PASSWD: ALL
admin ALL = NOPASSWD: ADMIN

Would I add
me ALL = NOPASSWD: ROOT

You may be working locally, but unless your /etc/ssh/sshd_config file contains "PermitRootLogin no" (my version defaults to yes unless you specifically set it to no) then someone can remotely try to access the root account by guessing the password.

To set up sudo I use the visudo command. I don't recommend using the keywords ALL and NOPASSWD together since they provide full root access if someone guesses that account's password.

Where do I get visudo?

If sudo is installed it should already be there as well. But visudo needs to be ran with root privileges. Which also means it should be in one of the sbins.

nomb

Do you suppose there is some good reason why our host has not installed sudo? I could ask them but I'm trying to avoid entering new ticket.

Add

PermitRootLogin no

to your ssh_config file.

If I remember correctly there was a keyword for this setting that allowed access via a key file, but denied password access to root. I think the keyword is without-password.

I don't dare do that - danger of blocking my hosts's techies. But I'm sure it is good advice.

None that I can think of other than they are trying to restrict who has root access. However, that is REALLY self-defeating as without sudo, someone is more likely to hand out the root password. Sudo was designed to prevent exactly that.

I'd ask for it to be installed. It just seems very wrong that it wasn't by default.

I hate to annoy our host. They give us a very special low monthly fee for our dedicated server, because the host's owner hates malware and because we are all volunteers and the forum has no income other than donations.

I'm marking this SOLVED because it's getting so long. In the future I will try to keep my threads more focused.

I understand your reluctance to risk annoying someone who is giving you a good deal, but if your host hates malware, then they should understand the need for tools like sudo.