
3. Restart the sshd service:

# service sshd restart

Enabling root login

To enable root login again, follow the exact reverse process.

1. Edit the /etc/ssh/sshd_config file with a text editor and find the following line:

#PermitRootLogin no

2. Change the no to yes, or simply put '#' at the beginning of the line (commenting it out restores the default, which is yes), so that it reads:

#PermitRootLogin yes

3. Restart the sshd service:

# service sshd restart

Disabling direct root login for non-root users

Sometimes allowing all users the ability to log on to a system remotely can be a security risk. There are many ways to limit who can remotely access a system: PAM, TCP wrappers, or iptables, to name a few. However, one of the easiest ways to limit who can access a system via SSH is to configure the SSH daemon itself.

The directive AllowUsers can be configured in /etc/ssh/sshd_config. This directive can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for those user names.

AllowUsers [username]

Where [username] is the username you want to allow.

For example, to allow SSH login for users john and teena and disable it for the rest of the users, set the AllowUsers directive as:

AllowUsers john teena

Restart the sshd service for the changes to take effect:

# service sshd restart

Allow / disallow groups ssh login

To restrict groups, the options AllowGroups and DenyGroups are used in the file /etc/ssh/sshd_config. These options allow or disallow users whose primary group or supplementary group matches one of the group patterns.
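The following script is an added example, not part of the original article, showing how sshd's user and group access directives combine: it reads AllowUsers, DenyUsers, AllowGroups and DenyGroups from a config file and evaluates them in the order sshd applies them (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups), with '*' and '?' wildcards handled by the shell's own pattern matching. It is deliberately a subset of what sshd does: bare user-name patterns only (no user@host forms, no '!' negation, no Match blocks), and PermitRootLogin is not evaluated. The sample sshd_config it writes to a temp file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether sshd's
# Allow/Deny directives would admit a user, in sshd's evaluation order.

# match_any PATTERN_LIST NAME -> 0 if NAME matches any pattern in the list
match_any() {
    _patterns=$1; _name=$2
    set -f   # keep '*' in patterns from expanding against the filesystem
    for _p in $_patterns; do
        case "$_name" in
            $_p) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# directive_values FILE KEYWORD -> space-separated values of every KEYWORD line
# (commented lines never match because '#' stays glued to the first field;
# keyword comparison is case-insensitive, as in sshd)
directive_values() {
    awk -v kw="$2" 'tolower($1) == tolower(kw) { for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1"
}

# ssh_login_allowed CONFIG USER GROUP... -> 0 if allowed, 1 if denied
# GROUP... is the user's primary and supplementary groups.
ssh_login_allowed() {
    _cfg=$1; _user=$2; shift 2
    _groups=$*
    _deny_u=$(directive_values "$_cfg" DenyUsers)
    _allow_u=$(directive_values "$_cfg" AllowUsers)
    _deny_g=$(directive_values "$_cfg" DenyGroups)
    _allow_g=$(directive_values "$_cfg" AllowGroups)

    # 1. DenyUsers: any match denies
    if match_any "$_deny_u" "$_user"; then return 1; fi
    # 2. AllowUsers: if present, the user must match one pattern
    if [ -n "$_allow_u" ] && ! match_any "$_allow_u" "$_user"; then return 1; fi
    # 3. DenyGroups: any group match denies
    for _g in $_groups; do
        if match_any "$_deny_g" "$_g"; then return 1; fi
    done
    # 4. AllowGroups: if present, at least one group must match
    if [ -n "$_allow_g" ]; then
        for _g in $_groups; do
            if match_any "$_allow_g" "$_g"; then return 0; fi
        done
        return 1
    fi
    return 0
}

# Constructed sample sshd_config for the demonstration (not a real host's file)
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample, mirrors the article's AllowUsers john teena
PermitRootLogin no
AllowUsers john teena deploy-*
DenyGroups contractors
EOF

# Walk a few constructed user:group identities through the evaluation
for _id in "john:users" "teena:users" "deploy-01:users" "bob:users" "john:contractors"; do
    _u=${_id%%:*}; _g=${_id#*:}
    if ssh_login_allowed "$SAMPLE_CFG" "$_u" "$_g"; then
        echo "$_u ($_g): allowed"
    else
        echo "$_u ($_g): denied"
    fi
done
```

Run against a real host with `ssh_login_allowed /etc/ssh/sshd_config "$USER" $(id -Gn)` to see how the current directives treat an account; the deny-before-allow ordering is why john is still refused once he is placed in the contractors group, even though AllowUsers names him.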

CentOS / RHEL 6 : How to Disable / Enable direct root login via telnet

CentOS / RHEL : How to disable root login or root access on a system

Why disable root login?

– Having the root password defined is not strictly necessary on a Linux system. The root password can be disabled, but this is not good practice, because the system will always prompt for the root password if it goes into maintenance mode. In that scenario it is not possible to proceed with sudo access; the root password has to be provided.
– If an administrator is uncomfortable allowing users to log in as root for these or other reasons, the root password should be kept secret, and access to runlevel one or single-user mode should be disallowed through boot loader password protection.
– If the root account still needs to be disabled on a RHEL system for some reason, one of the methods below can be followed:

  1. Changing the root shell
  2. Deleting the root password

1. Changing the root shell

To prevent users from logging in directly as root, the system administrator can set the root account's shell to /sbin/nologin in the /etc/passwd file.

2. Deleting the root password

Deleting the root password also disables access to the root account. To do so, use the passwd command:

# passwd -d root
Removing password for user root.
passwd: Success

CentOS / RHEL 5 : How to password-protect single user mode

Locking down single-user mode in RHEL5 requires editing /boot/grub/grub.conf and /etc/inittab files.

1. Define the single-user login shell in /etc/inittab by adding the line below:

# vi /etc/inittab
...
su:S:wait:/sbin/sulogin

Or you can use output redirection to append the entry to /etc/inittab:

# echo "su:S:wait:/sbin/sulogin" >>/etc/inittab

2. Doing the above results in single-user mode showing the same login prompt normally seen in emergency (maintenance) mode:

[Screenshot: RHEL 5 password-protected single user mode]

CentOS / RHEL 6 : How to password-protect single user mode

Locking down single-user mode in RHEL6 requires editing /boot/grub/grub.conf and /etc/sysconfig/init.

1. Change the definition of the single-user login shell in /etc/sysconfig/init from sushell to sulogin:

# vi /etc/sysconfig/init
...
# Set to '/sbin/sulogin' to prompt for password on single-user mode
# Set to '/sbin/sushell' otherwise
SINGLE=/sbin/sulogin       <--- changed from sushell to sulogin
...

2. Alternatively, use sed to change the required line directly:

# sed -i "s,^SINGLE=.*,SINGLE=/sbin/sulogin," /etc/sysconfig/init

3. Doing the above results in single-user mode showing the same login prompt normally seen in emergency (maintenance) mode, as shown below:

[Screenshot: RHEL 6 password-protected single user mode]
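As an added example that is not part of the original article, the script below audits the root-lockdown items described on this page (the root shell in /etc/passwd, the root password field in /etc/shadow, the sulogin entry for single-user mode in the RHEL 5 inittab or RHEL 6 sysconfig/init form, and a GRUB password). Each function takes the file to inspect as an argument, so it runs against the constructed sample files it writes to a temp directory, or against the real /etc/passwd, /etc/shadow, /etc/sysconfig/init, /etc/inittab and /boot/grub/grub.conf on a host (reading /etc/shadow needs root). The shadow check distinguishes an empty password field (what `passwd -d root` leaves behind) from a locked one (`!`-prefixed, what `passwd -l root` leaves behind), because pam_unix treats them differently: with its nullok option an empty field accepts an empty password. All hashes and file contents in the samples are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): audit the root-lockdown
# settings the article describes, from files passed as arguments.

# root_shell PASSWD_FILE -> root's login shell (field 7 of the root entry)
root_shell() {
    awk -F: '$1 == "root" { print $7 }' "$1"
}

# root_password_state SHADOW_FILE -> empty | locked | set
#   empty  : blank field, what "passwd -d root" leaves behind
#   locked : '!'-prefixed or '*' field, what "passwd -l root" leaves behind
#   set    : a password hash is present
root_password_state() {
    _field=$(awk -F: '$1 == "root" { print $2 }' "$1")
    case "$_field" in
        "")       echo empty ;;
        "!"*|"*") echo locked ;;
        *)        echo set ;;
    esac
}

# single_user_state SYSCONFIG_INIT INITTAB -> protected | unprotected
# protected when either the RHEL 6 SINGLE= setting or the RHEL 5 inittab
# entry hands single-user mode to /sbin/sulogin
single_user_state() {
    if grep -q '^SINGLE=/sbin/sulogin' "$1" 2>/dev/null ||
       grep -q '^su:S:wait:/sbin/sulogin' "$2" 2>/dev/null; then
        echo protected
    else
        echo unprotected
    fi
}

# grub_password_state GRUB_CONF -> set | unset, from a top-level "password"
# line in grub.conf (both the --md5 and --encrypted forms start that way)
grub_password_state() {
    if grep -q '^password' "$1" 2>/dev/null; then echo set; else echo unset; fi
}

# audit_root_lockdown PASSWD SHADOW SYSCONFIG_INIT INITTAB GRUB_CONF
# prints one line per finding; the return value is the number of findings
audit_root_lockdown() {
    _n=0
    _v=$(root_shell "$1")
    [ "$_v" = "/sbin/nologin" ] || { echo "root shell is $_v, not /sbin/nologin"; _n=$((_n + 1)); }
    _v=$(root_password_state "$2")
    [ "$_v" != "set" ] || { echo "root password is set"; _n=$((_n + 1)); }
    [ "$_v" != "empty" ] || echo "note: root password field is empty (passwd -d); pam_unix with nullok accepts an empty password"
    _v=$(single_user_state "$3" "$4")
    [ "$_v" = "protected" ] || { echo "single-user mode drops to a shell without a password"; _n=$((_n + 1)); }
    _v=$(grub_password_state "$5")
    [ "$_v" = "set" ] || { echo "GRUB has no password; boot arguments can be edited"; _n=$((_n + 1)); }
    return $_n
}

# audit_dir DIR -> run the audit on DIR/{passwd,shadow,init,inittab,grub.conf}
audit_dir() {
    audit_root_lockdown "$1/passwd" "$1/shadow" "$1/init" "$1/inittab" "$1/grub.conf"
}

# Constructed sample files: a "stock" install and one after the lockdown steps.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/stock" "$WORK/locked"
printf 'root:x:0:0:root:/root:/bin/bash\njohn:x:500:500::/home/john:/bin/bash\n' > "$WORK/stock/passwd"
printf 'root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15000:0:99999:7:::\n' > "$WORK/stock/shadow"
printf 'SINGLE=/sbin/sushell\n' > "$WORK/stock/init"
printf 'id:3:initdefault:\n' > "$WORK/stock/inittab"
printf 'default=0\ntimeout=5\n' > "$WORK/stock/grub.conf"
printf 'root:x:0:0:root:/root:/sbin/nologin\njohn:x:500:500::/home/john:/bin/bash\n' > "$WORK/locked/passwd"
printf 'root:!!:15000:0:99999:7:::\n' > "$WORK/locked/shadow"
printf 'SINGLE=/sbin/sulogin\n' > "$WORK/locked/init"
printf 'id:3:initdefault:\nsu:S:wait:/sbin/sulogin\n' > "$WORK/locked/inittab"
printf 'default=0\npassword --md5 $1$CONSTRUCTED$PLACEHOLDERHASH\n' > "$WORK/locked/grub.conf"

for _scenario in stock locked; do
    echo "== $_scenario =="
    audit_dir "$WORK/$_scenario" && echo "no findings"
done
```

On a real host the equivalent call is `audit_root_lockdown /etc/passwd /etc/shadow /etc/sysconfig/init /etc/inittab /boot/grub/grub.conf`; a non-zero exit status is the count of items still open, which makes the script usable from a configuration-check job.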