Linux SSH Configuration And How To Disable SSH Direct Root Login

May 21, 2011

SSH (Secure Shell) is the standard protocol for remote login. It provides an encrypted, authenticated channel to a remote machine: you log in over the network and execute commands as if you were sitting at the machine. SSH has replaced telnet and the other insecure remote shell protocols, which sent everything, passwords included, in plain text; with SSH only encrypted data crosses the network. This article covers some general options for configuring the SSH server, sshd.

Configuration File

The configuration file for the SSH daemon (sshd) is /etc/ssh/sshd_config. Like most configuration files it is owned by root and writable only by root. It contains keyword-argument pairs, one per line, that control the daemon's behaviour; an example of such a pair is "Port 2222" (explained later). Keywords are case-insensitive and arguments are case-sensitive, lines beginning with "#" are comments, and when a keyword appears more than once the first value is the one used, so a hardening line appended to the end of the file has no effect if the same keyword was already set earlier. Check the file with "sshd -t" after editing and then restart or reload sshd for the change to take effect.

Here are some of the important options for SSH server.

Disable Direct Root Login

The PermitRootLogin keyword decides whether root may log in over SSH at all. At the time of writing root is allowed by default, so the default value is "yes" (OpenSSH 7.0 and later changed the default to "prohibit-password"). To disable root login entirely, use:

PermitRootLogin no

Another value for this keyword is "without-password" (spelled "prohibit-password" in current OpenSSH, which still accepts the old name). It refuses password authentication for root but still lets root in with a public key. "no" is the safer choice: log in as an unprivileged user and use su or sudo, which also leaves a record of who became root.

ListenAddress

With the ListenAddress keyword you specify the local address on which the SSH server accepts connections. The default is to listen on every address configured on the system. You can restrict it to a specific address, for example an internal management interface, and the keyword may be given more than once to listen on several:

ListenAddress 192.168.1.1

Service Port

The keyword "Port" specifies the TCP port on which SSH connections are accepted. The default is 22, but you can choose your own; it may be given more than once to listen on several ports. Moving off port 22 cuts down the noise from automated scanners in your logs, but it is not a security control on its own and is no substitute for the authentication settings below. For example:

Port 2222

PasswordAuthentication

The PasswordAuthentication option specifies whether users may authenticate with a password. The default is "yes":

PasswordAuthentication yes

Once users' public keys are installed in their ~/.ssh/authorized_keys files, set it to "no" so that password guessing against SSH becomes impossible. Do this only after confirming from a second session that key-based login works, or you will lock yourself out.

PermitEmptyPasswords

PermitEmptyPasswords specifies whether users whose accounts have an empty password may log in. It only matters when PasswordAuthentication is "yes". The default is "no", and it should stay that way:

PermitEmptyPasswords no

PrintMotd

When a user logs in to a Linux system interactively, a message is printed after a successful login. It comes from the "Message of the Day" file, /etc/motd. PrintMotd specifies whether sshd itself should print /etc/motd. The default is "yes"; on systems where PAM already prints the motd (most current Linux distributions), the packaged sshd_config sets it to "no" so the message is not printed twice.

PrintMotd no

PrintLastLog

Along with /etc/motd, the details of the user's last login (date, time and the host it came from) are printed. PrintLastLog switches this message on or off. The default is "yes", and it is worth keeping: a user who notices a last login they did not make is an early warning of a compromised account.

PrintLastLog yes

AllowUsers

The AllowUsers keyword gives the list of users allowed to log in over SSH, separated by white space. Once it is set, every user not in the list is refused, so make sure your own account is listed before restarting sshd:

AllowUsers bob alice

By default, with no AllowUsers line, all users are allowed. Entries may also take the form user@host to admit a user only from a particular source host.

DenyUsers

Users who must not log in over SSH are listed with DenyUsers, in the same format:

DenyUsers kevin

If a username is present in both AllowUsers and DenyUsers, the denial wins: sshd evaluates these directives in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and a user refused by DenyUsers is not reconsidered by the later directives.

MaxAuthTries

MaxAuthTries limits the number of authentication attempts permitted per connection:

MaxAuthTries 3

This sets the maximum to 3. The default value is 6. Once the number of failures reaches half the limit, further failures are logged, and when the limit is reached the connection is dropped. An attacker can simply reconnect, so this slows a brute-force attack rather than stopping it, which is one more reason to disable password authentication. Note that every public key a client offers also counts as an attempt, so a user with many keys loaded in an agent can hit the limit before the right key is tried.
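The following script is an added example, not code from the original article. It puts the options discussed above (PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, MaxAuthTries, AllowUsers and DenyUsers) to work: it audits a constructed weak sshd_config against a constructed hardened one, shows that a duplicate keyword later in the file is ignored because sshd uses the first value, and reproduces the DenyUsers-before-AllowUsers decision for a given user. The two config texts are made up for illustration; the parsing rules follow sshd_config(5), and Match blocks are not handled.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for the
# keywords discussed above and reproduce sshd's AllowUsers/DenyUsers decision.
# Assumptions: the two config texts below are constructed samples; parsing
# follows sshd_config(5): '#' starts a comment, keywords are case-insensitive,
# the FIRST value given for a keyword wins, and Match blocks are not handled.

# Constructed sample 1: a weak configuration. The second PermitRootLogin line
# is ignored by sshd because the first occurrence already set it to "yes".
WEAK_CONFIG='
# /etc/ssh/sshd_config (constructed, weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 10
AllowUsers bob alice kevin
DenyUsers kevin
# too late: the first value wins
PermitRootLogin no
'

# Constructed sample 2: the same file with the hardened values.
HARDENED_CONFIG='
Port 2222
ListenAddress 192.168.1.1
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
PrintMotd no
PrintLastLog yes
AllowUsers bob alice
DenyUsers kevin
'

# effective_value CONFIG_TEXT KEYWORD -> prints the argument sshd would use
# (first non-comment occurrence), or nothing if the keyword is absent.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")
            sub(/[ \t]+$/, "")
            print; exit
        }'
}

# check_setting CONFIG_TEXT KEYWORD ACCEPTED_REGEX DEFAULT REASON
# Prints "FAIL ..." and returns 1 when the effective value is not accepted.
# DEFAULT is what sshd assumes when the keyword is absent from the file.
check_setting() {
    val="$(effective_value "$1" "$2")"
    [ -n "$val" ] || val="$4"
    if printf '%s' "$val" | grep -Eq "$3"; then
        return 0
    fi
    echo "FAIL $2=$val ($5)"
    return 1
}

# audit_config CONFIG_TEXT -> prints findings; exit status is the finding count.
# Defaults follow the article (PermitRootLogin defaulted to "yes" in 2011;
# OpenSSH 7.0 and later default to "prohibit-password").
audit_config() {
    n=0
    check_setting "$1" PermitRootLogin '^(no|prohibit-password|without-password)$' yes \
        'disable direct root login' || n=$((n + 1))
    check_setting "$1" PasswordAuthentication '^no$' yes \
        'use public-key authentication instead of passwords' || n=$((n + 1))
    check_setting "$1" PermitEmptyPasswords '^no$' no \
        'never accept null passwords' || n=$((n + 1))
    check_setting "$1" MaxAuthTries '^[1-6]$' 6 \
        'limit authentication attempts per connection' || n=$((n + 1))
    return "$n"
}

# user_allowed CONFIG_TEXT USER -> 0 if USER passes the AllowUsers/DenyUsers
# checks, 1 otherwise. DenyUsers is evaluated before AllowUsers, as sshd does.
# Exact usernames only; real sshd also accepts patterns and user@host forms.
user_allowed() {
    for u in $(effective_value "$1" DenyUsers); do
        [ "$u" = "$2" ] && return 1
    done
    allow="$(effective_value "$1" AllowUsers)"
    [ -n "$allow" ] || return 0
    for u in $allow; do
        [ "$u" = "$2" ] && return 0
    done
    return 1
}

# Stand-alone demonstration on the two constructed samples.
echo "== weak config =="
audit_config "$WEAK_CONFIG" || echo "$? finding(s)"
echo "== hardened config =="
audit_config "$HARDENED_CONFIG" && echo "clean"
for u in bob kevin mallory; do
    if user_allowed "$HARDENED_CONFIG" "$u"; then echo "$u: allowed"; else echo "$u: denied"; fi
done
```

On a real host, prefer asking sshd itself: "sshd -t" validates the syntax of /etc/ssh/sshd_config, and "sshd -T" prints the effective value of every keyword after defaults and first-wins merging (add "-C user=bob,host=example,addr=192.168.1.5" to see what a Match block would yield for that client). The parser above exists only so the example runs offline on the embedded samples.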
