Linux SSH Configuration And How To Disable SSH Direct Root Login

SSH (Secure Shell) is a protocol for remote login. It provides encrypted, secure communication for accessing a remote machine: you can log in to a machine on the network and execute commands on it as if you were sitting at it locally. SSH has replaced telnet and other insecure remote shell protocols. In telnet, all data, including passwords, was sent in plain text. In SSH, only encrypted data is transferred over the network. This article covers some general options for configuring the SSH server.

Configuration File

The configuration file for the SSH daemon is “/etc/ssh/sshd_config”. Like most configuration files, it is writable only by root. It contains keyword-argument pairs that control the behavior of the SSH daemon. An example of such a pair is "port 2222" (explained later).

Here are some of the important options for SSH server.

Disable Direct Root Login

The 'PermitRootLogin' keyword decides whether root is allowed to SSH to the machine. The root user is allowed by default, so the default value is "yes". To disable root login, use 'PermitRootLogin no'.
Another option available for this keyword is "without-password", which disables password authentication for root.


With ListenAddress keyword, you can specify the address at which your SSH server listens for requests. The default is to listen to all the addresses available for your system. But you can limit by specifying specific addresses like:


Service Port

The keyword "Port" is used to specify the port at which SSH connections are accepted. The default port for SSH service is 22. But you can specify your own port. For example:

Port 2222


PasswordAuthentication option specifies whether the authentication should be through passwords. The default is "yes".

PasswordAuthentication yes


PermitEmptyPasswords tells if the users can login to the accounts with null passwords or not. For this option, PasswordAuthentication must be set to yes.

PermitEmptyPasswords no

The default is "no".


When a user logs in to a Linux system interactively, a message is printed after successful login. This message comes from the "Message of The Day" file, “/etc/motd”. PrintMotd specifies whether “/etc/motd” should be printed by SSH or not. The default is "yes".

PrintMotd no


Along with /etc/motd, the details (like date and time) of the user's last login are also printed. The PrintLastLog option turns this message on or off. The default argument is "yes".

PrintLastLog yes


The list of users allowed to SSH is given by the AllowUsers keyword. The usernames are separated by white space.

AllowUsers bob alice

By default, all users are allowed.


Users who are not allowed to log in through SSH are specified with DenyUsers.

DenyUsers kevin

If a username is present in both AllowUsers and DenyUsers, the two are processed in the order DenyUsers, then AllowUsers, i.e. DenyUsers is read before AllowUsers.


To limit the maximum number of login attempts per SSH connection, MaxAuthTries is used.

MaxAuthTries 3

It will set the maximum number of authentication attempts to 3. The default value is 6.
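
The options above can be checked together with a small audit script. This is an added example, not part of the original article: it parses sshd_config text, applies sshd's rule that the first value read for a keyword wins, and reports risky settings. Assumptions: the defaults are the ones this article states, the sample config is constructed, the threshold of 3 comes from the MaxAuthTries example, and Match blocks, Include files and user patterns are not handled.

```python
# Defaults as stated in this article (assumption; check your OpenSSH version).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
            "permitemptypasswords": "no", "maxauthtries": "6"}

# Constructed sample config, not taken from a real host.
SAMPLE = """\
Port 2222
permitrootlogin no
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
AllowUsers bob alice kevin
DenyUsers kevin
"""

def parse(text):
    """Return {lowercased keyword: [argument string per occurrence]}."""
    cfg = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # skip blank lines and comments
        cfg.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return cfg

def effective(cfg, key):
    # sshd keeps the first value it reads for a keyword; later duplicates are ignored.
    return cfg.get(key, [DEFAULTS[key]])[0].strip().lower()

def findings(cfg):
    out = []
    if effective(cfg, "permitrootlogin") == "yes":
        out.append("root can log in directly")
    # PermitEmptyPasswords only matters when password authentication is on.
    if (effective(cfg, "passwordauthentication") == "yes"
            and effective(cfg, "permitemptypasswords") == "yes"):
        out.append("accounts with empty passwords can log in")
    if int(effective(cfg, "maxauthtries")) > 3:  # 3 is this article's example value
        out.append("MaxAuthTries above 3")
    return out

def user_allowed(cfg, user):
    # Collects plain names from every DenyUsers/AllowUsers line (no patterns).
    deny = [u for arg in cfg.get("denyusers", []) for u in arg.split()]
    allow = [u for arg in cfg.get("allowusers", []) for u in arg.split()]
    if user in deny:  # DenyUsers is checked before AllowUsers
        return False
    return not allow or user in allow  # no AllowUsers line: everyone is allowed

if __name__ == "__main__":
    print(findings(parse(SAMPLE)), user_allowed(parse(SAMPLE), "kevin"))
```

On a live system, `sshd -T` prints the effective configuration and is the authoritative check; the script shows why a duplicated keyword further down the file has no effect.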

Bobbin Zachariah 6:04 pm
