Allow root to login via SSH

Generally, on a hardened Linux system the root user is not allowed to log in to the server over SSH directly. But from time to time you might be working on your own little sandbox and want to enable direct root SSH login.

Here are the sshd configuration keywords (in /etc/ssh/sshd_config) you need to check and modify accordingly:

PermitRootLogin

Set it to “yes”. Do not rely on the keyword being commented out: older OpenSSH releases defaulted to “yes”, but since OpenSSH 7.0 the built-in default is “prohibit-password” (the older spelling “without-password” is still accepted), which lets root in only with public-key or other non-password methods and refuses root password logins; “forced-commands-only” is stricter again, and “no” refuses root entirely. Only the first PermitRootLogin line sshd reads is used, so check for an earlier occurrence, including in any file pulled in by an Include directive, and confirm the effective value with “sshd -T | grep -i permitrootlogin” after reloading sshd.

DenyUsers
AllowUsers
DenyGroups
AllowGroups

If any of these keywords is set (uncommented), make sure that root is not matched by DenyUsers, that none of root's groups is matched by DenyGroups, that root is matched by AllowUsers if that keyword is present, and that at least one of root's groups is matched by AllowGroups if that one is present. Setting AllowUsers means only the listed users can log in at all, and AllowGroups does the same for groups; when both are set, root has to satisfy both. Patterns may use the “*” and “?” wildcards.

The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. All of the specified user and group tests must succeed before a user is allowed to log in.

Using DenyGroups or AllowGroups is a good idea because you can change group membership instead of editing sshd_config every time you need to allow or disallow a user, and you don't have to reload sshd: the group lists are checked against the user's groups at login time. A membership change therefore applies to the next connection and does not cut off sessions that are already open.
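As an added example (not code from the original post or from OpenSSH), the script below replays those checks in sshd's order against an sshd_config file, so you can ask "would this user get past PermitRootLogin and the Allow/Deny lists?" without a live login attempt. It assumes plain "Keyword value" lines with no Match blocks or Include directives, and patterns using only the * and ? wildcards (no user@host forms); the two configuration files it evaluates are constructed samples written to temporary files.

```shell
#!/bin/sh
# Added example (not OpenSSH's code and not from the original post): replay
# the checks sshd applies to a login name against an sshd_config file, in
# sshd's order: PermitRootLogin, DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# Assumptions: "Keyword value" syntax with no Match blocks or Include lines,
# and patterns using only the * and ? wildcards (no user@host forms).

# cfg_get CFG KEYWORD MODE: print the value tokens of KEYWORD from CFG, one
# per line. Keywords are case-insensitive; comment and blank lines are skipped.
# MODE=first prints only the first occurrence (sshd uses the first value for
# PermitRootLogin); MODE=all prints every occurrence, since the Allow/Deny
# lists accumulate across lines.
cfg_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v mode="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key {
            for (i = 2; i <= NF; i++) print $i
            if (mode == "first") exit
        }' "$1"
}

# list_match CFG KEYWORD NAME...: 0 if any NAME matches a pattern listed
# under KEYWORD, 1 if patterns exist but none match, 2 if KEYWORD is unset.
list_match() {
    cfg=$1; key=$2; shift 2
    lm=2
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        if [ $lm -eq 2 ]; then lm=1; fi
        for name in "$@"; do
            # $pat is deliberately unquoted: sshd patterns use * and ? like shell globs
            case $name in $pat) lm=0 ;; esac
        done
    done <<EOF
$(cfg_get "$cfg" "$key" all)
EOF
    return $lm
}

# ssh_login_allowed CFG USER GROUP...: 0 if sshd would let USER (a member of
# the listed groups) past these checks, 1 if not. Prints the verdict.
ssh_login_allowed() {
    cfg=$1; user=$2; shift 2
    if [ "$user" = root ]; then
        prl=$(cfg_get "$cfg" PermitRootLogin first)
        # OpenSSH 7.0+ defaults to prohibit-password (older releases: yes).
        # Only "no" refuses root outright; the other values only limit the
        # authentication methods root may use.
        if [ "${prl:-prohibit-password}" = no ]; then
            echo "refused: PermitRootLogin no"; return 1
        fi
    fi
    if list_match "$cfg" DenyUsers "$user"; then
        echo "refused: $user matches DenyUsers"; return 1
    fi
    rc=0; list_match "$cfg" AllowUsers "$user" || rc=$?
    if [ $rc -eq 1 ]; then
        echo "refused: $user is not listed in AllowUsers"; return 1
    fi
    if list_match "$cfg" DenyGroups "$@"; then
        echo "refused: a group of $user matches DenyGroups"; return 1
    fi
    rc=0; list_match "$cfg" AllowGroups "$@" || rc=$?
    if [ $rc -eq 1 ]; then
        echo "refused: no group of $user is listed in AllowGroups"; return 1
    fi
    echo "allowed: $user passes the PermitRootLogin and Allow/Deny checks"
}

# Constructed sample configs (not real servers' files) to exercise the checks.
SANDBOX_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
trap 'rm -f "$SANDBOX_CFG" "$HARDENED_CFG"' EXIT
printf '%s\n' '# sandbox: root allowed, gated by group' \
    'PermitRootLogin yes' 'DenyUsers guest*' 'AllowGroups wheel sshusers' > "$SANDBOX_CFG"
printf '%s\n' '# hardened host' \
    'PermitRootLogin no' 'AllowUsers alice' 'AllowGroups sshusers' > "$HARDENED_CFG"

# Stand-alone demo; on a live host feed the real file and the real groups:
#   ssh_login_allowed /etc/ssh/sshd_config root $(id -Gn root)
for cfg in "$SANDBOX_CFG" "$HARDENED_CFG"; do
    ssh_login_allowed "$cfg" root root wheel
done
```

The group arguments stand in for what sshd computes from the passwd and group databases, so on a live host pass the output of id -Gn for the account in question. The function returns a non-zero status on refusal, which makes it usable from a hardening check script.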

One thing to note is that on Red Hat systems PAM is used (UsePAM yes). See the snippet below from the stock sshd_config file:

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux
# and may cause several  problems.
UsePAM yes

So pam_listfile.so (or another module in the account stack) may be used by PAM to control which users, root included, can log in, independently of anything in sshd_config. Check /etc/pam.d/sshd for such entries, and on Red Hat systems also the password-auth and system-auth stacks it includes. The comment block above also matters for root: with UsePAM yes, PAM authentication via ChallengeResponseAuthentication may bypass PermitRootLogin without-password, so if you intend root to use keys only, set ChallengeResponseAuthentication and PasswordAuthentication to no as well.
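As an added example (not from the original post, Red Hat or Linux-PAM), the script below scans a pam.d service file for pam_listfile.so entries keyed on the login name and reports what each would do for a given user. It assumes the standard "type control module args" line format and evaluates only item=user entries, without combining control flags into an overall stack result; the pam.d file and the denylist it reads are constructed samples written to temporary files.

```shell
#!/bin/sh
# Added example (not from the original post, not Red Hat's or Linux-PAM's code):
# scan a pam.d service file for pam_listfile.so entries that key on the login
# name and report what each would do for a given user. Assumes the usual
# "type control module args" line format and item=user entries; entries keyed
# on other items (tty, group, ...) are reported but not evaluated, and control
# flags are shown but not combined into an overall stack result.

# pam_listfile_verdict PAMFILE USER: prints one line per pam_listfile.so
# entry; returns 1 if any item=user entry would refuse USER, 0 otherwise.
pam_listfile_verdict() {
    pamfile=$1; user=$2; verdict=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
            *pam_listfile.so*) ;;
            *) continue ;;
        esac
        set -- $line                 # $1=type (auth/account/...), $2=control
        item=; sense=; listfile=; onerr=
        for arg in "$@"; do
            case $arg in
                item=*)  item=${arg#item=} ;;
                sense=*) sense=${arg#sense=} ;;
                file=*)  listfile=${arg#file=} ;;
                onerr=*) onerr=${arg#onerr=} ;;
            esac
        done
        if [ "$item" != user ]; then
            echo "skipped: $1 $2 pam_listfile item=$item (not evaluated here)"
            continue
        fi
        if [ ! -r "$listfile" ]; then
            # pam_listfile treats an unreadable list as an error; only
            # onerr=succeed turns that into a pass.
            if [ "$onerr" = succeed ]; then
                echo "passed: $1 $2 list $listfile unreadable, onerr=succeed"
            else
                echo "refused: $1 $2 list $listfile unreadable (onerr=${onerr:-unset})"
                verdict=1
            fi
            continue
        fi
        # The list holds one name per line; match the whole line literally.
        if grep -qxF -- "$user" "$listfile"; then listed=yes; else listed=no; fi
        case "$sense/$listed" in
            deny/yes|allow/no)
                echo "refused: $1 $2 sense=$sense, $user listed=$listed in $listfile"
                verdict=1 ;;
            *)
                echo "passed: $1 $2 sense=$sense, $user listed=$listed in $listfile" ;;
        esac
    done < "$pamfile"
    return $verdict
}

# Constructed sample: a denylist containing root, wired into a pam.d file
# shaped like Red Hat's /etc/pam.d/sshd (not a real system file).
DENYLIST=$(mktemp); PAM_SSHD=$(mktemp)
trap 'rm -f "$DENYLIST" "$PAM_SSHD"' EXIT
printf '%s\n' root guest > "$DENYLIST"
printf '%s\n' '#%PAM-1.0' \
    'auth       substack     password-auth' \
    'account    required     pam_nologin.so' \
    "account    required     pam_listfile.so item=user sense=deny file=$DENYLIST onerr=succeed" \
    'account    include      password-auth' > "$PAM_SSHD"

# Stand-alone demo; on a live Red Hat host run it against /etc/pam.d/sshd.
pam_listfile_verdict "$PAM_SSHD" root
pam_listfile_verdict "$PAM_SSHD" alice
```

A refusal here is reported for each entry on its own, so an entry marked sufficient or optional still shows up as "refused" and you decide from the control flag whether it actually ends the stack.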
