How to Enable SSH on Debian 9

In this article, we will show you how to enable root access for SSH on a Debian 9 server.

Before we start with setting up our SSH service, we need to know what SSH actually is. SSH stands for Secure Shell and it is a UNIX-based command interface and protocol which usually is used to gain secure access to a remote machine. Luckily, SSH is turned on by default on a Debian 9 Server install. While SSH is turned on, we also know that a fresh installation of Debian 9 comes with root access disabled, which means you will not be able to log in directly to your server via SSH as the root user. However, you will be able to run commands with the same authority as the root user when using the ‘sudo’ prefix on your commands. If you are constantly working on your server and you need root access, it’s more comfortable to log in directly as a root user instead of using the ‘sudo’ command all the time.

We can also configure SSH to allow specific users or groups, as well as blacklisting certain users or groups from having access which can make server management a lot easier. Let’s get started.

Several requirements should be met before we can continue.

Requirements:

• A server running Debian 9 or later
• Access via SSH to your VPS
• A regular user that can use ‘su’ or ‘sudo’ to gain root privileges

Log in to your Debian VPS via SSH as a user with ‘sudo’ privileges:

ssh user_name@Server_IP_Address -p Port_Number

Enable SSH Root Login

We need to edit the main SSH configuration file ‘sshd_config‘ so we can enable logging directly as root. In this tutorial, we will use nano as our text editor, but you can freely use any editor you want.

sudo nano /etc/ssh/sshd_config

Find the following line in the file.

#PermitRootLogin prohibit-password

There are two steps to enable the root login.

In the first step, uncomment the line by removing the # character at the beginning of the line, like the following example:

PermitRootLogin prohibit-password

In the second step, simply change the ‘prohibit-password’ to ‘yes’ like in the example shown below:

PermitRootLogin yes

When you finish editing the SSH configuration file, save it and restart the SSH service for the changes to take effect. You can do that by running the following command:

sudo systemctl restart ssh.service

Now when you try to log in as a root user, you should receive an output like this:

login as: root
root@Server_IP_Address password:
Linux hostname 2.6.32-042stab131.1 #1 SMP Wed Jun 20 16:32:07 MSK 2018 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@hostname:~#

Controlling SSH User Logins

If your system has a large number of user accounts, then you can use this section and see how you can limit the remote access to your server.

Open the SSH configuration file/etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

There are several options used which will allow or deny access to your server via SSH.

Allowing Users

The first option is to allow a specific user to have remote access to your server via SSH.

Go to the bottom of the SSH configuration file and add AllowUsers on a new line. You can add multiple users by specifying their usernames using a space between them. For example, we will configure users ‘test1’ and ‘test2’ to have access via SSH using:

AllowUsers test1 test2

Once the changes have been made, you need to restart the SSH service.

sudo systemctl restart ssh

Note that all other users who are not in the AllowUsers list will not be able to access the system via SSH.

Allowing Groups

The second option is to allow the entire group to have remote access to your server via SSH.

Go to the bottom of the SSH configuration file and add/edit AllowGroups on a new line. You can add the allowed groups by using a space between them. For example, group ‘root’ and ‘test_group’ will have access to remote SSH if we configure SSH like this:

AllowGroups root test_group

Only those who are in the groups ‘root’ and ‘test_group’ will now be able to connect to the server remotely via SSH.

Restart the SSH service to take effect the changes.

sudo systemctl restart ssh

Denying Users

The third option is to disable or deny SSH access to certain users. This is quite similar to allowing a user or group, with only the keyword changing between them.

Open your SSH configuration file and add/edit DenyUsers on a new line. You can add the denied users by using a space between their usernames. In the next example, user ‘test1’ and ‘test2’ will not have access to remote SSH:

DenyUsers test1 test2

All other users not specified in the DenyUsers list will be able to access the server via SSH.

Restart SSH service to take effect the changes.

sudo systemctl restart ssh

Denying Groups

The fourth option is to disable or deny SSH access to an entire group. Just like denying a user, denying a group can be done with just a simple keyword in the configuration file.

Open your SSH configuration file and add/edit DenyGroups as a new line. You can add the denied groups by using a space between. For example, group ‘root’ and ‘test_group’ will not have access to remote SSH.

DenyGroups root test_group

Only those who are not in the groups ‘root’ and ‘test_group’ will be able to connect to the server remotely via SSH.

That’s it! In this tutorial, we’ve learned how to enable root login on SSH on your server, and we also showed you how to configure your server’s SSH permissions for individual users or for an entire group.

If you use one of our Managed VPS Support services, you can simply ask our system administrators to enable root login through SSH on your Debian server, or allow/deny users and groups access. They are available 24/7 and will take care of your request immediately, along with any other requests that you may have.

PS. If you find this blog post useful, please share it with your friends via social media networks, or if you have any questions please leave a comment below and we will reply to it. Thanks!