In this article, we will show you how to enable root access for SSH on a Debian 9 server.
We can also configure SSH to allow only specific users or groups, or to deny specific users or groups, which can make server management a lot easier. Let’s get started.
Several requirements should be met before we can continue.
Requirements:
- A server running Debian 9 or later
- Access via SSH to your VPS
- A regular user that can use ‘su’ or ‘sudo’ to gain root privileges
Log in to your Debian VPS via SSH as a user with ‘sudo’ privileges:
ssh user_name@Server_IP_Address -p Port_Number
Enable SSH Root Login
We need to edit the main SSH configuration file ‘sshd_config’ so we can enable logging in directly as root. In this tutorial, we will use nano as our text editor, but you can freely use any editor you want.
sudo nano /etc/ssh/sshd_config
Find the following line in the file.
#PermitRootLogin prohibit-password
There are two steps to enable the root login.
In the first step, uncomment the line by removing the # character at the beginning of the line, like the following example:
PermitRootLogin prohibit-password
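In the second step, change ‘prohibit-password’ to ‘yes’, as in the example shown below. With ‘prohibit-password’, root can log in only with key-based authentication; ‘yes’ also allows root to log in with a password.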
PermitRootLogin yes
When you finish editing the SSH configuration file, save it and restart the SSH service for the changes to take effect. You can do that by running the following command:
sudo systemctl restart ssh.service
Now when you try to log in as a root user, you should receive an output like this:
login as: root
root@Server_IP_Address password:
Linux hostname 2.6.32-042stab131.1 #1 SMP Wed Jun 20 16:32:07 MSK 2018 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@hostname:~#
Controlling SSH User Logins
If your system has a large number of user accounts, this section shows how you can limit remote access to your server.
Open the SSH configuration file /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
Several options allow or deny access to your server via SSH.
Allowing Users
The first option is to allow a specific user to have remote access to your server via SSH.
Go to the bottom of the SSH configuration file and add AllowUsers on a new line. You can add multiple users by specifying their usernames with a space between them. For example, we will configure users ‘test1’ and ‘test2’ to have access via SSH using:
AllowUsers test1 test2
Once the changes have been made, you need to restart the SSH service.
sudo systemctl restart ssh
Note that all other users who are not in the AllowUsers list will not be able to access the system via SSH.
Allowing Groups
The second option is to allow the entire group to have remote access to your server via SSH.
Go to the bottom of the SSH configuration file and add/edit AllowGroups on a new line. You can add the allowed groups with a space between them. For example, groups ‘root’ and ‘test_group’ will have access to remote SSH if we configure SSH like this:
AllowGroups root test_group
Only those who are in the groups ‘root’ and ‘test_group’ will now be able to connect to the server remotely via SSH.
Restart the SSH service for the changes to take effect.
sudo systemctl restart ssh
Denying Users
The third option is to disable or deny SSH access to certain users. This is quite similar to allowing a user or group, with only the keyword changing between them.
Open your SSH configuration file and add/edit DenyUsers on a new line. You can add the denied users with a space between their usernames. In the next example, users ‘test1’ and ‘test2’ will not have access to remote SSH:
DenyUsers test1 test2
All other users not specified in the DenyUsers list will be able to access the server via SSH.
Restart the SSH service for the changes to take effect.
sudo systemctl restart ssh
Denying Groups
The fourth option is to disable or deny SSH access to an entire group. Just like denying a user, denying a group can be done with just a simple keyword in the configuration file.
Open your SSH configuration file and add/edit DenyGroups on a new line. You can add the denied groups with a space between them. For example, groups ‘root’ and ‘test_group’ will not have access to remote SSH:
DenyGroups root test_group
Only those who are not in the groups ‘root’ and ‘test_group’ will be able to connect to the server remotely via SSH.
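How the four directives combine when more than one is set, as an added example that is not part of the original tutorial: sshd checks DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, and a login must pass every one that is set. The script is a simplified model with exact name matching only (no wildcard or user@host patterns); the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: simplified model of sshd's user/group access checks.
# Assumption: exact name matching only (no wildcards, no user@host).

# Print all values of a keyword; keywords are case-insensitive and
# repeated lines accumulate.
directive_values() {  # $1 = keyword, $2 = config file
    awk -v kw="$1" 'tolower($1) == tolower(kw) {
        for (i = 2; i <= NF; i++) print $i }' "$2"
}

# Succeed if any word in $1 is also a word in $2.
any_in_list() {
    for name in $1; do
        for entry in $2; do
            [ "$name" = "$entry" ] && return 0
        done
    done
    return 1
}

# Print "allow" or "deny: <reason>" for a user and that user's groups.
ssh_access() {  # $1 = user, $2 = "group1 group2 ...", $3 = config file
    deny_users=$(directive_values DenyUsers "$3")
    allow_users=$(directive_values AllowUsers "$3")
    deny_groups=$(directive_values DenyGroups "$3")
    allow_groups=$(directive_values AllowGroups "$3")
    if any_in_list "$1" "$deny_users"; then echo "deny: DenyUsers"; return; fi
    if [ -n "$allow_users" ] && ! any_in_list "$1" "$allow_users"; then
        echo "deny: not in AllowUsers"; return
    fi
    if any_in_list "$2" "$deny_groups"; then echo "deny: DenyGroups"; return; fi
    if [ -n "$allow_groups" ] && ! any_in_list "$2" "$allow_groups"; then
        echo "deny: not in AllowGroups"; return
    fi
    echo "allow"
}

# Constructed sample configuration, not taken from a real server.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
AllowUsers test1 test2
DenyUsers test2
AllowGroups test_group
EOF

ssh_access test1 "test1 test_group" "$SAMPLE"
ssh_access test1 "test1" "$SAMPLE"
ssh_access test2 "test2 test_group" "$SAMPLE"
ssh_access root "root" "$SAMPLE"
```

On the server itself, sudo sshd -T prints the effective configuration that sshd has parsed, including these lists when they are set.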
That’s it! In this tutorial, we’ve learned how to enable root login on SSH on your server, and we also showed you how to configure your server’s SSH permissions for individual users or for an entire group.