Dave, I’ve been using ssh like a good Internet citizen to connect to my remote server, but for security reasons the ISP has disabled root login from ssh on every server. Problem is, I really need to be able to log in as root occasionally. How do I re-enable it?
First off, are you absolutely sure this is something that you really want to do? Remember, you should have a regular user account already, and it’s only a few extra keystrokes to ssh to your account, then use su or sudo to become root for specific tasks. That’s what I do, and that’s what I recommend too.
Further, you already know that you should have a really weird, impossible-to-break or guess root password, right? One tip: most Unixes let you have arbitrarily long passwords, so don’t hesitate to do something that’s more than the usual 6-8 characters, and, really, add some punctuation and mixed upper/lower case letters, at a minimum.
For example, my root password is . See what I mean?
More seriously, if you are convinced that you really do want to reenable root login through ssh then you’ll want to follow these two simple steps:
- Open up /etc/ssh/sshd_config and set “PermitRootLogin” to “yes”. (Your ISP probably set it to “without-password”)
- You also need to restart the sshd process. This is done by killing the existing one (use ps -aux|grep sshd to get the process ID, then use kill to zap it), then restarting /usr/sbin/sshd
Again, make me feel more secure. Make sure you really want to do this, and then make sure that you have a really solid, impossible to guess root password.
Yesterday one of my clients asked me to give them SSH priviledges to there home directory.
So I edited the SSHD_CONFIG file, and added the line:
#AllowUsers admin, client1, client2
and
#DenyUsers admin is stil mentioned in the file. Both lines are inactive because of the: #.
I am only able to log in with admin priviledges an not with root priviledges. And because I don’t have these priviledges I cannot restore the SSHD_CONFIG file with the original one.
Does anyone have any idea on how to change the SSHD_CONFIG file without root priviledges.
Alex van Rijs
instead of stopping and starting sshd, which will log you out, us ps -ef|grep sshd to find the pid, then # kill -HUP pid
That will restart sshd, and direct root login will now work. (Just don’t tell the security manager)
Our host lets us enable root access but then we cannot switch it off. We only want to change php.ini and to have ssh connection. It seems like overkill? What do you recommend
also check that at the bottom of the sshd_config file there are not any default deny root etc lines as well as the previous permitting root login.
d.
I was already successfully logging in as root without this setting enabled.
I was however getting “Access denied” printf itbetween the “Loging as…” and “…password:” printfs???
I may have root enabled but I also have a powerfull port guard called fail2ban.
3 wrong attemps and your IP is banned for long time.
This will avoid sshater scripts, brute forcing ssh with is not that hard to do.
take a look on how to setup fail2ban for ssh
http://felipeferreira.net/?p=47
WISSOO, I think I’d check the permissions of the enclosing directory in addition to the permissions and ownership of the file itself.
dave,
i’m getting the following error when im starting the ssh service: “/var/chroot/sshd should be owned by root not group or world-writable”. i changed the ownership to root.wheel but still, any idea?
thank you…. it helped for me in freebsd 5.5
forgot to add that I am trying not to use GUI, just the cli.
ok… but how to enable root to login on ubuntu? I have installed ssh and I can try to log in but after few seconds I receive Access Denied message.
Hi i cannot see any thing in the /etc/ssh/sshd_config. This comes up as blank ?? I am doing this as root remotly. Help
You can also use: service sshd restart
Ok. I just got to say it… What’s the big deal about allowing root login on ssh? Seriously. As you say: “make sure that you have a really solid, impossible to guess root password” well, that should be obvious for _every_ user account. Furthermore, if your basic user account has su or sudo access, you can su to root anyway so disabling root login has not gained you any security. Hacker figures out your user account password (because you used your birth date like you do on _all_ you accounts), then she logs in to your machine, su’s to root, makes the change in sshd_config and restarts ssh. Ok, now she has root login access. Moral of the story is make better passwords. The only thing the might happen with root login access is: you get a little drunk, forget you’re root and run ‘rm -Rf /*’. Opps, to bad you weren’t logged in as a regular user!
Hi Dave,
Great article!
I found an easier way to restart SSHD, so I thought I would share it:
/etc/init.d/sshd restart
Cheers,
Z-
Killing the sshd process as a remote user is rather dangerous. You will be logged out with no way to log back in. A better way to do this is to tell sshd to re-read its configuration file (as root):
kill -HUP process_id
Hi all,
i want also to access to another server using SSH but i don’t want that he asks me the passwrd?!
please help!
Hi,
I am using an already built filesystem on my board running on MIPS architecture. It does not hav a root nor home. I want to enable it. Please can you guide me?
regards,
chandru.
Dave,
I’m with you on advising against loging on directyly to root using SSH.
It’s hard to express how many problems that can cause and how insecure it may be compared to using the console provided by the hosting company.
That’s the safest way to do it and it isn’t that much slower or harder than directly loging on with SSH.
I certainly would never do it and would be interested in why he things he needs too log on that way.
F Woodman Jr