Search our site for answers
Help Docs Server Administration Linux Server Administration Setting Up Alternate SSH Users

Setting Up Alternate SSH Users

Enhance server security by disabling root SSH access and granting users 'superuser (su)' access for an additional layer of authentication.
Security
2 min read

In addition to setting up SSH Keys for your users to help keep your server secure, you can also disable root from having access over SSH. By allowing a user to have “superuser (su)” access rather than using root to log in via SSH, you create an extra level of authentication, making it more difficult for hackers to access your server.

  1. Once you’ve logged in to your server via SSH, you can add a new user to allow ssh and su access:
    useradd -G wheel sshuser
  2. Make sure to give them a password:
    passwd sshuser

    Warning:

    It is important that you test that the new user can log in and sudo su – to root. Follow the next step below to verify and avoid locking yourself out when you change the root ssh access.
  3. Test and make sure you can ssh in as the new user and sudo su – from the new user:
    [username: ~sampleuser$ ssh sshuser@192.0.2.0
[sshuser@192.0.2.0 password: **********
  4. The output on the screen should look something like this:
    ################################################################################
# Attention: Monitoring, Support, etc. #
# This server is a LiquidWeb cPanel instance. #
################################################################################
--------------------------------------------------------------------------------
Software
--------------------------------------------------------------------------------

This server uses the CentOS 7 operating system
[sshuser@host ~]$
  5. Test using su to login to root:
    [sshuser@host ~]$ sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for sshuser: 
[root@host ~]#
  6. Now you can edit the /sshd_config file to disable root login. Change #PermitRootLogin from yes to no and remove the # sign to make it active:
    vim /etc/ssh/sshd_config
LoginGraceTime 1m
PermitRootLogin no
#StrictModes yes
  7. To save all your changes, restart sshd:
    service sshd restart
Was this article helpful?