Block root access to ssh

To block root access to ssh, would I edit /etc/ssh/sshd_config and change this line

PermitRootLogin yes

to

PermitRootLogin no

or is more required? And are there any downsides to restricting root access to ssh?


Did you read the man page? It says

Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The default is yes.

If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive authentication are disabled for root.

If this option is set to forced-commands-only, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.

If this option is set to no, root is not allowed to log in.

What is unclear about it? Especially the last line.

Remote maintenance by directly logging into the user “root” will not be possible – SSH networking security topics are here.

  • Remote maintenance will still be possible by using SSH sessions to an administrative user.

Hard-core security is achieved by limiting access to the user “root” to be only from physically sitting at the system’s physical console – no physical access to the system’s console, no possibility to be “root” …
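An added example, not part of the original thread: a check that a given sshd_config really ends up at "PermitRootLogin no". It relies on two sshd_config rules: the first value for a keyword wins, and a Match block can override the global value. The function names and the sample file are constructed for illustration, and Include directives are not followed.

```shell
#!/bin/sh
# Added example; function names are hypothetical helpers, not part of OpenSSH.

# Print "global <value>" for the first PermitRootLogin outside any Match block
# ("unset" if none), and "match <value>" for each one inside a Match block.
root_login_settings() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                  # drop comments
        sub(/^[ \t]+/, "", line)              # drop indentation
        if (line == "") next
        split(line, f, /[ \t=]+/)             # "Keyword value" or "Keyword=value"
        kw = tolower(f[1])                    # keywords are case-insensitive
        val = f[2]; gsub(/"/, "", val)
        if (kw == "match") { in_match = 1; next }
        if (kw != "permitrootlogin") next
        if (in_match) print "match " val
        else if (!have_global) { global = val; have_global = 1 }  # first value wins
    }
    END { print "global " (have_global ? global : "unset") }
    ' "$1"
}

# Succeed only if the file sets "no" globally and no Match block sets anything else.
root_login_blocked() {
    settings=$(root_login_settings "$1") || return 2
    ! printf '%s\n' "$settings" | grep -qv ' no$'
}

# Constructed sample: the second global line is ignored, the Match block is not.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sample sshd_config
permitrootlogin no
PermitRootLogin yes
Match Address 192.0.2.10
    PermitRootLogin forced-commands-only
EOF
    root_login_settings "$cfg"
    root_login_blocked "$cfg" && echo "root blocked" || echo "root still reachable"
    rm -f "$cfg"
}
demo
```

After editing the real file, `sshd -t` checks it for syntax errors before the service is reloaded, and `sshd -T` prints the configuration as sshd itself resolves it.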