Code Scraps: Allow root to login via SSH

Most modern Linux systems will prevent the root user from logging in remotely via SSH. This is a very good security practice and you should avoid altering this as it greatly weakens your Linux system security.

However, for my own personal home network, I often log in as root on an internal file server in the house to download and move files around. The server itself is only accessible within the home network and only responds to SSH locally, and does not have any firewall mappings in place from the router to communicate to the outside world. Furthermore, I’ve taken steps on the firewall to isolate the machine from the outside world.

I am willing to risk the reduction in security in this instance as I am comfortable I have taken sufficient steps to prevent the likelihood of attack.

Enable remote root login

First of all, go see my basic guide on iptables, and make sure your Linux machine has SSH rules (ideally limiting access to the local network only). If you plan on connecting to the Linux machine over the Internet, I must really stress that you should never, EVER allow root to log in remotely, as this is usually one of the first things a port scanning bot or a hacker will try, and doing this will greatly reduce your machine’s security.

Secondly, edit the SSH config (using the Nano editor in this instance):

~# sudo nano /etc/ssh/sshd_config

Find the line (usually about half way down the file) that reads:

PermitRootLogin without-password

Replace the line with:

PermitRootLogin yes

Press ‘CTRL+X’ then ‘Y’ to close and save, then restart the SSH service:

~# sudo /etc/init.d/ssh restart

Now you should be able to log in with the root user and password remotely.
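To check what an sshd_config file permits after an edit like this one, the following added example (not part of the original post) reports the global PermitRootLogin value and any Match-block overrides. The function names and the sample config with its 192.168.1.0/24 range are constructed for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Added example: summarise where an sshd_config file lets root log in.
# Assumes a single file (Include not followed); on a live host `sshd -T`
# prints the effective settings instead.

# root_login_policy FILE -> "global=<v>" plus "match[<criteria>]=<v>" lines
root_login_policy() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        {
            # sshd also accepts "Keyword=value"; normalise it to a space
            if (tolower($0) ~ /^[ \t]*permitrootlogin[ \t]*=/)
                sub(/[ \t]*=[ \t]*/, " ")
            key = tolower($1)
            if (key == "match") {                    # conditional block starts
                $1 = ""; sub(/^ +/, ""); scope = $0
                next
            }
            if (key != "permitrootlogin") next
            val = tolower($2)
            if (scope == "") {
                if (global == "") global = val       # first value read wins
            } else if (!(scope in ovr)) {
                ovr[scope] = val; order[++n] = scope
            }
        }
        END {
            # Unset means the current OpenSSH default, prohibit-password
            print "global=" (global == "" ? "prohibit-password" : global)
            for (i = 1; i <= n; i++)
                print "match[" order[i] "]=" ovr[order[i]]
        }' "$1"
}

# root_login_risk FILE -> 0: no root password login, 1: allowed by at
# least one Match block, 2: allowed globally (the setting this page applies)
root_login_risk() {
    policy=$(root_login_policy "$1")
    case "$policy" in global=yes*) return 2 ;; esac
    printf '%s\n' "$policy" | grep -q '^match\[.*]=yes$' && return 1
    return 0
}

# Constructed sample: root refused globally, password login from one LAN range
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'PermitRootLogin yes' \
    'Match Address 192.168.1.0/24' '    PermitRootLogin yes' > "$sample"
root_login_policy "$sample"
```

The second global line in the sample is ignored because sshd keeps the first value it reads for a keyword, while a Match block overrides the global value for connections that meet its criteria.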

Final note

You shouldn’t ever need to give remote access to the root user and should make a habit of avoiding doing so at all costs. In commercial environments this is a dangerous idea that should always be actively prevented. If you do feel the need to grant remote access to root, do it with extreme caution: make sure the system is as secure as you can make it, and only then consider granting remote access. I would also highly recommend the use of certificate-based login instead of password login.

Always make sure root has a password too. Use the following command to set the password for root (from a sudoer account):

~# sudo passwd root

Always remember that you’re not the only one trying to access your computer. Hackers and automated crawlers are always looking for vulnerable systems and will always try the obvious attacks first.
