PermitRootLogin no still allows root login via SSH

April 1, 2019 850 views
Initial Server Setup Ubuntu 18.04

I have updated PermitRootLogin in /etc/ssh/sshd_config to no and issued a service ssh restart (multiple times), and I can still log in via SSH as root using a public key. This should be blocked, correct?

I have read the related Q&As here and various others from a Google search. As far as I can tell I’ve done the right thing, but I can still log in.

    root@infra:~# cat /etc/ssh/sshd_config  | grep PermitRootLogin
    PermitRootLogin no
    # the setting of "PermitRootLogin yes
    root@infra:~#

Restarting ssh returns no errors, etc.

    root@infra:~# service ssh restart
    root@infra:~#

PasswordAuthentication is also set to no (although root never had a password – started with a pub key installation) and for good measure UsePAM is set to no.

Love any suggestions!

2 comments
  • Do you have an ssh key authorising your logins? If so, ssh key auths override the PermitRootLogin function. Try removing /root/.ssh/authorized_keys.

  • I had removed the entire /root/.ssh directory for good measure and root was still able to log in.

    Now whenever I spool up a new server I just do a restart after updating sshd_config and removing /root/.ssh (the whole thing for good measure).

    Once that’s done all is well.

    Really strange.

4 Answers
cmckulka April 6, 2019
Accepted Answer

FYI re. a solution. Restarting the service didn’t cause the new settings to take effect. Rebooting the server did. No idea why that is the case.

OK, even stranger … I delete the .ssh directory from the root user using my sudo user. I can still log in as root on that machine even after a service ssh restart.

Mystified!

For me, I had

    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p

set in my ~/.ssh/config.
Deleting the control path directory fixed the issue.
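
Added example, not part of any answer above: a small triage helper for the two things this thread turns on, what sshd would actually apply from its config files and whether the client is riding on an already-authenticated master socket. It reads the "keyword value" output of `sshd -T` (server, as root) and `ssh -G HOST` (client) on stdin; the function names and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: why "PermitRootLogin no" can appear to be ignored.
# `sshd -T` prints the effective server settings parsed from the files on disk,
# and `ssh -G HOST` prints the effective client settings for HOST. Both emit
# lowercase "keyword value" lines, so one parser serves both.

# Print the value of the first line whose keyword is $1 (stdin: keyword/value lines).
setting() {
    awk -v k="$1" 'tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Server side: succeed only if the effective value is exactly "no".
# Other values (yes, prohibit-password, forced-commands-only) still admit root
# in some form, and a grep of the file can match comments or a shadowed line.
root_login_blocked() {
    [ "$(setting permitrootlogin)" = "no" ]
}

# Client side: succeed if a ControlPath is in effect. When a master socket
# exists at that path, ssh reuses the old authenticated connection, so a
# "successful login" says nothing about the server's current settings.
mux_possible() {
    path=$(setting controlpath)
    [ -n "$path" ] && [ "$path" != "none" ]
}

# Constructed samples (not captured from the machines in this thread).
SAMPLE_SSHD_T='port 22
permitrootlogin no
pubkeyauthentication yes'
SAMPLE_SSH_G='user root
hostname infra
controlmaster auto
controlpath ~/.ssh/sockets/%r@%h-%p'

printf '%s\n' "$SAMPLE_SSHD_T" | root_login_blocked \
    && echo "server: effective config refuses root"
printf '%s\n' "$SAMPLE_SSH_G" | mux_possible \
    && echo "client: may reuse a master socket; retest with -o ControlPath=none"

# Live use:
#   sshd -T | root_login_blocked || echo "root login still permitted"
#   ssh -G root@HOST | mux_possible && echo "multiplexing in effect"
#   ssh -o ControlPath=none root@HOST   # forces a fresh, fully authenticated connection
```

If the fresh connection with `-o ControlPath=none` is refused while the normal `ssh root@HOST` still succeeds, the server is enforcing the setting and the client was reusing an earlier session.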
