Allow UID 0 accounts to log in but not root over SSH


More than once, I've needed root access to a server over SCP.  As we all know, allowing SSH logins as root is a glaring security hole: the username is well known and carries superuser access, so it is the first thing an attacker or script kiddie will try.  If you create another user with user ID 0 and set PermitRootLogin to 'no' in the sshd_config file, that user will still not be able to log in.  PermitRootLogin is enforced on the numeric UID, not the name, so it blocks ANY account whose user ID is 0.  Here is how to get the best of both worlds.

  • openssh 4.x
  • pam_listfile (part of the core PAM modules)
  1. Create a non-root user with user ID number 0 (-o lets useradd assign a UID that is already in use):

    #> useradd -u0 -o testuser
    #> passwd testuser
  2. Create the list of users that will be denied, one username per line. The file must be owned by root and must not be world-writable, or pam_listfile will refuse to use it:
    #> echo "root" >> /etc/ssh/sshd.deny
  3. Now edit the PAM configuration for sshd: /etc/pam.d/sshd on Red Hat/CentOS (Debian-based systems call it /etc/pam.d/ssh). Make a backup of this file first. If you make a mistake, you may not be able to log in as any user, so I also recommend keeping another terminal session open as root before changing it; that gives you a live root session to fix any mistakes. Find a configuration line like the following:
    auth       include      system-auth

    Now add the following pam_listfile line before it. It refuses any login whose username (item=user) appears in the deny file. onerr=succeed means that if the file is missing or unusable the check is skipped and the login proceeds, so the rule fails open; onerr=fail would instead refuse every password login until the file is restored.

    auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/sshd.deny onerr=succeed

    The 'auth' directives in /etc/pam.d/sshd should now look like this:

    auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/sshd.deny onerr=succeed
    auth       include      system-auth
  4. Now allow UID 0 logins in the SSH daemon by setting PermitRootLogin to 'yes' in /etc/ssh/sshd_config. This may already be the default depending on the distribution you use. Make sure UsePAM is also set to 'yes': sshd only consults the PAM auth stack when UsePAM is enabled, and without it the deny list above never runs.
     PermitRootLogin yes

    Save and exit the sshd_config file.

  5. Restart or reload the SSH daemon to apply the changes (run sshd -t first to check sshd_config for syntax errors without touching the running daemon):
    #> service sshd reload
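
As an added example (my own shell, not the article's): steps 2 to 4 above as functions that take the files to edit as arguments, so the change can be rehearsed on copies before /etc is touched. The default paths are the Red Hat/CentOS ones implied by the CentOS session below, and the function names are my own. Step 1 (useradd) and step 5 (reloading sshd) still have to be run by hand as root.

```sh
#!/bin/sh
# Added example, not part of the original article: steps 2 to 4 as shell
# functions that take the files to edit as arguments, so the change can be
# rehearsed on copies before /etc is touched. Defaults are the Red Hat /
# CentOS paths; step 1 (useradd) and step 5 (service sshd reload) still need
# to be run by hand as root. Function names are this example's own.

# The pam_listfile line from step 3, built for whichever deny file is in use.
pam_deny_line() {
    printf 'auth       required     pam_listfile.so item=user sense=deny file=%s onerr=succeed\n' "$1"
}

# Step 2: one username per line. pam_listfile refuses a list that is
# world-writable or not owned by root, so keep the mode tight (ownership
# must be root when this is run for real).
write_deny_list() {
    deny_file=$1; shift
    printf '%s\n' "$@" > "$deny_file"
    chmod 0644 "$deny_file"
}

# Step 3: insert the deny line in front of "auth include system-auth".
# Keeps a backup, is safe to re-run, and refuses to edit a file that has no
# such anchor line instead of guessing where the rule belongs.
add_pam_deny_line() {
    pam_file=$1 deny_line=$2
    if grep -qF "$deny_line" "$pam_file"; then
        return 0
    fi
    if ! grep -Eq '^auth[[:space:]]+include[[:space:]]+system-auth' "$pam_file"; then
        echo "no 'auth include system-auth' line in $pam_file; edit it by hand" >&2
        return 1
    fi
    cp -p "$pam_file" "$pam_file.bak"
    awk -v line="$deny_line" '
        !done && /^auth[ \t]+include[ \t]+system-auth/ { print line; done = 1 }
        { print }
    ' "$pam_file.bak" > "$pam_file"
}

# Step 4: set one sshd_config keyword, replacing an existing (even commented
# out) setting rather than appending a second copy.
set_sshd_option() {
    cfg=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$cfg"; then
        sed -i.bak -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $value|" "$cfg"
    else
        printf '%s %s\n' "$key" "$value" >> "$cfg"
    fi
}

# What pam_listfile (sense=deny) decides for a user, including the onerr
# failure mode: a name in the list is refused, any other name passes, and a
# missing list yields the onerr value, so onerr=succeed lets root in when
# the file is gone while onerr=fail refuses everyone.
pam_listfile_decision() {
    user=$1 deny_file=$2 onerr=${3:-succeed}
    if [ ! -f "$deny_file" ]; then
        if [ "$onerr" = succeed ]; then echo allow; else echo deny; fi
    elif grep -qx "$user" "$deny_file"; then
        echo deny
    else
        echo allow
    fi
}

# Steps 2 to 4 together. UsePAM is forced on because sshd only consults the
# PAM auth stack when it is enabled; with UsePAM no the deny list never runs.
configure_uid0_login() {
    pam_file=${1:-/etc/pam.d/sshd}
    deny_file=${2:-/etc/ssh/sshd.deny}
    sshd_cfg=${3:-/etc/ssh/sshd_config}
    write_deny_list "$deny_file" root
    add_pam_deny_line "$pam_file" "$(pam_deny_line "$deny_file")" || return 1
    set_sshd_option "$sshd_cfg" PermitRootLogin yes
    set_sshd_option "$sshd_cfg" UsePAM yes
}
```

Rehearse it on copies of the three files first; when you are happy, run configure_uid0_login with no arguments as root, then sshd -t and service sshd reload. pam_listfile_decision is only there to show what the rule does with a given name and deny file, including what happens when the file is gone.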

First, test the new UID 0 account:

#> ssh testuser@
testuser@'s password: 
Last login: Fri Apr 15 13:45:38 2011 from
[root@CentOS ~]#

Next, test logging in as root:

#> ssh root@
root@'s password: 
Permission denied, please try again.
root@'s password: 

You can now log in with the non-root user and have root access, while any attempt to log in as root always gets "Permission denied, please try again."  This gives you a root-level login without exposing the well-known superuser account name to password guessing.  Keep the limits of the trick in mind: the new account is still a UID 0 superuser, so guard its name and password as carefully as root's, and the PAM auth stack is only consulted for password and keyboard-interactive authentication, so with PermitRootLogin yes a public key in /root/.ssh/authorized_keys would still let root in.  Moving the pam_listfile line into the account stack, or adding DenyUsers root to sshd_config, closes that gap for every authentication method.  For even better security, look into limiting where particular users can log in from.  This can also be done with PAM, using pam_access and /etc/security/access.conf.