Thu Kha Kyawe

7. Secure Root SSH Access

Lab Information

Following security audits, the xFusionCorp Industries security team has rolled out new protocols, including the restriction of direct root SSH login.

Your task is to disable direct SSH root login on all app servers within the Stratos Datacenter.

Lab Solutions

🧭 Part 1: Lab Step-by-Step Guidelines (Automated Method)

🔹 Step 1: Log in to Jump Host
ssh thor@jump_host.stratos.xfusioncorp.com

Password:

mjolnir123

🔹 Step 2: Disable Root Login on All App Servers Using One Loop

for entry in \
"tony@stapp01.stratos.xfusioncorp.com" \
"steve@stapp02.stratos.xfusioncorp.com" \
"banner@stapp03.stratos.xfusioncorp.com"
do
  ssh -t "$entry" "sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && sudo systemctl restart sshd"
done

You will:

Enter SSH password

Enter sudo password

Repeat for each server automatically

🔹 Step 3: Verify Configuration on All Servers

for entry in \
"tony@stapp01.stratos.xfusioncorp.com" \
"steve@stapp02.stratos.xfusioncorp.com" \
"banner@stapp03.stratos.xfusioncorp.com"
do
  ssh -t "$entry" "sudo grep PermitRootLogin /etc/ssh/sshd_config"
done

Expected output (three times):

PermitRootLogin no

✅ Final Checklist

✔ Completed on all three app servers
✔ /etc/ssh/sshd_config modified
✔ PermitRootLogin no present
✔ SSH service restarted
✔ Verified using sudo

🧠 Part 2: Simple Step-by-Step Explanation (Beginner Friendly)

🔹 What was the goal?

Prevent users from logging in directly as:

root

via SSH.

This is a major security best practice.

🔹 Why use a loop?

Instead of:

SSH into server 1

Edit file

Restart service

Repeat three times

We use a loop to run the same command on all servers automatically.

🔹 Why ssh -t?

sudo needs a terminal to prompt for a password.

Without -t, ssh does not allocate a terminal for a remote command, so it runs in non-interactive mode and sudo fails.

-t forces a pseudo-terminal so sudo works correctly.

🔹 What does the sed command do?
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/'

It:

Finds every line that starts with PermitRootLogin

Whether commented out with a leading # or not

Replaces it with:

PermitRootLogin no

This avoids manual editing with vi.

🔹 Why restart sshd?

The SSH daemon must reload configuration to apply changes.

Without restart, the new setting will not take effect.

🔹 Why use sudo in verification?

The file:

/etc/ssh/sshd_config

is readable only by root.

So we must use:

sudo grep

to confirm the setting.
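
The sed one-liner only rewrites lines that begin with PermitRootLogin or #PermitRootLogin, and grep shows text rather than the value sshd applies. The shell functions below are an added example, not part of the original lab solution; they go beyond the lab's case by handling a missing directive, a "# " comment and an indented Match override. Function names and the sample config are constructed.

```shell
# Added example. Function names and the sample config are constructed.

# Value sshd would apply globally: keywords are case-insensitive and the
# first active occurrence wins; lines after a Match header are conditional.
effective_root_login() {
  awk '
    tolower($1) == "match" { exit }
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# Rewrite every active PermitRootLogin line (any indentation) to "no" and,
# if no global one exists, insert it before the first Match block (or at EOF).
harden_root_login() {
  tmp=$(mktemp) || return 1
  awk '
    function emit_default() { if (!global_set) { print "PermitRootLogin no"; global_set = 1 } }
    tolower($1) == "match" { emit_default(); in_match = 1 }
    tolower($1) == "permitrootlogin" {
      indent = $0; sub(/[^ \t].*$/, "", indent)
      print indent "PermitRootLogin no"
      if (!in_match) global_set = 1
      next
    }
    { print }
    END { emit_default() }
  ' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
  # On a real host, validate "$tmp" with `sshd -t -f "$tmp"` before this step.
  cat "$tmp" > "$1" && rm -f "$tmp"   # cat keeps the file mode and owner
}

# Constructed sample: the directive exists only as a "# " comment and as an
# indented Match override, so the page's one-line sed would change nothing.
write_sample_config() {
  cat > "$1" <<'EOF'
Port 22
# PermitRootLogin prohibit-password
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF
}

demo=$(mktemp) && write_sample_config "$demo"
echo "before: $(effective_root_login "$demo")"
harden_root_login "$demo"
echo "after:  $(effective_root_login "$demo")"
rm -f "$demo"
```

On a live server, sudo sshd -T | grep -i permitrootlogin prints the effective value after any included files are resolved.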

πŸ” Real-World Context

In production environments:

Direct root login is almost always disabled

Administrators log in as normal users

Privileges are escalated using sudo

Changes are usually automated (Ansible, scripts, etc.)

You just performed enterprise-style remote hardening using automation.


Resources & Next Steps
📦 Full Code Repository: KodeKloud Learning Labs
📖 More Deep Dives: Whispering Cloud Insights - Read other technical articles
💬 Join Discussion: DEV Community - Share your thoughts and questions
💼 Let's Connect: LinkedIn - I'd love to connect with you

Credits
• All labs are from: KodeKloud
• I sincerely appreciate your provision of these valuable resources.