Why I cannot log in to a remote server as root

If you’ve tried ssh root@my-server and got a “Permission denied” error, it’s not a bug; it’s a security default. OpenSSH has shipped with root password login disabled since version 7.0 (2015), and most distributions and cloud images go further: they set PermitRootLogin no, leave root without a password at all, or both.

Why Root SSH Login is Disabled

By default, the PermitRootLogin directive in /etc/ssh/sshd_config is prohibit-password (the OpenSSH built-in default) or no (what many distributions and cloud images ship). The two are not the same: prohibit-password refuses password and keyboard-interactive authentication for root but still accepts keys, while no refuses root over SSH entirely, whatever credential is offered. On many images root additionally has no password set, so even PermitRootLogin yes would not let a password login succeed.

The reasoning is straightforward: take away the most-targeted account. The root login name is universal; your administrators’ usernames are not. Scanners that brute-force SSH try root@target first, so denying root password authentication means those guesses cannot succeed no matter how many are made, and an attacker now has to guess a valid username as well as a credential.

The Correct Approach

Login as a standard user first, then escalate:

ssh user@my-server
sudo -i

Or do it in one line if you only need to run a specific command:

ssh -t user@my-server sudo systemctl restart nginx

The -t flag allocates a pseudo-terminal; without it sudo cannot prompt for your password and fails with “a terminal is required to read the password”. If the command needs no password (a NOPASSWD rule in sudoers scoped to that one command), -t can be dropped.

Verifying Your SSH Configuration

Check the settings sshd actually uses. Grepping /etc/ssh/sshd_config alone is misleading: a commented-out line means the compiled-in default applies, not the value shown, and many distributions now load drop-in files from /etc/ssh/sshd_config.d/ through an Include line. sshd -T prints the effective configuration (keywords in lowercase) after all of that has been resolved:

sudo sshd -T | grep -iE '^(permitrootlogin|passwordauthentication|pubkeyauthentication) '

A secure setup has these directives in force (written here as they appear in sshd_config; sshd -T prints them in lowercase):

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

After modifying /etc/ssh/sshd_config, validate the syntax before restarting, and keep your current session open until a fresh login from a second terminal succeeds, so a mistake does not lock you out:

sudo sshd -t
sudo systemctl restart ssh    # Debian/Ubuntu; the unit is called sshd on RHEL, Fedora and Arch
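Because the interesting question is what sshd has actually resolved rather than what one file says, the check is easier to run as a small script over sshd -T output. The following is an added example, not code from the original post: a POSIX sh function that reads "keyword value" lines on stdin, prints every directive weaker than the baseline above, and returns non-zero if any were found. The two samples are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: audit the effective sshd
# configuration ("sshd -T" output) against the baseline above.
# Reads "keyword value" lines on stdin, prints each directive that is
# weaker than the baseline, and returns 1 if any were found.
check_sshd_config() {
    bad=0
    while read -r key value; do
        case "$key" in
            permitrootlogin)
                # "no" is ideal; prohibit-password (older spelling: without-password)
                # still blocks root password guessing, so it passes too.
                case "$value" in
                    no|prohibit-password|without-password) ;;
                    *) printf 'WEAK: %s %s\n' "$key" "$value"; bad=1 ;;
                esac ;;
            # Any of these set to "yes" lets a password be guessed over the network.
            # challengeresponseauthentication is the pre-8.7 name of kbdinteractiveauthentication.
            passwordauthentication|kbdinteractiveauthentication|challengeresponseauthentication|permitemptypasswords)
                [ "$value" = no ] || { printf 'WEAK: %s %s\n' "$key" "$value"; bad=1; } ;;
            pubkeyauthentication)
                [ "$value" = yes ] || { printf 'WEAK: %s %s\n' "$key" "$value"; bad=1; } ;;
        esac
    done
    return "$bad"
}

# Constructed sample of sshd -T output from a host still accepting root
# password logins (not captured from a real system).
WEAK_SAMPLE='port 22
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication no
permitemptypasswords no
pubkeyauthentication yes'

# Constructed sample matching the recommended baseline.
GOOD_SAMPLE='port 22
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
pubkeyauthentication yes'

# Demonstration run on the weak sample; on a real host use:  sudo sshd -T | check_sshd_config
printf '%s\n' "$WEAK_SAMPLE" | check_sshd_config || echo "baseline not met"
```

On a real host pipe sudo sshd -T into check_sshd_config; a non-zero exit makes it usable as a gate in a configuration-management run or a CI job that builds images.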

If You Absolutely Must Enable Root SSH

Some legacy applications or deployment pipelines may demand root SSH access. If you go this route, mitigate the risk:

  1. Allow root with keys only (password authentication stays off):

    PermitRootLogin prohibit-password
    PasswordAuthentication no
    PubkeyAuthentication yes

  2. Restrict root login to specific source addresses with a Match block. Match blocks must go at the end of the file, because every line after a Match belongs to it until the next Match:

    PermitRootLogin no

    Match Address 10.0.0.0/8
        PermitRootLogin prohibit-password

  3. Change the default SSH port (security through obscurity, but it removes most log noise from untargeted scanners):

    Port 2222

  4. Use AllowUsers to explicitly whitelist accounts. Once AllowUsers is set, every user not listed is denied, so root has to appear here as well or it cannot log in regardless of PermitRootLogin:

    AllowUsers deploy monitoring root

  5. Raise the log level to VERBOSE rather than DEBUG (DEBUG is for troubleshooting and floods the log with protocol detail). VERBOSE records the fingerprint of the key that authenticated, which is the only way to tell which of several root keys was used:

    LogLevel VERBOSE

    Then watch root logins as they happen:

    journalctl -u ssh -f | grep root

Audit and Accountability

When users log in as themselves and use sudo, your system logs show exactly who performed privileged actions:

sudo journalctl -t sudo -f

There is no systemd unit called sudo; it logs through syslog with the identifier “sudo”, which -t filters on. Each entry shows who ran what:

user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx

If everyone logs in as root, you lose this accountability entirely. There’s no way to know which team member made which change. One caveat even with sudo: sudo -i logs a single line (COMMAND=/bin/bash, or whatever root’s shell is) and then nothing for the commands typed inside that shell. For routine work run individual commands through sudo; where interactive root shells are unavoidable, the log_input and log_output options in sudoers record the whole session for replay with sudoreplay.
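To make that distinction visible in practice, here is an added example (not code from the original post) that reads sudo lines from journalctl output and reduces them to who did what as root, marking interactive shells where per-command accountability stops and refused attempts by users outside sudoers. The log lines are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: summarize sudo log lines from
# the journal into "who did what as root", and flag full shells, where
# per-command accountability stops (only the shell launch is logged).
# Reads log lines on stdin, writes one line per sudo event:
#   CMD    user command   - a single audited command
#   SHELL  user command   - an interactive root shell (sudo -i, sudo su, sudo bash ...)
#   DENIED user command   - a refused attempt (user not in sudoers)
sudo_audit() {
    awk '
        / sudo\[[0-9]+\]: / && /COMMAND=/ {
            sub(/^.* sudo\[[0-9]+\]: +/, "")      # drop the syslog prefix
            user = $1                              # invoking user is the first field
            cmd = $0; sub(/^.*COMMAND=/, "", cmd)  # everything after COMMAND=
            split(cmd, parts, " "); prog = parts[1]
            if ($0 ~ /NOT in sudoers/) { printf "DENIED %s %s\n", user, cmd; next }
            # shells and su end the audit trail: whatever follows runs unlogged
            if (prog ~ /\/(ba|da|z|k)?sh$/ || prog ~ /\/su$/)
                printf "SHELL %s %s\n", user, cmd
            else
                printf "CMD %s %s\n", user, cmd
        }'
}

# Constructed sample in journalctl's default output format (not from a real host).
SUDO_SAMPLE='Mar 03 10:12:01 web1 sudo[2314]:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 03 10:12:01 web1 sudo[2314]: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Mar 03 10:15:42 web1 sudo[2390]:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 03 10:16:03 web1 sudo[2391]:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/vim /etc/ssh/sshd_config
Mar 03 10:20:00 web1 sudo[2400]:     dave : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/id'

# Demonstration on the sample; on a real host use:  journalctl -t sudo --since today | sudo_audit
printf '%s\n' "$SUDO_SAMPLE" | sudo_audit
```

The SHELL lines are the ones to follow up on: bob’s root shell is a gap in the record that only session logging closes. The pam_unix session lines are skipped because they carry no COMMAND= field.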

SSH Key Setup (Required for 2026)

Password authentication over SSH should be off on anything reachable from a network you don’t control; keys (or SSH certificates) are the baseline. Generate an Ed25519 key with a passphrase and load it into ssh-agent so you type the passphrase once per session. An empty passphrase (-N "") belongs only on automation keys that are locked down with the command= restrictions described below:

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@my-server

Add to ~/.ssh/config for convenience:

Host my-server
    HostName 203.0.113.45
    User deploy
    IdentityFile ~/.ssh/id_ed25519
    Port 22

Then connect without specifying user or port:

ssh my-server

For CI/CD pipelines, don’t forward your agent from the runner (any host you forward to can use the agent to authenticate as you while the session lasts). Give the pipeline its own deploy key and lock it down in authorized_keys with a forced command. If that file is /root/.ssh/authorized_keys, PermitRootLogin must be prohibit-password rather than no, or sshd will refuse every root login, key options notwithstanding:

restrict,command="/usr/bin/deploy.sh" ssh-ed25519 AAAA...

restrict (OpenSSH 7.2 and later) disables port, X11 and agent forwarding, pty allocation and ~/.ssh/rc in one word; the older spelling no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty does the same piecemeal. Add from="10.0.0.0/8" to pin the source address too.

The command= option means sshd runs that script and nothing else for this key, whatever the client asks for, so a stolen key buys an attacker only what the script does. The script therefore has to treat the client’s requested command, which sshd passes in the SSH_ORIGINAL_COMMAND environment variable, as untrusted input: match it against a fixed list of actions and refuse anything else, rather than passing it to a shell.
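What such a script looks like is the part that usually goes wrong, so here is an added example of a forced-command wrapper (not code from the original post). The install path, the allowed actions and /srv/app are hypothetical; the point is that SSH_ORIGINAL_COMMAND is only ever compared against literal strings, so shell metacharacters in a request cannot reach a shell.

```shell
#!/bin/sh
# Added example, not from the original post: a forced-command wrapper for a
# restricted deploy key. The path and actions are hypothetical; install it as
# the command= target, e.g.
#   restrict,command="/usr/local/bin/deploy-wrapper.sh" ssh-ed25519 AAAA...
# sshd ignores what the client asked to run and starts this script instead,
# passing the client's request in SSH_ORIGINAL_COMMAND. That string is
# attacker-controlled once the key leaks, so it is matched against a fixed
# allow-list and never handed to a shell.

# Map a requested command to an allow-listed action. Prints the action and
# returns 0 on a match; prints nothing and returns 1 for anything else.
deploy_allowed_action() {
    case "$1" in
        'restart nginx') printf '%s\n' 'systemctl restart nginx' ;;
        'reload nginx')  printf '%s\n' 'systemctl reload nginx' ;;
        'pull')          printf '%s\n' 'git -C /srv/app pull --ff-only' ;;
        *)               return 1 ;;
    esac
}

# Entry point when sshd runs the wrapper: log the decision, then exec the
# action. The action string is our own literal, never client input, so
# word-splitting it is safe.
deploy_main() {
    req=${SSH_ORIGINAL_COMMAND-}
    peer=${SSH_CONNECTION-unknown}
    if action=$(deploy_allowed_action "$req"); then
        logger -t deploy-key -p auth.info "allowed '$req' from $peer"
        exec $action
    fi
    logger -t deploy-key -p auth.warning "denied '$req' from $peer"
    printf 'deploy-key: command not permitted\n' >&2
    exit 1
}

# Only dispatch when invoked by sshd (the variable is set for forced commands);
# sourcing the file leaves the functions defined without running anything.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    deploy_main
fi
```

From the pipeline side the call is simply ssh deploy-host 'restart nginx'; a request such as 'restart nginx; id' falls through to the default branch, is logged with the peer address, and exits 1 without executing anything. Keep the wrapper root-owned and not writable by the deploy key’s user, since a key that can edit its own forced command has no restriction at all.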

Troubleshooting Common Issues

“username is not in the sudoers file” — the user has no sudo rights. From an account that already has them (or from the console as root), add the user to the admin group, which is sudo on Debian/Ubuntu and wheel on RHEL, Fedora and Arch; the new membership takes effect at the user’s next login:

sudo usermod -aG sudo username

“sudo: command not found” — sudo isn’t installed (minimal Debian installs omit it). Become root some other way, on the console or with su -, then install it and grant the user access:

su -
apt install sudo
usermod -aG sudo username

“Permission denied (publickey)” — run the client with ssh -v to see which keys it offered, then verify on the server that the matching public key is present:

cat ~/.ssh/authorized_keys

And that permissions satisfy sshd’s StrictModes check (the home directory itself must not be group- or world-writable either):

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

The server-side reason for a refusal is in the auth log: sudo journalctl -u ssh -n 50
