If you want to ban direct SSH root login on Debian, you need at least one additional user who can log on to the server, in addition to the root user. Use this user to change to the root account.

ATTENTION: If you have not created another user, you lock yourself out of the system!

PermitRootLogin no

Edit the / etc / ssh / sshd_config file and set

PermitRootLogin yes


PermitRootLogin no

Then, restart the SSH service

/etc/init.d/ssh restart (alternative: service ssh restart)

Now, user root is no longer allowed to log on directly to the system. You log on as normal to a user and then change with


in the root account.


The AllowGroups parameter also allows you to restrict which users are permitted to log in via SSH.

Excerpt from man sshd_configthis:


This keyword can be followed by a list of group namesPatterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary grouplist matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow / deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

To create a group named sshusers and add a user to this group, run the following commands as root user:

addgroup --system sshusers
adduser xyz sshusers

Then configure the following options in / etc / ssh / sshd_config:

LoginGraceTime 30
AllowGroups sshusers
PermitRootLogin no
StrictModes yes

Then, restart the SSH service

/etc/init.d/ssh restart

Further protection of the SSH server

For more information about securing an SSH server, see the following articles:

Categories: Tutorials


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: