Interesting request thanks for this!
However I have no idea how to achieve that. Needs investigation if at least OpenSSH has native support for this or if there are top level tools that run on every login, ask for 2nd authentication and until done reliably block any access.
In that light, is it necessary for the root user to be enabled for SSH?
Nope, you can disable SSH root login:
- On Dropbear open /etc/default/dropbear
and set: DROPBEAR_EXTRA_ARGS="-w"
- On OpenSSH open /etc/ssh/sshd_config
and set: PermitRootLogin no
However I am not convinced by the great advantage of this. If one manages to login into your other user account with sudo permissions, (s)he can do exactly the same damage to your system. So there is no real benefit to prevent root login, besides you disable sudo permissions for all other users.
So from my point of view better go with other ways to enhance SSH security:
- Change external SSH port, only within local network forward it to port 22 of your server. This disables any random brute-force attempts from far east, which from my experience always check port 22.
- Use fail2ban to automatically block external IPs, if they fail to login for several times.
- Switch to key authentication and disable user/password login for SSH. Copy/paste from my own docs:
Code: Select all
SSH key authentication:
PuttyGen: key size 4096
-> PublicKey + PrivateKey
On PuTTY client: Connection/SSH/Auth <- <PrivateKey>
On server: mkdir ~/.ssh && echo '<PublicKey>' > ~/.ssh/authorized_keys
OpenSSH: nano /etc/ssh/sshd_config
PasswordAuthentication no # after test!
Dropbear: nano /etc/default/dropbear
DROPBEAR_EXTRA_ARGS="-s -g" # after test!
# Disable password logins: "-s"
# Disable password logins for root: "-g"
# Disable root logins: "-w"
So no one can login via SSH, besides the user(s) you added the public key to ~/.ssh/authorized_keys
and only if one has your private key client side.
You can even enhance security by adding a pass phrase to the key. So one requires the key but on top a password to unlock it.
The above from my point of view adds a real security enhancement, while only disallowing root login has no impact and even not much without sudo permissions. Even without sudo permissions one can destroy your system, remove much of your data. I mean one can destroy everything that you want to be able to touch when login via SSH and that is usually enough