You must create local administrative accounts that can be used as Secure Shell (SSH) and that are members of the secondary wheel group, or both before you remove the root SSH access.
Before you disable direct root access, test that authorized administrators can access SSH by using AllowGroups, and that they can use the wheel group and the su command to log in as root.
- Log in as root and run the following commands.
# useradd -d /home/vropsuser -g users -G wheel –m # passwd username
Wheel is the group specified in AllowGroups for SSH access. To add multiple secondary groups, use
- Switch to the user and provide a new password to ensure password complexity checking.
# su – username username@hostname:~>passwd
If the password complexity is met, the password updates. If the password complexity is not met, the password reverts to the original password, and you must rerun the password command.
After you create the login accounts to allow SSH remote access and use the su command to log in as root using the wheel access, you can remove the root account from the SSH direct login.
- To remove direct login to SSH, modify the /etc/ssh/sshd_config file by replacing
What to do next
Disable direct logins as root. By default, the hardened appliances allow direct login to root through the console. After you create administrative accounts for nonrepudiation and test them for wheel access (su-root), disable direct root logins by editing the /etc/securetty file as root and replacing the
tty1 entry with