You must create local administrative accounts that can be used as Secure Shell (SSH) and that are members of the secondary wheel group, or both before you remove the root SSH access.
Before you deactivate direct root access, test that authorized administrators can access SSH by using AllowGroups, and that they can use the wheel group and the su command to log in as root.
Procedure
What to do next
Deactivate direct logins as root. By default, the hardened appliances allow direct login to root through the console. After you create administrative accounts for nonrepudiation and test them for wheel access (su - root), deactivate direct root logins by editing the /etc/securetty file as root and replacing the tty1
entry with console
.