You must create local administrative accounts that can be used as Secure Shell (SSH) and that are members of the secondary wheel group, or both before you remove the root SSH access.

Before you disable direct root access, test that authorized administrators can access SSH by using AllowGroups, and that they can use the wheel group and the su command to log in as root.


  1. Log in as root and run the following commands.
    # useradd username -d /home/vropsuser -g users -G wheel -m 
    # passwd username

    Wheel is the group specified in AllowGroups for SSH access. To add multiple secondary groups, use -G wheel,sshd.

  2. Switch to the user and provide a new password to ensure password complexity checking.
    # su – username
    If the password complexity is met, the password updates. If the password complexity is not met, the password reverts to the original password, and you must rerun the password command.

    After you create the login accounts to allow SSH remote access and use the su command to log in as root using the wheel access, you can remove the root account from the SSH direct login.

  3. To remove direct login to SSH, modify the /etc/ssh/sshd_config file by replacing (#)PermitRootLogin yes with PermitRootLogin no.

What to do next

Disable direct logins as root. By default, the hardened appliances allow direct login to root through the console. After you create administrative accounts for nonrepudiation and test them for wheel access (su - root), disable direct root logins by editing the /etc/securetty file as root and replacing the tty1 entry with console.