PermitRootLogin - sshd_config - Multiple versions, No impact

JStokes · November 17, 2025, 2:27pm

Hi all. Fairly new here. Just setting up Ubuntu Server 24.04 on old HP Desktop.

Trying to disable ssh root login.

-Have been editing “/etc/ssh/sshd_config” file. Have tried setting “PermitRootLogin no” and “PermitRootLogin prohibit-password”, but can still log in as root remotely using ssh.

-There is one file in “/etc/ssh/sshd_config.d/50-cloud-init.conf” and have put an # before “PasswordAuthentication yes” to nullify.

-Have changed “Port 2021” in “/etc/ssh/sshd_config” and it has taken effect Confirming that this file is being used/loaded.

-Have noted that there are many versions of “sshd_config”
/usr/share/openssh/sshd_config (this one has #PermitRootLogin and nothing else suspicious)
/etc/ssh/sshd_config (this is the one I edit)
/snap/core22/2139/etc/ssh/sshd_config (this is immutable)
/snap/core22/2139/usr/share/openssh/sshd_config (this is immutable)

I have restarted ssh and rebooted the server numerous times after the changes.

Current status using: systemctl status ssh.service
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/usr/lib/systemd/system/ssh.service; disabled; preset: enabled)
Active: active (running) since Mon 2025-11-17 14:18:39 UTC; 17s ago
TriggeredBy: ● ssh.socket
Docs: man:sshd(8)
man:sshd_config(5)
Process: 2146 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 2149 (sshd)
Tasks: 1 (limit: 7003)
Memory: 1.2M (peak: 1.3M)
CPU: 48ms
CGroup: /system.slice/ssh.service
└─2149 “sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups”

I’m a little curious about what “man:sshd_config(5)” means in this status report. Does it mean 5 files were used/loaded?

Anyway, my goal is to disable Root User access via ssh - as is recommended for security purposes. I have created another sudo user, also as recommended, and which works fine.

Any suggestions?

Thanks, Jim.

carlin0 · November 17, 2025, 3:29pm

It would be helpful if you posted
cat /etc/ssh/sshd_config
and
cat /etc/ssh/sshd_config.d/50-cloud-init.conf

JStokes · November 17, 2025, 3:32pm

cat sshd_config

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

# When systemd socket activation is used (the default), the socket
# configuration must be re-generated after changing Port, AddressFamily, or
# ListenAddress.
#
# For changes to take effect, run:
#
#   systemctl daemon-reload
#   systemctl restart ssh.socket
#
#Port 22
Port 2021
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin prohibit-password


#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

JStokes · November 17, 2025, 3:34pm

cat 50-cloud-init.conf
#PasswordAuthentication yes

rubi1200 · November 17, 2025, 3:36pm

@JStokes Welcome to Ubuntu Discourse

Please edit your post to wrap terminal/script output with code tags. It makes it much easier to read and analyze for the volunteer helpers.

Highlight the text and then click either </> in the composer or use Ctrl+E on the keyboard.

Thanks

matt-rw · November 17, 2025, 3:45pm

Did you reboot or run systemctl restart ssh? I think the service may need to be nudged to reread the config files.

carlin0 · November 17, 2025, 3:49pm

Edit the file /etc/ssh/sshd_config at line

PermitRootLogin prohibit-password

making it become

PermitRootLogin no

and then run

sudo systemctl restart ssh

ogra · November 17, 2025, 4:04pm

The numbers mark the category of the manpage database, see man man for details on these numbers and what categories they refer to…

JStokes · November 17, 2025, 4:24pm

Logged in as root on the server itself:

Edited “/etc/ssh/sshd_config”

Changed to " PermitRootLogin no"

Ran “sudo systemctl restart ssh”

On other computer, used ssh to log in as root using a password…successfully (which I shouldn’t have been able to do). It’s bizarre.

Thanks for suggesting, Jim.

matt-rw · November 17, 2025, 4:46pm

When you ssh from the other host, using -v with ssh can provide some more info, though I can’t guess what insight it might provide for this problem. I’ve used -v in the past to debug ssh problems.

JStokes · November 17, 2025, 7:39pm

So, I found a solution, but without understanding what was causing the problem.

I did a new and complete installation, overwriting the previous one.

I only did a few things before testing this:

sudo apt update
sudo apt upgrade

tested remote (ssh) login, as root - and it worked, as expected.

added a sudo Group user
tested remote (ssh) login, as user - and it worked, as expected.

Edited: /etc/ssh/sshd_config:
change to: PermitRootLogin no
change to: Port 2201
Edited: /etc/ssh/sshd_config.d/50-cloud-init.conf
change to: #PasswordAuthentication yes

Ran: sudo systemctl restart ssh

tested remote (ssh) login, as root - and I still could, without -p (so the systemctl restart ssh did not work or put the changes I made into effect).

I rebooted the server:

tested remote (ssh) login in as user and had to specify -p 2201 port change, then it worked (so the reboot put my changes into effect).

tested remote (ssh) login as root, specifying port -p 2201. AND I GOT: Permission denied, please try again. (Which is exactly what I was trying to accomplish!!!)

Interestingly, I only found two instances of sshd_config:
/etc/ssh/sshd_config
/usr/share/openssh/sshd_config

So, I have a feeling that the previous install may have created those /snap/ versions when I installed some other software - like Multipass, ufw, unattended upgrades, Apache2. I have no idea whether or not those /snap/ versions were causing the problem. I will likely try most of these installations again, on this trial, and will give an update only if the problem arises again.

Thanks for your help.

Jim.

carlin0 · November 17, 2025, 7:47pm

@JStokes To make the server more secure, disable passwords and use a key