How to Disable Root Login Over SSH on Arch Linux
Securing your Linux system is a fundamental task, especially when it comes to remote access. One of the first and most important steps you can take is disabling root login over SSH. Allowing direct root access over SSH introduces a major security risk. If someone gets hold of the root credentials—or brute-forces them—they can gain complete control over your system.
This article provides a comprehensive guide on how to disable root login over SSH on Arch Linux, explains why you should do it, and offers alternatives to maintain system accessibility while improving security.
Why Disable Root Login Over SSH?
Before jumping into the how-to, it’s essential to understand why disabling root SSH login is a best practice:
1. Minimizes Attack Surface
The root account is always present on Unix-like systems and is often targeted by automated brute-force attacks. Disabling SSH access to it ensures attackers can’t directly log in as the superuser.
2. Encourages Principle of Least Privilege
By using a normal user account and escalating privileges only when necessary (e.g., with sudo), you reduce the chances of accidental system-wide damage and tighten control over privileged operations.
3. Improves Auditability
When each user logs in using their own account, it’s easier to track who performed which actions. If everyone logs in as root, the system logs are less informative.
Prerequisites
Before disabling root login over SSH, ensure the following:
- You have a non-root user with sudo privileges already set up.
- You can connect via SSH using that user account.
- You have physical or alternative access to your machine (in case of misconfiguration).
Let’s walk through these steps.
Step 1: Create a Non-Root User (If You Haven’t Already)
If you’re only using the root account, it’s crucial to create a new user with sudo privileges first. You can skip this step if you already have a user like johndoe or admin.
# Create a new user
useradd -m -G wheel -s /bin/bash newuser
# Set a password
passwd newuser
The -G wheel option adds the user to the wheel group, which is used for administrative privileges via sudo.
Now, edit the sudoers file:
EDITOR=nano visudo
Ensure the following line is uncommented:
%wheel ALL=(ALL:ALL) ALL
This allows all users in the wheel group to run any command as any user using sudo.
Step 2: Confirm SSH Access with the New User
Before disabling root login, verify that your new user can successfully log in via SSH.
From your client machine:
ssh newuser@your-server-ip
Once logged in, confirm you can use sudo:
sudo ls /root
If that works, you’re ready to proceed.
Step 3: Disable Root Login in the SSH Configuration
The SSH server on Arch Linux is managed by the sshd service. Its configuration is stored in:
/etc/ssh/sshd_config
Edit the Configuration File
Open the file using a text editor:
sudo nano /etc/ssh/sshd_config
Look for the following directive:
#PermitRootLogin yes
Uncomment it (if commented) and change the value to no:
PermitRootLogin no
Alternatively, you can set it to:
PermitRootLogin prohibit-password
This will allow key-based root login but disallow password authentication. However, for maximum security, we recommend disabling it entirely with no.
Optional: Disable Password Authentication Entirely (For Extra Security)
If you’re using SSH keys for authentication, you can also disable password authentication completely:
PasswordAuthentication no
Note: Don’t do this unless you’re 100% sure your SSH keys are properly configured, or you could lock yourself out.
Save and Exit
After editing, save and exit the file (Ctrl+O, Enter, Ctrl+X in nano).
Step 4: Restart the SSH Daemon
To apply the new configuration, restart the SSH service:
sudo systemctl restart sshd
Optionally, check its status to ensure it restarted correctly:
sudo systemctl status sshd
Look for a green active (running) status and no errors in the logs.
Step 5: Test the New SSH Configuration
Now it’s time to test the changes.
1. Open a New Terminal Window (Keep the Current One Open!)
Open a new terminal or tab and try to SSH as root:
ssh root@your-server-ip
You should see a message like:
Permission denied, please try again.
This means root login has been successfully disabled.
2. Verify Non-Root Login Still Works
Also, check that your regular user can still log in:
ssh newuser@your-server-ip
If this works, your setup is good to go.
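If root can still log in after Step 3, check for an earlier PermitRootLogin line: sshd uses the first value it obtains for each keyword, so a later "PermitRootLogin no" is silently ignored. The script below is an added example, not part of the original article; it reports which line wins in a config file, using two constructed sample files, and assumes Include files and Match blocks are out of scope.

```sh
#!/bin/sh
# Added example: which PermitRootLogin value would sshd actually use?
# sshd_config(5): for each keyword, the first obtained value is used.
# Simplifications (assumptions): Include files are not followed and
# Match blocks are not evaluated; parsing stops at the first Match line.

# effective_value FILE KEYWORD -> prints "<value> <line-number>" or nothing
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]+/)     # keyword/value separator
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit       # end of the global section
            if (key == want) { print tolower(val), NR; exit }
        }
    ' "$1"
}

# root_login_disabled FILE -> exit status 0 only if the winning value is "no"
root_login_disabled() {
    result=$(effective_value "$1" PermitRootLogin)
    case "${result%% *}" in
        no) return 0 ;;
        *)  return 1 ;;  # "yes", "prohibit-password", or unset (built-in default)
    esac
}

# Constructed sample files, for illustration only
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
# shadowed.conf: a leftover "yes" sits above the line added in Step 3
printf '%s\n' 'Port 22' 'PermitRootLogin yes' '#PermitRootLogin prohibit-password' \
    'PasswordAuthentication yes' 'PermitRootLogin no' > "$sample_dir/shadowed.conf"
# fixed.conf: the only active PermitRootLogin line is "no"
printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'PermitRootLogin no' \
    > "$sample_dir/fixed.conf"

for f in shadowed fixed; do
    printf '%s.conf: %s\n' "$f" "$(effective_value "$sample_dir/$f.conf" PermitRootLogin)"
done
```

On the server itself, `sudo sshd -t` checks the file for syntax errors before a restart, and `sudo sshd -T | grep -i permitrootlogin` prints the value the daemon will actually use, included files taken into account.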
Step 6: Secure Your System Further (Optional Enhancements)
Disabling root login is a great start. Here are additional steps you can take to harden SSH access:
Use SSH Key Authentication
Set up SSH keys and disable password authentication:
PasswordAuthentication no
Change Default SSH Port
Edit /etc/ssh/sshd_config:
Port 2222
Make sure to update your firewall accordingly.
Use a Firewall
Install and configure ufw or iptables to only allow trusted IP addresses:
sudo pacman -S ufw
# Allow the SSH port before enabling the firewall so the current session is not cut off
sudo ufw allow 2222/tcp
sudo ufw enable
Install Fail2Ban
Fail2Ban monitors logs and blocks repeated failed login attempts:
sudo pacman -S fail2ban
sudo systemctl enable --now fail2ban
Create a jail file for SSH in /etc/fail2ban/jail.local to define banning rules.
What If You Lock Yourself Out?
If you accidentally misconfigure the SSH service and lose access, here are recovery options:
- Console Access: Use a physical terminal or a virtual console (Ctrl + Alt + F2-F6).
- Arch Live USB: Boot with the Arch ISO, mount your system, and chroot into it to fix /etc/ssh/sshd_config.
- Out-of-Band Access: If hosted on a VPS or cloud platform, use its console or emergency recovery mode.
Conclusion
Disabling root login over SSH is a simple yet powerful step to increase the security of your Arch Linux system. By forcing users to log in with their own accounts and escalate privileges using sudo, you implement the principle of least privilege, enhance auditing, and reduce the attack surface.
Here’s a quick recap of the steps:
- Create a sudo-enabled user.
- Test SSH access with that user.
- Edit /etc/ssh/sshd_config to set PermitRootLogin no.
- Restart the sshd service.
- Test and verify your configuration.
Combined with other hardening techniques like SSH key authentication, port changes, and firewall rules, this measure forms a solid foundation for a secure remote access environment.
Whether you’re managing a single server or a fleet of Arch Linux instances, security should never be an afterthought. And disabling root login over SSH is one of the best places to start.