Hetzner - DokuWiki

SSHd Howto/en


Setting up SSH correctly

Create a user

One of the first things to do with a dedicated server is to disallow the user root login through SSH.

Before doing this however, it is necessary to create an own user in the system, otherwise you won't be able to log in as root nor have any other user to log in as. Create a user with the following command:

useradd -g users -d /home/foobar -s /bin/bash foobar

Here a user by the name of foobar is set up in the user group with bash default shell. The user home directory is in /home/foobar (this directory has to be manually created!) However, the user still does not have a password. The password can be changed with the "passwd" command. As root, the password can also be changed for other users:

passwd foobar

It is important to make sure that the password is at least 8 characters long and comprises upper and lower case letters, figures and special characters.

Now that the user has been created and provided with a (secure) password, it is time to test to see if it is possible to log in. (Anyone who has worked with root should be able to do this.)

root Login block

Once you have been able to log in with the newly created user, root log in can be disallowed.
For this, open the file


with editor and change the line

PermitRootLogin yes


PermitRootLogin no

Now, you only need to reload the SSH Daemon Config:

/etc/init.d/ssh reload

SuSe (10.0) (Thanks to Frank Hoffmann):

/etc/init.d/sshd reload

Afterwards, it should no longer be possible to log in with root.
From now on, simply log in with the created user and log in via the switch user command as root:

su -

Then type in the root password, and finished. :)

Deltaflyer 04:11, 27. Feb 2006 (CET)

Suggestions to: deltaflyer_AT_ki-ba_DOT_net

allow only certain users

Activating certain users explicitly for SSH can help curb a lot of SSH scans. You can add the line:

AllowUsers username1 username2 username3

This simply narrows down the circle of SSH authorized users. The changes become operative with a

/etc/init.d/sshd restart

The same is possible with groups by using AllowGroups in the same way. The best thing to do is to log in to another session at the same time and test to see if everything is working as it should, otherwise it is all too easy to lock yourself out again with a typo in the user name in the configuration file. Then the server will need to be rebooted into the Rescue System to correct the mistake.

--Flo 15:40, 4. Jul 2006 (CEST)

© 2020. Hetzner Online GmbH. Alle Rechte vorbehalten.