Overview

By default, Ubuntu disables direct SSH login as root for security reasons. In most cases you should log in as a normal user and use sudo, but if you must enable root SSH access, follow the steps below carefully.


1. Security Warning

Enabling root SSH login increases risk:

  • Attackers commonly brute-force the root account on any open SSH port.
  • If they succeed, they gain full control of the server.

To reduce risk, you should:

  • Use a very strong, unique root password if you enable password login.
  • Prefer SSH key authentication and disable root password login where possible.
  • Restrict SSH to trusted IPs via firewall (e.g. ufw) or cloud firewall/security groups.

2. Prerequisites

Before you start, ensure:

  • You can log in via SSH as a non-root sudo user (e.g. ubuntu or another admin user).
  • You have shell access to edit /etc/ssh/sshd_config and restart the SSH service.

If anything goes wrong, you can still log in with your normal sudo user and revert the changes.


3. Set or Enable the Root Password

On Ubuntu, the root account exists but usually has no password set. You need to assign one before logging in directly as root.

  1. SSH to the server as your sudo user:
    ssh ubuntu@your-server-ip
  2. Set a password for root:
    sudo passwd root
    Enter a strong password when prompted, then confirm it.

This activates the root account with the password you chose.


4. Edit the SSH Configuration

The SSH server configuration is stored in /etc/ssh/sshd_config.

  1. Open the file with your preferred editor:
    sudo nano /etc/ssh/sshd_config
  2. Find the PermitRootLogin line. It is often commented out and set to prohibit-password by default:
    #PermitRootLogin prohibit-password

5. Option A – Root Login with Password (Not Recommended)

Use this only if you absolutely need password access and cannot use SSH keys.

  1. Change the line to:
    PermitRootLogin yes
  2. Ensure password authentication is allowed. Confirm or uncomment:
    PasswordAuthentication yes
  3. Save and close the file.

Security note: This is the least secure option because bots will actively try to guess the root password.


6. Option B – Root Login with SSH Key Only (Recommended)

This option allows root login only when using an authorized SSH key, blocking password attempts for root.

  1. In /etc/ssh/sshd_config, set:
    PermitRootLogin prohibit-password
  2. Ensure key authentication is enabled:
    PubkeyAuthentication yes
  3. Copy your public SSH key to root's account:
    sudo mkdir -p /root/.ssh
    sudo chmod 700 /root/.ssh
    sudo nano /root/.ssh/authorized_keys
    Paste your public key, save and exit.
  4. Set correct permissions:
    sudo chmod 600 /root/.ssh/authorized_keys

Root can now log in only with that SSH key, not with a password.


7. Restart the SSH Service

After updating the configuration, restart SSH to apply the changes:

sudo systemctl restart ssh

If the command returns without error, the SSH daemon has restarted with the new settings.


8. Test Root SSH Login

Always test in a new SSH session before closing your existing one, so you do not lock yourself out.

  • If you enabled password login:
    ssh root@your-server-ip
  • If you enabled key-only login:
    ssh -i /path/to/your/private/key root@your-server-ip

Once you have confirmed that root access works, you can safely close your original session.
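
To confirm what sshd will actually enforce after the edits in steps 4 to 7, the following added example (not part of the original article) classifies root's login posture from the output of `sshd -T`, which reflects included drop-in files as well as the main sshd_config. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how root may log in, reading `sshd -T` on stdin.
# `sshd -T` prints the effective settings; sshd keeps the first value it sees
# for a keyword, so an included file can override an edit made lower down.

root_login_posture() {
    awk '
        { v[tolower($1)] = tolower($2) }
        END {
            prl = v["permitrootlogin"]
            # challengeresponseauthentication: older kbd-interactive keyword.
            pw = (v["passwordauthentication"] == "yes" ||
                  v["kbdinteractiveauthentication"] == "yes" ||
                  v["challengeresponseauthentication"] == "yes")
            # prohibit-password may be reported as its alias without-password.
            if (prl == "no") print "disabled"
            else if (prl == "forced-commands-only") print prl
            else if (prl == "prohibit-password" || prl == "without-password") print "key-only"
            else if (prl == "yes") print (pw ? "password" : "key-only")
            else print "unknown"
        }'
}

# Succeeds only when the effective posture equals the intended one ($1).
# On the server: sudo sshd -t && sudo sshd -T | check_root_login key-only
check_root_login() {
    got=$(root_login_posture)
    if [ "$got" = "$1" ]; then
        echo "OK: root login is '$got'"
    else
        echo "MISMATCH: wanted '$1', effective config gives '$got'" >&2
        return 1
    fi
}

# Constructed samples of `sshd -T` output (not captured from a real host).
SAMPLE_A='permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication no'
SAMPLE_B='permitrootlogin without-password
passwordauthentication yes
kbdinteractiveauthentication no'
# Option A edited into the main file while a drop-in disables passwords:
SAMPLE_DROPIN='permitrootlogin yes
passwordauthentication no
kbdinteractiveauthentication no'
printf '%s\n' "$SAMPLE_A" | check_root_login password
printf '%s\n' "$SAMPLE_B" | check_root_login key-only
printf '%s\n' "$SAMPLE_DROPIN" | root_login_posture
```

Running `sudo sshd -t` first validates the syntax of the edited file, so a typo is caught before `systemctl restart ssh` rather than after.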


9. Hardening Recommendations

Because root SSH login is inherently risky, consider these additional hardening steps:

  • Restrict SSH to specific IP addresses via firewall rules or AllowUsers / AllowGroups in sshd_config.
  • Change the default SSH port from 22 to a non-standard port (e.g. Port 2222) in /etc/ssh/sshd_config.
  • Install and configure fail2ban to block repeated failed login attempts.
  • Revert to a sudo-based workflow and disable root SSH login once initial maintenance is complete.