50

I'm using the default installation of openssh-server for my Ubuntu 14.04 server. I can connect through the console as root like normal, with my username and password. When I try to SSH with the same username/password, however, I repeatedly get Access Denied errors. /var/log/auth.log reports Failed password for root from <ip address> port <port> ssh2, but I'm entering the correct password.

Why can't I connect to the server via SSH, even though the username and password ARE correct?

vaindil

3 Answers

104

The default setting in Debian (and hence Ubuntu) for OpenSSH Server is to deny password-based login for root and allow only key-based login. Change this line in /etc/ssh/sshd_config:

PermitRootLogin without-password

to

PermitRootLogin yes

And restart the SSH server:

sudo service ssh restart
muru
  • Aha, that did it! Thank you, I greatly appreciate it! – vaindil Aug 15 '14 at 16:35
  • 2
    @Vaindil But really, as gregory.0xf0 says, if you must log in remotely as root, it's much better to use key-based instead of password-based authentication. – Eliah Kagan Aug 16 '14 at 02:16
  • @Vaindil I second EliahKagan and gregory.0xf0 that key-based authentication is superior to password based. Switch to it if you can. – muru Aug 16 '14 at 03:39
  • It is, by the way, bad practice to allow root login anyways via SSH or via the GUI, you should only ever need root login in cases where sudo is disabled. – Thomas Ward Aug 16 '14 at 21:27
  • 1
    If it's still not working, please try setting a password for root. For me that helps: sudo passwd root – kkochanski Jul 01 '17 at 20:37
  • Yes, I completely agree with the posts above: it would be better to log in to a user account once with a password to do a ssh-copy-id to set up keys. Then use ssh to the user account followed by sudo. If you really want to log in as root, you should set up keys. – Martin W Apr 10 '18 at 19:08
  • You might need to uncomment the line, by removing the #, if needed. – Bebs Aug 31 '20 at 08:20
  • This is decidedly weird: one of my other top answers is essentially this, posted a month before this one: https://askubuntu.com/a/497898/158442 I guess they were so similar, I never remembered I had two different posts for the same thing. – muru Aug 31 '20 at 08:36
  • Why oh why do the logs not show this at all? Neither the SSHD log nor auth.log mentions that; they falsely claim that the password is not correct. This is super important, logs need to show a reason for a failure CLEARLY and unambiguously. – Markus Bawidamann Oct 21 '20 at 02:09
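Because auth.log reports only "Failed password" in this situation, the configuration itself is the place to check. The following is an added example, not part of the original answers and not OpenSSH code: a small audit sketch that reads sshd_config text and reports whether root password login is effectively enabled. The function names, the sample configs and the assumed built-in defaults are illustrative, and Match blocks and Include files are not evaluated.

```python
# Added example: a config audit sketch, not OpenSSH's own parser.
# Assumed built-in defaults (OpenSSH 7.0 and later); older releases defaulted
# PermitRootLogin to "yes" when the line was absent.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}

def effective_settings(config_text, defaults=DEFAULTS):
    """Global-section values; sshd keeps the first value seen for a keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # commented-out directives have no effect
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        if parts[0].lower() == "match":
            break                         # conditional blocks are not evaluated here
        if len(parts) >= 2:
            seen.setdefault(parts[0].lower(), parts[1].lower())
    return {**defaults, **seen}

def root_password_login_allowed(config_text, defaults=DEFAULTS):
    s = effective_settings(config_text, defaults)
    root = s["permitrootlogin"]
    if root == "without-password":        # older spelling of prohibit-password
        root = "prohibit-password"
    return root == "yes" and s["passwordauthentication"] == "yes"

# Constructed sample configs mirroring the cases discussed on this page.
SAMPLES = {
    "shipped 14.04 line": "PermitRootLogin without-password\n",
    "first answer": "PermitRootLogin yes\n",
    "still commented": "#PermitRootLogin yes\nPasswordAuthentication yes\n",
    "18.04 half-changed": "PermitRootLogin yes\nPasswordAuthentication no\n",
    "duplicate, first wins": "PermitRootLogin prohibit-password\nPermitRootLogin yes\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {root_password_login_allowed(text)}")
```

On a live host, `sudo sshd -T` prints the configuration the daemon actually uses, including defaults, and is the authoritative check.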
7

For me, changing the following worked (Ubuntu 18.04):

  • sudo nano /etc/ssh/sshd_config

  • PermitRootLogin prohibit-password to PermitRootLogin yes
  • PasswordAuthentication no to PasswordAuthentication yes

then, restart ssh service:

  • sudo service ssh restart

Thanks!

  • you can add to your answer: some default installations require changing root password for ssh as root directly, as is the case of Kali Rpi. – charles Jul 30 '20 at 22:18
2

Hackers will bang away with root user trying to brute force their way in. If you are going to allow root logins, you should definitely install Fail2Ban, or something similar to protect against brute force attacks. Also use a very hard to guess password without the use of common words.

And, as Vaindil pointed out, a key-based login would be far superior. They are not very hard to set up. Here's a link to set up key-based login using PuTTY on Windows: https://devops.profitbricks.com/tutorials/use-ssh-keys-with-putty-on-windows/ . But there are lots of others if you are using a different environment to log in from.