Ubuntu cloud images (including AWS EC2 instances) come with a hardened SSH configuration that prevents direct root login by default. This security measure is implemented through multiple layers:
# Main SSH daemon configuration
/etc/ssh/sshd_config contains:
PermitRootLogin no
# Cloud-init customization
/usr/share/cloud/cloud.cfg.d/50-curtin-networking.cfg
/usr/share/cloud/cloud.cfg.d/90_dpkg.cfg
The rejection message you're seeing comes from the PAM (Pluggable Authentication Modules) stack. Specifically, it's handled by:
/etc/pam.d/sshd
/etc/security/access.conf
To allow root login (not recommended for production), edit sshd_config:
sudo nano /etc/ssh/sshd_config
# Change to:
PermitRootLogin yes
# Then restart SSH:
sudo systemctl restart ssh
To modify the message, you have two approaches:
Option 1: Modify PAM configuration
sudo nano /etc/security/access.conf
# Add or modify:
-:root:ALL EXCEPT LOCAL
# Custom message would require PAM script modification
Option 2: Use SSH Banner (simpler approach)
sudo nano /etc/ssh/sshd_config
# Add:
Banner /etc/ssh/custom_banner
# Create the banner file:
sudo nano /etc/ssh/custom_banner
# Content example:
WARNING: Unauthorized access prohibited!
# Set permissions:
sudo chmod 644 /etc/ssh/custom_banner
# Restart SSH:
sudo systemctl restart ssh
On cloud instances, these configurations might be reset during instance refresh. To make persistent changes:
# Create cloud-init override:
sudo nano /etc/cloud/cloud.cfg.d/99_ssh.cfg
# Content:
ssh_pwauth: false
disable_root: false
# Prevent cloud-init from overwriting:
sudo touch /etc/cloud/cloud-init.disabled
Ubuntu cloud images (including AWS EC2 instances) come pre-configured with security best practices that include disabling direct root login via SSH. This is enforced through a combination of SSH server configuration and PAM (Pluggable Authentication Modules) settings.
The primary configuration files involved are:
/etc/ssh/sshd_config
/etc/pam.d/sshd
/root/.ssh/authorized_keys
The message you're seeing ("Please login as the ubuntu user rather than root user") is actually generated by a custom PAM module or script. In most Ubuntu cloud images, this is implemented through:
/etc/security/access.conf
/usr/share/ssh/ubuntu-ssh-motd
To enable root login (not recommended for security reasons), you would need to:
# Edit the SSH daemon configuration
sudo nano /etc/ssh/sshd_config
# Change or add these lines:
PermitRootLogin yes
# or for key-based authentication only:
PermitRootLogin prohibit-password
Then restart the SSH service:
sudo systemctl restart sshd
The message is typically controlled by one of these files:
- /etc/issue.net - shown before login
- /etc/motd - shown after login
- A custom PAM script in /etc/pam.d/
For a more technical approach, you can modify the PAM stack:
# Edit the PAM configuration
sudo nano /etc/pam.d/sshd
# Look for lines containing:
auth required pam_access.so
# or
account required pam_access.so
The actual message might be generated by a script in:
/etc/update-motd.d/
To create a custom message for root login attempts, create a new MOTD script:
sudo nano /etc/update-motd.d/99-custom-root-message
#!/bin/sh
[ "$PAM_USER" = "root" ] && echo "Custom message: Root login is restricted on this system"
exit 0
Make it executable:
sudo chmod +x /etc/update-motd.d/99-custom-root-message
For more granular control, you can use Match blocks:
Match User root
ForceCommand echo "Custom security message: Direct root login disabled"
PermitTTY no
Before modifying these settings, consider:
- Using sudo instead of direct root access
- Implementing SSH key authentication
- Setting up jump hosts or bastion servers
- Using SSH certificates instead of keys
For AWS EC2 specifically, you might want to maintain the default Ubuntu user access and configure IAM roles instead of enabling root login.
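As an added example (not code from either answer above, and not from Ubuntu, cloud-init or OpenSSH), here is a bash script that resolves the value sshd will actually apply for a given user and keyword. It follows the two sshd_config(5) rules that most often make edits like the ones in both answers appear to "not take": Ubuntu's sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in is read before the rest of the main file and wins under first-occurrence-wins, and a satisfied Match User block overrides the global value. The config tree it builds is constructed for the demo; the 50-cloud-init.conf drop-in content, the SSH_CONFIG_DIR variable and the limitation to Match User / Match all criteria are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: resolve the effective value of an sshd_config keyword for one
# user, from a config tree, following sshd_config(5):
#   * Include lines are expanded where they sit, so a drop-in pulled in by the
#     "Include /etc/ssh/sshd_config.d/*.conf" line at the top of Ubuntu's
#     sshd_config is read BEFORE the rest of the main file;
#   * outside Match blocks, the first occurrence of a keyword wins;
#   * a satisfied "Match User" block overrides the global value, and among
#     several satisfied blocks the first one that sets the keyword wins.
# Assumptions of this example: only "Match User" and "Match all" criteria are
# modelled (a block with any other criterion is treated as not matching),
# "Keyword=value" syntax is not handled, and a Match block that starts inside
# an included file is not scoped to that file.
set -eu

# Directory that relative Include paths resolve against (/etc/ssh on a real host).
SSH_CONFIG_DIR="${SSH_CONFIG_DIR:-/etc/ssh}"

# expand_includes <file>: print <file> with every Include line replaced by the
# contents of the files its patterns match (recursively).
expand_includes() {
  local file="$1" line pat f
  local -a pats
  while IFS= read -r line || [ -n "$line" ]; do
    if [[ "$line" =~ ^[[:space:]]*[Ii]nclude[[:space:]]+(.+)$ ]]; then
      read -r -a pats <<< "${BASH_REMATCH[1]}"   # split on whitespace, no globbing yet
      for pat in "${pats[@]}"; do
        [[ "$pat" = /* ]] || pat="$SSH_CONFIG_DIR/$pat"
        for f in $pat; do                         # glob expansion happens here
          if [ -f "$f" ]; then expand_includes "$f"; fi
        done
      done
    else
      printf '%s\n' "$line"
    fi
  done < "$file"
}

# effective_option <sshd_config> <user> <keyword>: print the value sshd would
# use (empty if the keyword is never set, i.e. the compiled-in default applies).
effective_option() {
  local cfg="$1" user="$2" key="$3"
  expand_includes "$cfg" | awk -v user="$user" -v key="$key" '
    BEGIN { key = tolower(key) }
    /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
    {
      k = tolower($1)
      val = $0; sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", val)  # rest of line
      if (k == "match") {
        in_match = 1; active = 1
        for (i = 2; i <= NF; i += 2) {            # criteria come as keyword/value pairs
          crit = tolower($i); hit = 0
          if (crit == "all") hit = 1
          else if (crit == "user") {
            n = split($(i + 1), users, ",")
            for (j = 1; j <= n; j++) if (users[j] == user) hit = 1
          }
          if (!hit) active = 0                    # unmatched or unsupported criterion
        }
        next
      }
      if (k != key) next
      if (in_match) { if (active && match_val == "") match_val = val }
      else if (global_val == "") global_val = val
    }
    END { print (match_val != "" ? match_val : global_val) }'
}

# build_demo_config <dir>: write a constructed tree shaped like an Ubuntu cloud
# image's (the drop-in content is an assumption of this example) and print the
# path of the main file.
build_demo_config() {
  local dir="$1"
  mkdir -p "$dir/sshd_config.d"
  printf 'PasswordAuthentication no\n' > "$dir/sshd_config.d/50-cloud-init.conf"
  cat > "$dir/sshd_config" <<'EOF'
Include sshd_config.d/*.conf
PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User root
    PermitRootLogin no
    ForceCommand echo "no root"
EOF
  printf '%s\n' "$dir/sshd_config"
}

# Stand-alone demo on a temporary tree: nothing under /etc is touched.
demo_root=$(mktemp -d)
SSH_CONFIG_DIR="$demo_root"
demo_cfg=$(build_demo_config "$demo_root")
for spec in "root PermitRootLogin" "ubuntu PermitRootLogin" "ubuntu PasswordAuthentication" "root ForceCommand"; do
  set -- $spec
  printf '%-8s %-22s -> %s\n' "$1" "$2" "$(effective_option "$demo_cfg" "$1" "$2")"
done
rm -rf "$demo_root"
```

The demo shows the drop-in's `PasswordAuthentication no` beating the later `yes` in the main file, and the Match block turning `prohibit-password` into `no` for root only. On a real host the authoritative check is `sudo sshd -T -C user=root | grep -i permitrootlogin`, and `sudo sshd -t` validates an edited config before the restart step in either answer, so a typo does not leave the instance without a working SSH daemon.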