Disable local root login, permit root login over ssh

Solution 1:

Yes.

  1. Create an SSH key for root & add the public half to ~/root/.ssh/authorized_keys.
  2. Edit /etc/ssh/sshd.conf - Set PermitRootLogin to without-password
  3. Restart sshd
  4. TEST IT -- Make sure you can log in as root over SSH using the key.
    • TEST SINGLE USER MODE - Make sure it doesn't ask for root's password (Once you complete step 5 root will no longer be able to log in using a password, and breaking single-user mode can be a Bad Thing)
  5. Lock out root's login password (replace the password field in /etc/shadow with *, x, etc.)

Notes:

  1. Your machine can still be rooted by anyone who can walk up to the console (because single-user mode won't ask for a password), but your machine will go down when they try it so you'll theoretically know.
    • If you configure single-user mode to require a password the only way to perform recovery work on your system is to use a recovery CD, and you're in the same security boat as above, but now the hacker is annoyed.
  2. Your machine's network profile is now only as secure as root's SSH key, so make sure to set a good passphrase & keep the key in a secure place.
  3. If you lose the SSH key the only way to get back in to the system as root is to reboot in single-user mode (or hack your own box).

An alternate configuration is also possible where a separate sshd that listens for root logins is only available on localhost & you use agent forwarding to log in as root. I know at least one major corporation that has that configuration, and it adds one more layer of security (and complexity).

Solution 2:

Disabling local root login is a bad idea. The access may be necessary in system crash situations. According to the NSA RHEL 5 security guide, 2.3.1.1 Restrict Root Logins to System Console:

Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and use su or sudo to execute privileged commands. Discouraging administrators from accessing the root account directly ensures an audit trail in organizations with multiple administrators. Locking down the channels through which root can connect directly reduces opportunities for password-guessing against the root account.

(...)

Root should also be prohibited from connecting via network protocols.

Disabling root login from local console can be done by removing lines tty1 tty2 tty3 tty4 tty5 tty6 tty7 tty8 tty9 tty10 tty11 from /etc/securetty.
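
A read-only check for the state the two answers describe, added here as an example and not taken from either answer: it reads an sshd config, a shadow file and a securetty file, then reports whether root is key-only over SSH, whether root's password field is locked, and how many console ttys are still listed. The function names, the sample files and the acceptance of `prohibit-password` (the newer OpenSSH spelling of `without-password`) are assumptions of this example; it does not evaluate `Match` blocks or `Include` directives.

```shell
#!/bin/sh
# Added example: read-only audit of the state described above. Paths are
# arguments so it can run against copies of the real files.

# Print PermitRootLogin from an sshd config file. sshd keeps the first value
# it reads for a keyword; Match blocks and Include are not handled here.
root_login_mode() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Succeed if root's field in a shadow-format file cannot match any password
# (starts with * or !, or is the bare x the answer mentions).
root_password_locked() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        '*'*|'!'*|x) return 0 ;;
        *) return 1 ;;
    esac
}

# Count virtual console entries (tty1, tty2, ...) in a securetty-format file.
console_ttys_allowed() {
    grep -c '^tty[0-9][0-9]*$' "$1" || true
}

# Return 0 only when root is key-only over SSH and has no usable password.
audit_root_access() {
    sshd_cfg=$1 shadow=$2 securetty=$3 status=0
    mode=$(root_login_mode "$sshd_cfg")
    case "$mode" in
        without-password|prohibit-password) echo "OK   sshd: root is key-only ($mode)" ;;
        *) echo "FAIL sshd: PermitRootLogin is $mode"; status=1 ;;
    esac
    if root_password_locked "$shadow"; then
        echo "OK   shadow: root password is locked"
    else
        echo "FAIL shadow: root has a usable or empty password field"; status=1
    fi
    echo "INFO securetty: $(console_ttys_allowed "$securetty") console ttys listed"
    return "$status"
}

# Constructed sample files (not from a real host) so the audit runs offline.
demo_dir=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin without-password' > "$demo_dir/sshd_config"
printf '%s\n' 'root:*:19000:0:99999:7:::' > "$demo_dir/shadow"
printf '%s\n' console tty1 tty2 ttyS0 > "$demo_dir/securetty"
audit_root_access "$demo_dir/sshd_config" "$demo_dir/shadow" "$demo_dir/securetty"
```

On a live host, `sshd -T` prints the effective configuration with `Match` and `Include` applied, which is the authoritative source for the first check.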