I am asking here as i do not want to get locked out of my server.
I do not want to allow root login to ssh, however if a user enters a "su" command i want them to be able to become root. So do i include root on the "AllowUsers" part of sshd_config?
2 Answers
AllowUsers in sshd_config only controls who can log in via ssh, not what they can do once they are logged in. su and sudo (et al) will still continue to function as you would expect.
You probably also want to look at the PermitRootLogin directive.
You could also disable root logins with a password, but still allow it with public keys. And for other users who can login with a password, you can limit it to a specific list of users.
# Allow only root, and 2 other users
AllowUsers root user1 user4
# But root cannot use password and must have a key for SSH instead
PermitRootLogin prohibit-password
# Other users can use a password. This is the default:
#PasswordAuthentication yes
