How to disable root Login in Linux

Linux TutorialBy: Nisal N / 30 June, 2021

When we talk about the root account in Linux, it is the administrator account of the Linux operating system. It implies that it has overall control over all the commands and files on the system along with their permissions. The permissions are inclusive of reading, writing, deleting or creating. In this tutorial, we will go through the steps on how to disable root login to the Linux server.

We will go through several methods through which you can disable root access to your Linux system.

Hamper the SSH root login
Alter the root user’s shell
Disable the root login through usermod command
Disable the root login through passwd command

Let's get started.

Hamper the SSH root login

In Linux, you have the option to disable access of the route user through SSH servers. All you have to do is edit some parameters in the mentioned file:

etc/ssh/sshd_config

You can disable root login from this file. Once you have edited the configuration file, you will no longer be able to access the Linux server by using the root user credentials. To disable the root user login via SSH, you need to do a simple alteration in the file by adding a no to the content of the file.

To access the file and make edits, use the following command:

sudo nano /etc/ssh/sshd_config

Now add the text no in the relevant place. For better understanding, we made a screenshot of the place where you should make the change to disable root user login for SSH.

The white line highlighted here is the statement where you have to add no.

The next segment shows how to alter the login shell to disable the route account.

Alter the root user’s shell

In this method, you can alter the default root shell by setting nologin in place of bash. By doing this, whenever someone else tries to log in to the root account, the account automatically exits the shell. With this method, it does not matter if the person enters the correct password.

There are two methods on how to accomplish this task:

Manually edit the /etc/passwd file
To set the default shell you have to use the usermod command

To manually edit the file, use the below-given command:

sudo nano /etc/passwd

Here is the display:

Switch /bin/bash to /usr/sbin/nologin.

Next, you have to use the usermod command to disable the root login. You have to use the usermod command along with the -s option as seen below:

sudo usermod -s /usr/sbin/nologin root

Take a look at the snapshot:

Now, if you are the root user and you try to log into your account, you will receive the message as shown below:

Hopping on to the next segment we have another method. We will now understand how to disable the root account via usermod command.

How to disable the root login by usermod command?

You can use the usermod command with the -L option as shown below to lock the root account:

sudo usermod -L root

Yes, one simple command can be used to lock the root account.

Disable the root access via PAM

PAM is a short form for Pluggable Authentication Modules. It is an extremely flexible way of authenticating Linux. Via the /lib/security/pam_listfile.so module, you can limit the privileges of the account that you want. The first step is to open the file and edit it for the target service in the /etc/pam.d/ directory. We will be using the nano command for your reference.

sudo nano /etc/pam.d/login

sudo nano /etc/pam.d/sshd

Now, add this configuration in these files as shown below:

auth    required       pam_listfile.so \
        onerr=succeed  item=user  sense=deny  file=/etc/ssh/deniedusers

Once the content is added to the file, Save and exit the nano text editor.

The next step is to create a file /etc/ssh/deniedusers. Now, add the name root and save this file.

sudo nano /etc/ssh/deniedusers

Set the permissions as given below:

sudo chmod 600 /etc/ssh/deniedusers

Note that this method is only available for the services that are PAM aware.

Conclusion

As you know, the root account has primary authority, and therefore, it holds great significance. So, if any instance occurs that calls to disable the root account, you can easily do that. This article provided you with various ways how to disable root login in Linux. We expect these particulars to help you to perform your task in the smoothest way possible. You can buy linux vps to practice it on a routine basis.

People also read:

Nisal N

Computers has always fascinated me since I was a kid and here we are. I love travelling for 2 reasons: the first one to see a new part of the world and second (the most important one) to experience the rich culture hidden among the country and people. I'm pretty good at cooking but very poor when it comes to baking.

How useful was this article for you?

(Rated 0 from 0 votes)