List of content you will read in this article:
- 1. Hamper the SSH root login
- 2. Alter the root user’s shell
- 3. How to disable the root login by usermod command?
- 4. Disable the root access via PAM
- 5. Conclusion
When we talk about the root account in Linux, it is the administrator account of the Linux operating system. It implies that it has overall control over all the commands and files on the system along with their permissions. The permissions are inclusive of reading, writing, deleting or creating. In this tutorial, we will go through the steps on how to disable root login to the Linux server.
We will go through several methods through which you can disable root access to your Linux system.
- Hamper the SSH root login
- Alter the root user’s shell
- Disable the root login through usermod command
- Disable the root login through passwd command
Let's get started.
Hamper the SSH root login
In Linux, you have the option to disable access of the route user through SSH servers. All you have to do is edit some parameters in the mentioned file:
You can disable root login from this file. Once you have edited the configuration file, you will no longer be able to access the Linux server by using the root user credentials. To disable the root user login via SSH, you need to do a simple alteration in the file by adding a no to the content of the file.
To access the file and make edits, use the following command:
sudo nano /etc/ssh/sshd_config
Now add the text no in the relevant place. For better understanding, we made a screenshot of the place where you should make the change to disable root user login for SSH.
The white line highlighted here is the statement where you have to add no.
The next segment shows how to alter the login shell to disable the route account.
Alter the root user’s shell
In this method, you can alter the default root shell by setting nologin in place of bash. By doing this, whenever someone else tries to log in to the root account, the account automatically exits the shell. With this method, it does not matter if the person enters the correct password.
There are two methods on how to accomplish this task:
- Manually edit the /etc/passwd file
- To set the default shell you have to use the usermod command
To manually edit the file, use the below-given command:
sudo nano /etc/passwd
Here is the display:
Switch /bin/bash to /usr/sbin/nologin.
Next, you have to use the usermod command to disable the root login. You have to use the usermod command along with the -s option as seen below:
sudo usermod -s /usr/sbin/nologin root
Take a look at the snapshot:
Now, if you are the root user and you try to log into your account, you will receive the message as shown below:
Hopping on to the next segment we have another method. We will now understand how to disable the root account via usermod command.
How to disable the root login by usermod command?
You can use the usermod command with the -L option as shown below to lock the root account:
sudo usermod -L root
Yes, one simple command can be used to lock the root account.
Disable the root access via PAM
PAM is a short form for Pluggable Authentication Modules. It is an extremely flexible way of authenticating Linux. Via the /lib/security/pam_listfile.so module, you can limit the privileges of the account that you want. The first step is to open the file and edit it for the target service in the /etc/pam.d/ directory. We will be using the nano command for your reference.
sudo nano /etc/pam.d/login
sudo nano /etc/pam.d/sshd
Now, add this configuration in these files as shown below:
auth required pam_listfile.so \
onerr=succeed item=user sense=deny file=/etc/ssh/deniedusers
Once the content is added to the file, Save and exit the nano text editor.
The next step is to create a file /etc/ssh/deniedusers. Now, add the name root and save this file.
sudo nano /etc/ssh/deniedusers
Set the permissions as given below:
sudo chmod 600 /etc/ssh/deniedusers
Note that this method is only available for the services that are PAM aware.
As you know, the root account has primary authority, and therefore, it holds great significance. So, if any instance occurs that calls to disable the root account, you can easily do that. This article provided you with various ways how to disable root login in Linux. We expect these particulars to help you to perform your task in the smoothest way possible.
People also read: