The root user has access to anything and everything that is available within the Linux system. We can disable root login in Linux, though the security benefits of doing so are debatable. There are multiple ways to disable root login, and we'll go over all of them in this tutorial.
How to Enable Root Login in Linux
By default, Ubuntu disallows root login via the GUI login. Though not recommended, you can enable the root login in Ubuntu by using the passwd command to set a new password for the account. The same command is applicable for almost any Linux distribution.
sudo passwd root
Enter a new password when prompted, then use the -u option of the passwd command to unlock the root account.
sudo passwd -u root
Now you can log in to the root account via the su command below and use the whoami command to verify the user.
su root
whoami
Disable Root Login in Linux
Most of the methods that we’re listing here are pretty much accessible for every Linux distribution. Let’s go over all the available methods one by one.
1. Disable Root Login in Linux with passwd Command
To disable the root login, you can use the passwd command as below:
sudo passwd -l root
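This will lock the password for the root user, and you won't be able to access the root account with its password until a new one is set. Locking the password does not disable the account itself: root can still be reached through other authentication methods such as SSH keys, and through sudo.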
2. Disable Root Login Using the usermod Command
Similar to the passwd command above, we can use the usermod command to lock the account using the -L command option.
sudo usermod -L root
The result is the same as with the passwd command.
3. Changing the Login Shell to /usr/sbin/nologin
In this case, we change the default root shell from bash to nologin. Whenever someone logs in to the root account, even with the correct password, the session is refused and closed immediately instead of opening a shell.
Two ways to set nologin shell:
- Edit the /etc/passwd file manually
- Use the usermod command to set the default shell
We recommend using the usermod command as it is cleaner than manually editing the file, but we'll still demonstrate both methods here.
Editing the /etc/passwd file manually:
sudo nano /etc/passwd
Now you can change the part which says “/bin/bash” adjacent to the root user, to “/usr/sbin/nologin”.
Use the usermod command to set the default shell:
Now let’s come to the cleaner way to disable root login. This will be done by using the usermod command along with the -s option to set the default shell.
sudo usermod -s /usr/sbin/nologin root
Once you do this, the default shell will be set and you can verify it by running cat /etc/passwd and checking the last field of the root line.
Great! Now you know that the root user cannot log in to any terminal. If you do try to log in after this, the session is refused with a message saying the account is currently not available.
4. Disable Root Login in Linux for SSH
What if you do not want to disable the root login for the entire operating system but only want to disable access over SSH? You can do that by editing the /etc/ssh/sshd_config file and disabling root login there.
By default, it's set to prohibit-password, which means root cannot log in with a password and can only authenticate with keys. We can change this to no to disallow root access over SSH completely.
Edit the SSH config file by using the command below:
sudo nano /etc/ssh/sshd_config
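Find the line that says PermitRootLogin. You can uncomment that line and edit it, or add another line with your desired option; sshd uses the first value it reads for a keyword, so a new line only takes effect if no earlier uncommented PermitRootLogin line exists. In my case, I've simply written the same thing on a new line.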
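The checks below are an added example, not part of the original tutorial: a read-only shell audit covering the four methods above. The function names and the sample file contents are constructed for illustration, and the sshd_config check reads a single file without following Include directives.

```shell
#!/bin/sh
# Added example: read-only checks for the four methods above. File paths are
# arguments so the checks can run on copies; all sample data is constructed.

# Method 1/2: passwd -l and usermod -L prefix root's hash with '!'.
# A leading '!' or '*' in the shadow password field means no password matches.
root_password_locked() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case $field in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Method 3: print root's login shell (7th field of a passwd-format file).
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "$1"
}

# Method 4: print the global PermitRootLogin value from one sshd_config file.
# sshd keeps the FIRST uncommented value it reads; lines after a Match keyword
# are conditional, and prohibit-password applies when the keyword is absent.
permit_root_login() {
    awk 'BEGIN { v = "prohibit-password" }
         tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { v = tolower($2); exit }
         END { print v }' "$1"
}

audit_root_login() {   # args: shadow file, passwd file, sshd_config file
    if root_password_locked "$1"; then echo "password: locked"
    else echo "password: usable"; fi
    echo "shell: $(root_shell "$2")"
    echo "sshd PermitRootLogin: $(permit_root_login "$3")"
}

# Constructed sample files, not taken from a real system.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'root:!$6$constructed$hash:19000:0:99999:7:::' > "$demo/shadow"
printf '%s\n' 'root:x:0:0:root:/root:/usr/sbin/nologin' > "$demo/passwd"
# A "no" line added below an active "yes" line has no effect: first value wins.
printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
    'PermitRootLogin no' > "$demo/sshd_config"

audit_root_login "$demo/shadow" "$demo/passwd" "$demo/sshd_config"
```

On a live system, `sudo sshd -T | grep -i permitrootlogin` prints the value sshd actually resolves, and an edit to sshd_config only takes effect after the SSH service is reloaded.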
Well, that’s about it. These are just some of the quick and easy methods to disable root login in Linux that you can work with. For the most part, the first two methods will serve all your purposes. But if you need help with a specific situation, comment below and we can help you out with it better.