How To Disable Root Login in Linux

Updated on February 14, 2025

root is the default administrative user account, or superuser, in Linux. Disabling the root user ensures that only specific users can perform administrative tasks and install packages on your system with sudo (superuser do) privileges. Only disable the root user if you have an existing non-root user with sudo privileges to run all administrative tasks.

This article explains how to disable root login in Linux and allow only sudo users to perform administrative tasks.

Prerequisites

Before you begin, you need to:

Disable Root SSH Login

Secure Shell (SSH) allows users to remotely access a Linux workstation using a valid username and password pair or SSH keys. Disabling root SSH login rejects all root user connection requests and only accepts non-root user connections. Follow the steps below to disable the root SSH login on your workstation.

  1. Open the /etc/ssh/sshd_config file using a text editor such as nano.

    ```console
    $ sudo nano /etc/ssh/sshd_config
    ```
  2. Find the PermitRootLogin directive and change its value from yes to no to disable root user login over SSH.

    ```ini
    PermitRootLogin no
    ```

    Save and close the file.

  3. Restart the SSH service to apply the configuration changes.

    ```console
    $ sudo systemctl restart ssh
    ```

Disable Access to the Root User Shell

Disabling access to the root user shell disables direct login to the root user and the sudo su command. This allows sudo users to perform administrative tasks on a system without logging in to the root user shell. Follow the steps below to disable the root user login using the /etc/passwd file on your Linux workstation.

  1. Open the /etc/passwd file.

    ```console
    $ sudo nano /etc/passwd
    ```
  2. Change the root user shell from /bin/bash to /sbin/nologin.

    ```ini
    root:x:0:0:root:/root:/sbin/nologin
    ```

    Save and close the file.

    Setting /sbin/nologin as the shell disables the default root user shell. When users attempt to log in as root, nologin displays an "account is not available" message.

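  3. Enable the immutable attribute on the /etc/passwd file to block any changes to the file. While the attribute is set, tools that edit /etc/passwd, such as useradd and usermod, fail until you remove it.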

    ```console
    $ sudo chattr +i /etc/passwd
    ```
  4. Run the following command to verify that the root user is disabled. Enter your sudo user password when prompted.

    ```console
    $ sudo su
    ```

    Output:

    This account is currently not available.

Create a Custom MOTD

A Message of the Day (motd) configuration displays an announcement or custom message when users log in to your Linux workstation. Follow the steps below to create a custom motd to instruct privileged users to use the sudo command when performing administrative tasks instead of attempting to access the root user shell.

  1. Open the /etc/motd file.

    ```console
    $ sudo nano /etc/motd
    ```
  2. Add the following message to the file to use as the motd.

    ```text
    Welcome to the server
    Note: The root account is disabled. Use sudo to execute commands and perform administrative tasks.
    ```

    Save and close the file.

Test the Root User Login

Follow the steps below to test and verify that the root user login is disabled on your Linux workstation.

  1. Use the sudo su command to access the root user shell.

    ```console
    $ sudo su
    ```

    Verify that your login fails with the following prompt:

    This account is currently not available.
  2. Access your Linux workstation using SSH as the root user.

    ```console
    $ ssh root@Server-IP
    ```

    Verify that the SSH connection fails, even when you use the correct credentials, with output similar to the following:

    Permission denied, please try again.
    ...
    Received disconnect from Server-IP port 22:2: Too many authentication failures
    Disconnected from Server-IP port 22
  3. Log in to your Linux instance using tty1 or a Display Manager (DM) as the root user, and verify that the connection fails.

    The root session terminated
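
The manual tests above can be backed by a scripted check of the two files this guide edits. The following script is an added example, not part of the original article. The function names and sample files are hypothetical, and the parser is simplified: it does not follow Include files and it stops at the first Match block.

```shell
#!/bin/sh
# Added example: audit the two settings this guide changes.

# Print the global PermitRootLogin value from an sshd_config-style file.
# sshd keeps the FIRST value it reads for a keyword, so a later "no" does
# not override an earlier "yes". Simplification: Include files are not
# followed and parsing stops at the first Match block; on a live host,
# "sshd -T" prints the effective value instead.
permit_root_login() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }  # OpenSSH default
    ' "$1"
}

# Print the login shell (7th field) of the root entry in a passwd-style file.
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "$1"
}

# Return 0 only if root SSH login is "no" and root has a nologin shell.
audit_root_login() {
    rc=0
    prl=$(permit_root_login "$1")
    shell=$(root_shell "$2")
    [ "$prl" = "no" ] || { echo "FAIL: PermitRootLogin is '$prl'"; rc=1; }
    case "$shell" in
        */nologin) ;;
        *) echo "FAIL: root shell is '$shell'"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: root login is disabled"
    return "$rc"
}

# Constructed sample files (not taken from a real host).
make_samples() {
    printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' 'permitrootlogin no' > "$1/sshd_shadowed"
    printf '%s\n' '# hardened' 'PermitRootLogin no' > "$1/sshd_ok"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' > "$1/passwd_open"
    printf '%s\n' 'root:x:0:0:root:/root:/sbin/nologin' > "$1/passwd_ok"
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit_root_login "$tmp/sshd_shadowed" "$tmp/passwd_open" || true
audit_root_login "$tmp/sshd_ok" "$tmp/passwd_ok"
rm -rf "$tmp"
```

The first sample shows why a "PermitRootLogin no" line appended below an earlier "PermitRootLogin yes" does not take effect: the audit reports the value as yes.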

Conclusion

You have disabled the root user on your Linux workstation. Regular users cannot access the root user shell or modify the /etc/passwd file to enable the root user login. In addition, you disabled the root user login via SSH, which rejects all root connection attempts to your Linux workstation. A message of the day (motd) instructs privileged users to perform administrative tasks using the methods defined in your message. Together, these changes improve the system's security and enforce access levels.