How To Disable Root Login in Linux

root
is the default administrative user account or superuser in Linux. Disabling the root
user ensures that only specific users can perform administrative tasks, and install specific packages on your system with sudo (super user do) privileges. You must only disable the root
user if you have an existing non-root user with sudo privileges to run all administrative tasks.
This article explains how to disable root login in Linux and allow only sudo users to perform administrative tasks.
Prerequisites
Before you begin, you need to:
- Have access to a Linux instance as a non-root user with sudo privileges.
Disable Root SSH Login
Secure Shell (SSH) allows users to remotely access a Linux workstation using a valid user and password pair or SSH keys. Disabling root
SSH login terminates all root
user connection requests and only accepts non-root user connections. Follow the steps below to disable the root
SSH login on your workstation.
Open the
/etc/ssh/sshd_config
using a text editor such asnano
.console$ sudo nano /etc/ssh/sshd_config
Find the following
PermitRootLogin
directive and change its value fromyes
tono
to disable theroot
user login over SSH.iniPermitRootLogin no
Save and close the file.
Restart the SSH service to apply the configuration changes.
console$ sudo systemctl restart ssh
Disable Access to the Root User Shell
Disabling access to the root
user shell disables direct login to the root
user and the sudo su
command. This allows sudo users to perform administrative tasks on a system without logging in to the root
user shell. Follow the steps below to disable the root
user login using the /etc/passwd
file on your Linux workstation.
Open the
/etc/passwd
file.console$ sudo nano /etc/passwd
Change the
root
user shell from/bin/bash
to/sbin/nologin
.iniroot:x:0:0:root:/root:/sbin/nologin
Save and close the file.
The
/sbin/nologin
disables the defaultroot
user shell, thenologin
setting displays anaccount is not available
message when users attempt to log in as root.Enable the Immutable attribute on the
/etc/passwd
to disable any changes to the file.console$ sudo chattr +i /etc/passwd
Run the following command to verify that the
root
user is disabled. Enter your sudo user password when prompted.console$ sudo su
Output:
This account is currently not available.
Create a Custom MOTD
A Message of the Day (motd
) configuration displays an announcement or custom message when users log in to your Linux workstation. Follow the steps below to create a custom motd to instruct privileged users to use the sudo command when performing administrative tasks instead of attempting to access the root
user shell.
Open the
/etc/motd
file.console$ sudo nano /etc/motd
Add the following message to the file to use as the motd.
textWelcome to the server Note: The root account is disabled. Use sudo to execute commands and perform administrative tasks.
Save and close the file.
Test the Root User Login
Follow the steps below to test and verify that the root
user login is disabled on your Linux workstation.
Use the
sudo su
command to access theroot
user shell.console$ sudo su
Verify that your login fails with the following prompt:
This account is currently not available.
Access your Linux workstation using SSH as the
root
user.console$ ssh root@Server-IP
Verify that the SSH connection fails, even when using the correct credentials similar to the output below.
Permission denied, please try again. ... Received disconnect from Server-IP port 22:2: Too many authentication failures Disconnected from Server-IP port 22
Log in to your Linux instance using
tty1
or a Display Manager (DM) as theroot
user, and verify that the connection fails.
Conclusion
You have disabled the root
user on your Linux workstation. Regular users cannot access the root
user shell or modify the /etc/passwd
file to enable the root
user login. In addition, you disabled the root
user login via SSH, which disallows all connection attempts to your Linux workstation. A message of the day (motd) instructs privileged users to perform administrative tasks using specific methods defined in your message, which improves the system's security and enforces access levels.