How To Disable Root Login in Linux
root is the default administrative user account or superuser in Linux. Disabling the root user ensures that only specific users can perform administrative tasks, and install specific packages on your system with sudo (super user do) privileges. You must only disable the root user if you have an existing non-root user with sudo privileges to run all administrative tasks.
This article explains how to disable root login in Linux and allow only sudo users to perform administrative tasks.
Prerequisites
Before you begin, you need to:
- Have access to a Linux instance as a non-root user with sudo privileges.
Disable Root SSH Login
Secure Shell (SSH) allows users to remotely access a Linux workstation using a valid user and password pair or SSH keys. Disabling root SSH login terminates all root user connection requests and only accepts non-root user connections. Follow the steps below to disable the root SSH login on your workstation.
Open the
/etc/ssh/sshd_configusing a text editor such asnano.console$ sudo nano /etc/ssh/sshd_config
Find the following
PermitRootLogindirective and change its value fromyestonoto disable therootuser login over SSH.iniPermitRootLogin noSave and close the file.
Restart the SSH service to apply the configuration changes.
console$ sudo systemctl restart ssh
Disable Access to the Root User Shell
Disabling access to the root user shell disables direct login to the root user and the sudo su command. This allows sudo users to perform administrative tasks on a system without logging in to the root user shell. Follow the steps below to disable the root user login using the /etc/passwd file on your Linux workstation.
Open the
/etc/passwdfile.console$ sudo nano /etc/passwd
Change the
rootuser shell from/bin/bashto/sbin/nologin.iniroot:x:0:0:root:/root:/sbin/nologin
Save and close the file.
The
/sbin/nologindisables the defaultrootuser shell, thenologinsetting displays anaccount is not availablemessage when users attempt to log in as root.Enable the Immutable attribute on the
/etc/passwdto disable any changes to the file.console$ sudo chattr +i /etc/passwd
Run the following command to verify that the
rootuser is disabled. Enter your sudo user password when prompted.console$ sudo su
Output:
This account is currently not available.
Create a Custom MOTD
A Message of the Day (motd) configuration displays an announcement or custom message when users log in to your Linux workstation. Follow the steps below to create a custom motd to instruct privileged users to use the sudo command when performing administrative tasks instead of attempting to access the root user shell.
Open the
/etc/motdfile.console$ sudo nano /etc/motd
Add the following message to the file to use as the motd.
textWelcome to the server Note: The root account is disabled. Use sudo to execute commands and perform administrative tasks.
Save and close the file.
Test the Root User Login
Follow the steps below to test and verify that the root user login is disabled on your Linux workstation.
Use the
sudo sucommand to access therootuser shell.console$ sudo su
Verify that your login fails with the following prompt:
This account is currently not available.Access your Linux workstation using SSH as the
rootuser.console$ ssh root@Server-IP
Verify that the SSH connection fails, even when using the correct credentials similar to the output below.
Permission denied, please try again. ... Received disconnect from Server-IP port 22:2: Too many authentication failures Disconnected from Server-IP port 22Log in to your Linux instance using
tty1or a Display Manager (DM) as therootuser, and verify that the connection fails.
Conclusion
You have disabled the root user on your Linux workstation. Regular users cannot access the root user shell or modify the /etc/passwd file to enable the root user login. In addition, you disabled the root user login via SSH, which disallows all connection attempts to your Linux workstation. A message of the day (motd) instructs privileged users to perform administrative tasks using specific methods defined in your message, which improves the system's security and enforces access levels.