How To Disable Root Login in Linux

root is the default administrative user account or superuser in Linux. Disabling the root user ensures that only specific users can perform administrative tasks, and install specific packages on your system with sudo (super user do) privileges. You must only disable the root user if you have an existing non-root user with sudo privileges to run all administrative tasks.

This article explains how to disable root login in Linux and allow only sudo users to perform administrative tasks.

Prerequisites

Before you begin, you need to:

• Have access to a Linux instance as a non-root user with sudo privileges.

Disable Root SSH Login

Secure Shell (SSH) allows users to remotely access a Linux workstation using a valid user and password pair or SSH keys. Disabling root SSH login terminates all root user connection requests and only accepts non-root user connections. Follow the steps below to disable the root SSH login on your workstation.

1. Open the /etc/ssh/sshd_config using a text editor such as nano.

   console Copy

   $ sudo nano /etc/ssh/sshd_config
   

2. Find the following PermitRootLogin directive and change its value from yes to no to disable the root user login over SSH.

   ini Copy

   PermitRootLogin no
   

   Save and close the file.

3. Restart the SSH service to apply the configuration changes.

   console Copy

   $ sudo systemctl restart ssh
   

Disable Access to the Root User Shell

Disabling access to the root user shell disables direct login to the root user and the sudo su command. This allows sudo users to perform administrative tasks on a system without logging in to the root user shell. Follow the steps below to disable the root user login using the /etc/passwd file on your Linux workstation.

1. Open the /etc/passwd file.

   console Copy

   $ sudo nano /etc/passwd
   

2. Change the root user shell from /bin/bash to /sbin/nologin.

   ini Copy

   root:x:0:0:root:/root:/sbin/nologin
   

   Save and close the file.

   The /sbin/nologin disables the default root user shell, the nologin setting displays an account is not available message when users attempt to log in as root.

3. Enable the Immutable attribute on the /etc/passwd to disable any changes to the file.

   console Copy

   $ sudo chattr +i /etc/passwd
   

4. Run the following command to verify that the root user is disabled. Enter your sudo user password when prompted.

   console Copy

   $ sudo su
   

   Output:

   This account is currently not available.

Create a Custom MOTD

A Message of the Day (motd) configuration displays an announcement or custom message when users log in to your Linux workstation. Follow the steps below to create a custom motd to instruct privileged users to use the sudo command when performing administrative tasks instead of attempting to access the root user shell.

1. Open the /etc/motd file.

   console Copy

   $ sudo nano /etc/motd
   

2. Add the following message to the file to use as the motd.

   text Copy

   Welcome to the server
   Note: The root account is disabled. Use sudo to execute commands and perform administrative tasks.
   

   Save and close the file.

Test the Root User Login

Follow the steps below to test and verify that the root user login is disabled on your Linux workstation.

1. Use the sudo su command to access the root user shell.

   console Copy

   $ sudo su
   

   Verify that your login fails with the following prompt:

   This account is currently not available.

2. Access your Linux workstation using SSH as the root user.

   console Copy

   $ ssh root@Server-IP
   

   Verify that the SSH connection fails, even when using the correct credentials similar to the output below.

   Permission denied, please try again.
   ...
   Received disconnect from Server-IP port 22:2: Too many authentication failures
   Disconnected from Server-IP port 22

3. Log in to your Linux instance using tty1 or a Display Manager (DM) as the root user, and verify that the connection fails.

   

Conclusion

You have disabled the root user on your Linux workstation. Regular users cannot access the root user shell or modify the /etc/passwd file to enable the root user login. In addition, you disabled the root user login via SSH, which disallows all connection attempts to your Linux workstation. A message of the day (motd) instructs privileged users to perform administrative tasks using specific methods defined in your message, which improves the system's security and enforces access levels.