
How to Disable the Root Account on Linux

Disable the root account on Linux to prevent anyone from negatively impacting the operation of your system. The same practice also helps ensure that no one abuses the power and authority that root access brings.

A root account can be dangerous in the wrong hands, so knowing how to disable the root account on Linux is crucial. In the following article, I’ll help you learn exactly that.

Pre-Requisites

Before you go ahead and disable the root account on Linux, you must create an administrative account first. This ensures you can still use the sudo command to regain root user access.

Create an Administrative Account

Creating an administrative account is pretty straightforward. Launch the Terminal using the “Ctrl+Alt+T” key combination and invoke the useradd command. Then use the passwd command to set a strong password for the new account.

Here is what the commands should look like:

$ useradd -m -c "Admin User" main_admin
$ passwd main_admin

The -m flag creates the user’s home directory, and the -c flag specifies a comment for the account.

Add User to a Group

Once you’re done with the creation process, the next task is adding the user to a particular group. For that, invoke the usermod command with the -a and -G flags. The former appends the user to the group, while the latter specifies the desired group.

Choose between sudo and wheel depending on the system in question.

For CentOS/RHEL, use the following command:

$ usermod -aG wheel main_admin

For Debian/Ubuntu, pass the following command:

$ usermod -aG sudo main_admin

Switching the Primary root User

You’re now ready to switch to the administrative account you created and use it as the primary root user. This will allow you to move to the next step and disable the root account on Linux.

How to Disable the Root Account on Linux

There are several ways of getting the root account disabled on Linux. Stay tuned as I walk you through each method in the most easy-to-understand manner.

Disable Root Account by Altering Root User’s Shell

One of the most widely used methods of disabling the root account on Linux is changing the root user’s shell. The process is simple: change the existing shell (the one that permits login) to one that doesn’t, and that’s nearly it. For instance, you can change /bin/bash to /sbin/nologin.

The next task is modifying the /etc/passwd file. To do that, launch the file via any command-line editor, vim, for instance.

Run the following command:


Alter the following lines


Save the file and continue.

Now, whenever the root user tries to log in, they will get an error message stating “This account is currently not available.” Changing this default message to something of your own is straightforward: you only need to edit /etc/nologin.txt.

Remember, the method works only with programs that perform user logins via the shell.

Disabling the root account by altering the root user’s shell works well, but it comes with some drawbacks, which is why users like us opt for a different method.

Disable the Root Account on Linux by a Console Device

Using a console device to disable the root account on Linux is also quite handy. The method relies on a PAM module known as pam_securetty. The module allows root access only when the user logs in on a TTY that is marked as secure.

The good thing is that you can specify the TTY devices to allow access to. However, emptying the file entirely will instruct the system to revoke the access.

Creating an Empty File

For creating an empty file, invoke the following command inside the Terminal:


Like the previous method, this one has some limitations. It only affects programs such as login; more advanced utilities like su, sudo, ssh, and others are unaffected.

Disabling the SSH Root Login on Linux

In case you don’t know, SSH offers one of the best ways to access remote servers. Thankfully, a few edits will block all forms of root user login over it. The file in question is /etc/ssh/sshd_config.

Launch the file with a command-line editor. If you’re using vim, run the following command:


Head over to the PermitRootLogin section and set the value to no.

Save and close the file.

Finally, perform a quick sshd restart to ensure the changes get successfully applied.


Blocking Root Access via PAM

The final method to disable the root account on Linux uses PAM. Pluggable Authentication Modules (PAM) offer a flexible way to configure authentication on Linux, in this case through the /lib/security/pam_listfile.so module.

To disable root access, start by opening the target service’s file inside the /etc/pam.d/ directory and editing it. Again, you can use any of your favorite editors, but choose the file according to whether you want to restrict access to the sshd service or simply to login.

For instance, $ sudo [editor command] /etc/pam.d/sshd is meant for blocking access to the sshd service, while $ sudo [editor command] /etc/pam.d/login works for login access.

Add the required configuration:


Save and close the file.

After that, create a plain file .etc.ssh/denier/user/ and add the entry root to it. Keep in mind that the file should contain only one item per line.

Set the required permissions using the chmod command and continue.
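
To verify all four methods after applying them, here is an added example (not code from the original article) that checks root's shell, the securetty file, PermitRootLogin and the pam_listfile deny rule under a directory prefix, and demonstrates itself on a constructed sample tree. The /etc/securetty location is pam_securetty's default; the pam_listfile rule text and the /etc/ssh/deniedusers list path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Pass "" to audit the live system or a directory prefix for a test tree.

check_shell() {     # Method 1: field 7 of root's /etc/passwd entry must refuse logins
    sh=$(awk -F: '$1 == "root" { print $7; exit }' "$1/etc/passwd" 2>/dev/null) || sh=
    case "$sh" in */nologin|*/false) echo ok ;; *) echo "FAIL($sh)" ;; esac
}

check_securetty() { # Method 2: the file must exist and list no TTY devices
    [ -f "$1/etc/securetty" ] || { echo "FAIL(missing)"; return; }
    if grep -Eqv '^[[:space:]]*(#|$)' "$1/etc/securetty"
    then echo "FAIL(ttys listed)"; else echo ok; fi
}

check_sshd() {      # Method 3: sshd keeps the first value it reads for a keyword
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' \
        "$1/etc/ssh/sshd_config" 2>/dev/null) || v=
    [ "$v" = no ] && echo ok || echo "FAIL(${v:-unset})"
}

check_pam() {       # Method 4: deny rule in /etc/pam.d/$2, and root present in its list
    list=$(awk '$1 == "auth" && /pam_listfile\.so/ && /item=user/ && /sense=deny/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^file=/) { print substr($i, 6); exit }
    }' "$1/etc/pam.d/$2" 2>/dev/null) || list=
    [ -n "$list" ] || { echo "FAIL(no rule)"; return; }
    grep -qx root "$1$list" 2>/dev/null && echo ok || echo "FAIL(root not in $list)"
}

audit_root() {
    echo "shell=$(check_shell "$1") securetty=$(check_securetty "$1")" \
         "sshd=$(check_sshd "$1") pam=$(check_pam "$1" sshd)"
}

make_fixture() {    # Constructed sample tree: $2 = root's shell, $3 = PermitRootLogin
    mkdir -p "$1/etc/ssh" "$1/etc/pam.d"
    printf 'root:x:0:0:root:/root:%s\n' "$2" > "$1/etc/passwd"
    : > "$1/etc/securetty"
    printf '#PermitRootLogin yes\nPermitRootLogin %s\n' "$3" > "$1/etc/ssh/sshd_config"
    printf 'auth required pam_listfile.so onerr=succeed item=user sense=deny %s\n' \
        'file=/etc/ssh/deniedusers' > "$1/etc/pam.d/sshd"   # list path is an assumption
    echo root > "$1/etc/ssh/deniedusers"
}

# Demo on the constructed tree; prints: shell=ok securetty=ok sshd=ok pam=ok
demo=$(mktemp -d) && make_fixture "$demo" /sbin/nologin no && audit_root "$demo"
rm -rf "$demo"
```

On a live host, sshd -T reports the effective PermitRootLogin value after Include and Match processing, which this plain file scan does not follow.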

That wraps up this article. Here, I’ve guided you through four promising methods to disable the root account on Linux. I made sure everything was easy to digest, so that you wouldn’t have a hard time getting the job done.

If this guide helped you, please share it.
