Disable the root account on Linux and prevent anyone from impacting the operations of your system negatively. Moreover, the same practice can help assure no one abuses power and authority that root access brings to the table.
A root account can be critical if rested within the wrong hands. That said, acquiring the ability to disable the root account on Linux is crucial. In the following article, I’ll help you learn exactly that.
Pre-Requisites
Before you go ahead and disable the root account on Linux, you must create an administrative account upfront. It will ensure you’re open to using the sudo command and regain root user access.
Create an Administrative Account
Creating an administrative account is pretty straightforward. You need to launch the Terminal using the “Ctrl+Alt+T” key combination and invoking the useradd command. Together with that, use the passwd command and associate a healthy password.
Here is what the commands should look like:
$ useradd -m -c "Admin User" main_admin
$ passwd [desired strong password]
The -m and -c flags respectively work to create the user’s home directory and specify any comment moving forward.
Add User to a Group
Once you’re done with the creation process, the next task is adding the user to a particular group. For that, invoke the usermod command next to the -a and -G flag. While the former reflects on appending user accounts, the latter deals with specifying the desired group
You choose between sudo or wheel depending on the concerned system.
For CentOS/RHEL, use the following command:
$ usermod -aG wheel main_admin
For Debian/Ubuntu, pass the following command:
$ usermod -aG sudo main_admin
Switching the Primary root User
You’re now ready to switch and choose the created administrative account as the primary root user. This will allow you to move to the next step and disable the root account on Linux.
How to Disable the Root Account on Linux
There are several ways of getting the root account disabled on Linux. Stay tuned as I walk you through each method in the most easy-to-understand manner.
Disable Root Account by Altering Root User’s Shell
One of the most widely used methods of disabling the root account on Linux is by bringing alterations in the user shell. The process is simple, change the existing shell(the one which permits login) to any other which doesn’t, and that’s nearly it. For instance, you can change /bin/bash to /sbin/nologin.
The next task is modifying the /etc/passwd file. To do that, launch the file via any command-line editor, vim, for instance.
Run the following command:
Alter the following lines
Save the file and continue.
Now, whenever the root user tries to log themself in, they will get an error message stating that “This account is currently not available.” Changing the default message to something you want to display is a straightforward task. The only thing you’ll require is editing /etc/nologin.txt
Remember, the method works only with the programs that perform user logins via shell.
Disabling the root account by altering the root user’s shell is great. But the fact that it loads with some drawbacks makes users like us opt for a different method.
Disable the Root Account on Linux by a Console Device
Employing a console device to disable the root account on Linux is also quite handy. The method utilizes a PAM module, popular as pam_securetty. The module allows root access if and when the concerned user is getting themselves logged in on a secure environment of TTY.
The good thing is that you can specify the TTY devices to allow access to. However, emptying the file entirely will instruct the system to revoke the access.
Creating an Empty File
For creating an empty file, invoke the following command inside the Terminal:
Similar to the previous method discussed, this one also bags some form of limitations. The method is limited to showing the result on programs such as login—more advanced utilities like su, sudo, ssh, and more goes unaffected.
Disabling the SSH Root Login on Linux
If you don’t know, SSH offers one of the best ways to access remoter servers. Thankfully, bringing a few edits will help block all forms of root user login that fall under it. The concerned file is /etc/ssh/sshd_config
Launch the file with a command-line editor. If you’re using vim, run the following command:
Head over to the PermitRootLogin section and set the value to no.
Save and close the file.
Finally, perform a quick sshd restart to ensure the changes get successfully applied.
Blocking Root Access via PAM
The final method to disable the root account on Linux is using a modular called PAM. Pluggable Authentication Modules offers a brilliant way to toggle between authentication structuring on Linux through /lib/security/pam_listfile.so
For disabling root access, start by launching the target service located inside /etc/pam.d/directory and editing the same. Again, you can use any of your favorite editors but make sure to specify if you’re after restricting access to the sshd services or simply login.
For instance, the $ sudo [editor command] /etc/pam.d/ sshd is meant or blocking access to sshd services while $ sudo [editor command] /etc/pam.d/ login works for the login access.
Add the required configuration:
Save and close the file.
After that, create a plain file .etc.ssh/denier/user/ and include the item, and name it root. Keep in mind the file should only contain one item per line.
Set the required permissions using the chmod command and continue.
That wraps this article. Here, I’ve guided you through four promising methods to disable the root account on Linux. I made sure everything was easy to digest, and you didn’t have a hard time getting the job done.
If this guide helped you, please share it.
