Disable Root Login

Warning: !! PROCEED AT YOUR OWN RISK !!

Proceed At Your Own Risk

This sections cover things that are high risk because there is a possibility they can make your system unusable, or are considered unnecessary by many because the risks outweigh any rewards.

Why disable root login?

If you have sudo configured properly, then the root account will mostly never need to log in directly – either at the terminal or remotely.

Be warned, this can cause issues with some configurations!

If your installation uses sulogin (like Debian) to drop to a root console during boot failures, then locking the root account will prevent sulogin from opening the root shell and you will get this error:

Cannot open access to console, the root account is locked.

See sulogin(8) man page for more details.

Press Enter to continue.

To work around this, you can use the --force option for sulogin. Some distributions already include this, or some other, workaround.

An alternative to locking the root acount is set a long/complicated root password and store it in a secured, non digital format. That way you have it when/if you need it.

Goals

  • locked root account that nobody can use to log in as root

Notes

  • Some distributions disable root login by default (e.g. Ubuntu) so you may not need to do this step. Check with your distribution’s documentation.

Steps - Disable root login

  1. Lock the root account:

     sudo passwd -l root
    

Licenses and Attributions


Speak Your Mind