Restricting the ways a user can gain root permissions is a good security practice. In this tutorial I will show you how to disable the root account and get root permissions only with ‘sudo’.

Create an administrator account

If you don’t have an account that can get root permissions with “sudo”, you can create one easily:

  1. Ensure you have the “sudo” command installed.
  2. Create an account.
    useradd -m <username>
    # useradd -m ricardo
    
  3. Add <username> to the “sudo” group (you may need to create that group first with groupadd sudo).
    usermod -aG sudo <username>
    
  4. Ensure the “sudo” group can get root permissions by running visudo (if you don’t have vi installed, set the EDITOR variable to your editor’s name on the same command line, i.e. EDITOR=<editor> visudo):
    # uncomment or create the line below
    %sudo ALL=(ALL) ALL
    
  5. Log in as the new account and ensure you can get root permissions with “sudo”.

Disable root account

(A) Change root shell

You can change the default shell for root to /usr/bin/nologin, /usr/sbin/nologin or /sbin/nologin by editing /etc/passwd (check which nologin path exists on your system):

# this is an example of the line you need to edit, change only the last part
root:x:0:0::/root:/usr/bin/nologin

(B) Disable root login over SSH

If you only need to disable root login over SSH, edit /etc/ssh/sshd_config, then uncomment this line and set it as follows:

PermitRootLogin=no

Then restart the sshd service.
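
A read-only check of the steps above, added here as an example that is not part of the original tutorial. The function names are hypothetical, and the sshd_config check reads a single file only (it assumes no Match blocks or Include files change the value).

```shell
#!/bin/sh
# Added example: read-only checks for the steps in this tutorial.
# Paths are arguments, so the checks can also run on copies of the files.

# Members of the "sudo" group (field 4 of its group entry).
sudo_members() { awk -F: '$1 == "sudo" { print $4; exit }' "$1"; }

# Login shell of root (field 7 of its passwd entry).
root_shell() { awk -F: '$1 == "root" { print $7; exit }' "$1"; }

# First PermitRootLogin value in an sshd_config file. sshd keeps the first
# occurrence of a keyword, matches keywords case-insensitively and accepts
# "Keyword value" as well as "Keyword=value". Match blocks and Include
# files are not followed here.
permit_root_login() {
    awk '
        /^[ \t]*#/ { next }                  # skip commented-out lines
        {
            sub(/^[ \t]+/, "")               # drop leading whitespace
            sub(/[ \t]*=[ \t]*/, " ")        # normalise "Keyword=value"
            if (tolower($1) == "permitrootlogin") {
                print tolower($2); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Returns 0 only when an administrator exists and both restrictions hold.
# Arguments: group file, passwd file, sshd_config file.
audit_root_lockdown() {
    rc=0
    [ -n "$(sudo_members "$1")" ] || { echo "FAIL: no members in sudo group"; rc=1; }
    case "$(root_shell "$2")" in
        */nologin) ;;
        *) echo "FAIL: root shell is $(root_shell "$2")"; rc=1 ;;
    esac
    prl=$(permit_root_login "$3")
    [ "$prl" = "no" ] || { echo "FAIL: PermitRootLogin is $prl"; rc=1; }
    return "$rc"
}

# Live use: sh script.sh /etc/group /etc/passwd /etc/ssh/sshd_config
if [ "$#" -eq 3 ]; then audit_root_lockdown "$@"; fi
```

On a live host, sshd -T (run as root) prints the effective configuration, which also covers Include files that this file-level check does not follow.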

Notes

Any user with superuser privileges can run sudo bash to enter a root shell. After disabling the root account, you can’t run su -, sudo su or su root.

If you have any suggestions, feel free to contact me via social media or email.