Restricting the ways a user can gain root permissions is a good security practice. In this tutorial I will show you how to disable the root account so that root permissions can only be obtained through ‘sudo’.

Create an administrator account

If you don’t have an account that can get root permissions with “sudo”, create one first. Do this before disabling root, or you will lock yourself out:

  1. Ensure the “sudo” command is installed (it is not part of every minimal installation; install the sudo package if it is missing).
  2. Create an account, then give it a password with passwd: useradd leaves the new account locked, and sudo will ask for this password.
    useradd -m <username>
    # useradd -m ricardo
    
  3. Add “username” to the “sudo” group (on Debian and Ubuntu the group already exists; elsewhere you may need to create it first with groupadd sudo).
    usermod -aG sudo <username>
    
  4. Ensure the “sudo” group can get root permissions by running visudo, which checks the sudoers syntax before saving (if you don’t have vi installed, set EDITOR to your editor, e.g. EDITOR=nano visudo):
    # uncomment or create the line below
    %sudo ALL=(ALL) ALL
    
  5. Log in as the new account in a second session, keeping your current root session open, and ensure you can get root permissions with “sudo”: sudo -l lists what the account may run and sudo -v confirms the password is accepted. Do not disable root until this works.

Disable root account

(A) Change root shell

You can change root’s login shell to nologin, so that “su -” or a console login as root cannot start a shell. The path depends on the distribution (/usr/sbin/nologin on Debian and Ubuntu, /sbin/nologin on RHEL and its derivatives, /usr/bin/nologin on Arch). The safest way to set it is usermod with its -s option; if you edit /etc/passwd by hand, use vipw, which locks the file while you edit:

# this is an example of the line you need to edit, change only the last field
root:x:0:0::/root:/usr/bin/nologin

Note that sudo -i and su - both execute root’s login shell, so they stop working too; use sudo -s or run commands with sudo directly. Changing the shell does not lock root’s password: passwd -l root does that, and sudo keeps working because it asks for your own password, not root’s.

(B) Disable root login over SSH

If you only want to block root logins over SSH, edit /etc/ssh/sshd_config, find the PermitRootLogin line, uncomment it and set it to no (the default on current OpenSSH is prohibit-password, which still lets root log in with a key):

PermitRootLogin no

sshd uses the first value it finds for a keyword, and on most current distributions an Include line near the top of sshd_config pulls in /etc/ssh/sshd_config.d/*.conf before the rest of the file, so a drop-in there wins over your edit. Check the syntax with sshd -t, restart the sshd service (called ssh on Debian and Ubuntu), and confirm the effective value with sshd -T | grep -i permitrootlogin, all while keeping your current SSH session open in case something goes wrong.
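The whole procedure, as an added example that is not the tutorial's own script: a POSIX shell helper with a create subcommand for steps 1 to 4, a disable-root subcommand for sections (A) and (B), and an audit subcommand that checks the result. The subcommand names, the /etc/sudoers.d/sudo-group drop-in and the use of usermod and sed instead of hand-editing are assumptions made here; the audit helpers take the files they inspect as arguments so they can be tried on copies without root.

```shell
#!/bin/sh
# Added example, not the tutorial's own script. The audit functions take the file
# they inspect as an argument, so they run against copies or fixtures without
# root; the apply functions change the live system and are reached only through
# the subcommands at the bottom.
set -eu

# user_in_group GROUPFILE USER GROUP: succeeds if USER is listed as a member of GROUP
user_in_group() {
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# sudoers_grants_group GROUP FILE...: succeeds if any FILE has an active
# "%GROUP ALL=(ALL) ALL" or "%GROUP ALL=(ALL:ALL) ALL" line (comments do not count)
sudoers_grants_group() {
    g=$1; shift
    grep -Eqs "^[[:space:]]*%$g[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]+ALL[[:space:]]*$" "$@"
}

# root_shell_disabled PASSWDFILE: succeeds if root's login shell (7th field) is
# nologin or false, whichever directory the distribution installs it in
root_shell_disabled() {
    case "$(awk -F: '$1 == "root" { print $7 }' "$1")" in
        */nologin|*/false) return 0 ;;
        *)                 return 1 ;;
    esac
}

# sshd_option FILE KEYWORD: prints the value of the first active KEYWORD line.
# sshd keeps the FIRST value it reads for a keyword and accepts "Key value" as well
# as "Key=value"; on a live host "sshd -T" is authoritative (it resolves Includes).
sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && tolower(f[1]) == k) { print f[2]; exit }
        }' "$1"
}

# audit_system [USER]: one line per control on the live system; fails if any fails
audit_system() {
    rc=0
    check() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; rc=1; fi; }
    [ -z "${1:-}" ] || check user_in_group /etc/group "$1" sudo
    check sudoers_grants_group sudo /etc/sudoers /etc/sudoers.d/*
    check root_shell_disabled /etc/passwd
    check test "$(sshd_option /etc/ssh/sshd_config PermitRootLogin)" = no
    return "$rc"
}

# create_admin_account USER: steps 1-4 as root, with the sudoers change validated
# by visudo instead of being typed by hand
create_admin_account() {
    command -v sudo >/dev/null || { echo "install the sudo package first" >&2; return 1; }
    getent group sudo >/dev/null || groupadd sudo
    id "$1" >/dev/null 2>&1 || useradd -m "$1"
    usermod -aG sudo "$1"
    # drop-in written through visudo so it is syntax-checked; assumes the usual
    # "@includedir /etc/sudoers.d" line in /etc/sudoers is active
    sudoers_grants_group sudo /etc/sudoers /etc/sudoers.d/* ||
        echo '%sudo ALL=(ALL) ALL' | EDITOR=tee visudo -f /etc/sudoers.d/sudo-group >/dev/null
    passwd "$1"     # sudo will ask for this password
    echo "step 5: log in as $1 in a SECOND session and run 'sudo -l'; keep this session open"
}

# disable_root_shell: section (A) via usermod instead of editing /etc/passwd by hand.
# Afterwards "su -" and "sudo -i" fail for root (both exec root's shell); use "sudo -s".
disable_root_shell() {
    shell=$(command -v nologin || echo /usr/sbin/nologin)   # /sbin, /usr/sbin or /usr/bin by distro
    usermod -s "$shell" root
}

# disable_root_ssh: section (B), then confirm the EFFECTIVE value with sshd -T
disable_root_ssh() {
    cfg=/etc/ssh/sshd_config
    sed -i -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]=].*/PermitRootLogin no/' "$cfg"
    grep -q '^PermitRootLogin no' "$cfg" || echo 'PermitRootLogin no' >> "$cfg"   # keyword was absent
    sshd -t                                                     # syntax check before restarting
    systemctl restart sshd 2>/dev/null || systemctl restart ssh  # the unit is "ssh" on Debian/Ubuntu
    [ "$(sshd -T | awk '$1 == "permitrootlogin" { print $2 }')" = no ] ||
        { echo "a drop-in under /etc/ssh/sshd_config.d/ overrides PermitRootLogin" >&2; return 1; }
}

case "${1:-}" in
    create)       create_admin_account "${2:?usage: $0 create USERNAME}" ;;
    disable-root) disable_root_shell; disable_root_ssh ;;
    audit)        audit_system "${2:-}" ;;
    *)            echo "usage: $0 {create USERNAME | disable-root | audit [USERNAME]}" >&2 ;;
esac
```

Run create as root first, prove the new account with sudo -l in a separate session, and only then run disable-root from that account with sudo. The file-based audit approximates what sudo -l and sshd -T report on the live host; those two commands remain the authoritative check, because they see sudoers.d and sshd_config.d drop-ins that a single-file grep can miss.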