Tuesday, September 8, 2009

Disable root login in Linux

Disabling root logins in Linux is a simple process. Enter this command at the console:
$ sudo passwd -l root
To re-enable root login, use this command:
$ sudo passwd -u root
Alternatively, to unlock the root account you could reset the password, as I detailed in this post. These commands work with any username, not just root. For example, if you wanted to disable logins from a user named "phil", the syntax would look like this:
$ sudo passwd -l phil
There are two things to keep in mind when doing this. The first is that this only disables logins that use passwords. If you have enabled login over SSH via public keys, then that will continue to work. The second is that, before you disable the root account, you want to make sure at least one user has sudo power. Otherwise you will effectively have a machine on which nobody can perform administrative functions, because root is disabled and none of the other users can use the sudo command.
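
One way to check the second point before locking root, as an added example that is not part of the original post. It assumes sudo rights are granted through a group whose name you pass in ("sudo" in the constructed sample) and that sudo asks for the user's own password, which is its default; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check before `passwd -l root`.
# Files are passed as arguments so the functions can run on copies.

# Print the password state of USER ($1) in a shadow-format FILE ($2).
# A leading "!" is what passwd -l writes; "*" never matches a password either.
shadow_state() {
    awk -F: -v u="$1" '
        $1 == u {
            found = 1
            if ($2 ~ /^[!*]/) print "locked"
            else if ($2 == "") print "nopassword"
            else print "usable"
        }
        END { if (!found) print "missing" }' "$2"
}

# Print non-root members of GROUP ($1) listed in a group-format FILE ($2).
group_admins() {
    awk -F: -v g="$1" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && m[i] != "root") print m[i]
        }' "$2"
}

# Succeed only if some member of the sudo-granting GROUP ($1) still has a
# usable password, i.e. can answer sudo's default password prompt.
# Arguments: group name, group file, shadow file.
safe_to_lock_root() {
    for u in $(group_admins "$1" "$2"); do
        if [ "$(shadow_state "$u" "$3")" = "usable" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed sample data; the hashes are placeholders, not real ones.
d=$(mktemp -d)
printf '%s\n' 'root:$6$placeholder$hash:14495:0:99999:7:::' \
              'phil:$6$placeholder$hash:14495:0:99999:7:::' \
              'dave:!$6$placeholder$hash:14495:0:99999:7:::' > "$d/shadow"
printf '%s\n' 'sudo:x:27:phil,dave' 'ops:x:1001:dave' > "$d/group"

if safe_to_lock_root sudo "$d/group" "$d/shadow"; then
    echo "an admin with a usable password exists; locking root is safe"
fi
```

On a live system, pass /etc/group and /etc/shadow and run it as root, since /etc/shadow is not world-readable. Users granted sudo by their own sudoers entry rather than through a group are not seen by this check.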

1 comment:

  1. Any pam-based service which uses pam_unix in the account stack will deny authorization to a user whose password is in the locked state. Make sure that pam.d/sshd includes a reference to common-account, and that pam.d/common-account includes pam_unix. The out of the box ssh (and pam) on both Karmic and Hardy reject key-based auth attempts when the account is just locked w/ "passwd -l". :)