How To Disable Root Logins
Most Linux installations come with the root user by default. Ubuntu is one notable exception where root is disabled. The problem with the "root" user is that it can do everything, and isn't linked to any particular user. It's a sort of "catch-all" account that's very dangerous in the wrong hands. Disabling root access has a lot of little benefits, none of which is persuasive enough by themselves. However taken together, they're pretty convincing.
Here are a few benefits.
- Attacker Needs to Guess two pieces of information instead of just one - the username AND the password
- Users will need to specifically request admin permissions via the "sudo" command instead of having admin access by default
- It's easy to audit user activities and find out which user performed which activity instead of merely having "root" as the user
There are other benefits as well, but these are some of the main ones. Like I said, there are arguments debating the efficacy of each of them, but together they form a pretty solid front. Disabling root logins is a good idea on general principles.
So here's how we do it.
Step 1: Logging in as Root and Opening the sshd_config File
As you can see below, I can log in as root by default using SSH:
To disable root logins we need admin privileges to start with so we can modify the following file:
/etc/ssh/sshd_config
So either use your account's "sudo" capability, or log in as root itself. Open the file in a text editor:
vi /etc/ssh/sshd_config
Step 2: Change One Line in sshd_config
Now scroll all the way down or search for the line that starts like this:
#PermitRootLogin yes
As shown here:
The hash character (#) indicates that the line has been "commented out". So we're going to make two changes:
- Remove the hash (#)
- Change "yes" to "no"
So the line will finally look like this:
PermitRootLogin no
Make these changes, and save the file. Once done, we need to restart the sshd service so that our changes will take effect. We do this using the following command:
systemctl restart sshd
Again, remember to use "sudo" before these commands if you don't have admin privileges by default, or login as root to perform them. After this works, you won't be able to log in again!
Step 3: Testing Your Changes
If you've done the previous steps properly, you should now be prevented from logging in as root. Since I tested it at the beginning of this, I perform the same test again:
This time, you can see that if I try and login as root directly, I get an "access" denied message. That's great. Looks like we've successfully disabled root logins on Linux!
But What if you NEED Root Later On?
While you should be able to use "sudo" to perform admin actions instead of root, there might come a time when you realize you need root access after all. Don't worry! Root hasn't vanished. You can still access root from any other user by typing in the following command:
su - root
This will prompt you for the root password and log you into root as shown here:
So worst case scenario, it's still available to you if you need it. In general, it's a good idea to use it as infrequently as possible!