TechEarl

How to Disable Root Login on Linux

Disable direct root login over SSH and on the console, lock the root password, and move everyone to a normal account plus sudo, without locking yourself out.

Ishan Karunaratne

Root is the account every attacker tries first, and direct root login leaves no record of who did what. The fix is to log in as a normal user and elevate with sudo. Before you disable root, make sure you have a working sudo-capable account, or you will lock yourself out.

Step 0: confirm you have a way back in

bash
# As your normal user, prove sudo works BEFORE disabling root:
sudo whoami        # should print: root

If that prints root, you are safe to proceed. If it does not, grant sudo first and re-test.

Disable root login over SSH

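This is the one that matters most, because SSH is the internet-facing door. sshd uses the first value it reads for each keyword, so make sure no earlier-loaded file already sets PermitRootLogin. In /etc/ssh/sshd_config (or a drop-in under /etc/ssh/sshd_config.d/), set: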

code
PermitRootLogin no

Check and reload without dropping your session:

bash
sudo sshd -t                       # validate config
sudo systemctl reload ssh          # or: reload sshd

Keep your current session open and confirm that a fresh ssh youruser@server still works before closing it. PermitRootLogin prohibit-password is a middle ground: it blocks root password logins but still allows a root SSH key (useful for some automation), whereas no blocks root SSH logins entirely.

Lock the root password (console too)

Disabling SSH root login does not touch console or su access. To stop anyone from using su - to become root with a password, lock the root password:

bash
sudo passwd -l root

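This puts a ! in front of the password hash so no password matches. You still become root through sudo (which does not use the root password), so nothing you rely on breaks. Locking the password does not affect SSH key authentication, which is why PermitRootLogin no is still needed. To check: sudo passwd -S root shows L.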
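
To confirm that both the SSH setting and the password lock took effect, the script below (an added example, not from the original article) reads the effective PermitRootLogin value from sshd -T output, which reflects drop-ins, and the status field from passwd -S root. The function names and sample strings are constructed for illustration, and the live mode assumes sudo works on the host.

```shell
#!/bin/sh
# Added example (not from the article): check that both hardening steps took.
# Constructed samples of `sshd -T` and `passwd -S root` output:
SAMPLE_SSHD_T='port 22
permitrootlogin no
passwordauthentication yes'
SAMPLE_PASSWD_S='root L 2024-01-01 0 99999 7 -1'

# stdin: `sshd -T` output (effective config after drop-ins, lowercase keys).
# Prints the permitrootlogin value, or "unset" if the keyword is missing.
effective_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }'
}

# stdin: `passwd -S root` output. Succeeds only if the status field (column 2)
# is locked: "L", or "LK" as some distributions print it.
root_password_locked() {
    awk '{ s = $2 } END { exit !(s == "L" || s == "LK") }'
}

# $1 = sshd -T output, $2 = passwd -S root output. Prints one verdict line.
audit() {
    _ssh=$(printf '%s\n' "$1" | effective_root_login)
    _pw=unlocked
    printf '%s\n' "$2" | root_password_locked && _pw=locked
    case "$_ssh/$_pw" in
        no/locked)
            echo "OK: ssh=$_ssh password=$_pw" ;;
        prohibit-password/locked|without-password/locked)
            # Both spellings name the same setting; either may be printed.
            echo "WARN: root SSH key login still allowed" ;;
        *)
            echo "FAIL: ssh=$_ssh password=$_pw" ;;
    esac
}

# Live check on a real host (assumes sudo works): sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit "$(sudo sshd -T 2>/dev/null)" "$(sudo passwd -S root)"
else
    audit "$SAMPLE_SSHD_T" "$SAMPLE_PASSWD_S"
fi
```

Anything other than an OK line means one of the two steps did not apply as configured; re-check the drop-in order or the passwd -l step.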

What you do NOT want

Do not delete the root account or set its shell to nologin blindly: many system tools and recovery paths expect root to exist. Locking the password and disabling SSH root login achieves the security goal while keeping the account intact for sudo and single-user recovery.

Ishan Karunaratne

Tech Architect · Software Engineer · AI/DevOps

Tech architect and software engineer with 20+ years building software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Currently Chief Technology Officer at a healthcare tech startup, which is where most of these field notes come from.