TechEarl

How to Disable Root Login on Linux

Disable direct root login over SSH and on the console, lock the root password, and move everyone to a normal account plus sudo, without locking yourself out.

Ishan Karunaratne⏱️ 4 min readUpdated
Share thisCopied
Disable direct root login over SSH and the console, lock the root password, and use a normal account plus sudo instead, safely.

Direct root login is the account every attacker tries first, and it leaves no record of who did what. The fix is to log in as a normal user and elevate with sudo. Before you disable root, make sure you have a working sudo-capable account, or you will lock yourself out.

Step 0: confirm you have a way back in

bash
# As your normal user, prove sudo works BEFORE disabling root:
sudo whoami        # should print: root

If that prints root, you are safe to proceed. If it does not, grant sudo first and re-test.

Disable root login over SSH

This is the one that matters most, because SSH is the internet-facing door. In /etc/ssh/sshd_config (or a drop-in under /etc/ssh/sshd_config.d/):

code
PermitRootLogin no

Check and reload without dropping your session:

bash
sudo sshd -t                       # validate config
sudo systemctl reload ssh          # or: reload sshd

Keep your current session open and confirm a fresh ssh youruser@server still works before closing it. PermitRootLogin prohibit-password is a middle ground: it blocks root password logins but still allows a root SSH key (useful for some automation); no blocks root entirely.

Lock the root password (console too)

Disabling SSH root login does not touch console or su access. To stop anyone from su - into root with a password, lock the root password:

bash
sudo passwd -l root

This puts a ! in the hash so no password matches. You still become root through sudo (which does not use the root password), so nothing you rely on breaks. To check: sudo passwd -S root shows L.

What you do NOT want

Do not delete the root account or set its shell to nologin blindly: many system tools and recovery paths expect root to exist. Locking the password and disabling SSH root login achieves the security goal while keeping the account intact for sudo and single-user recovery.

FAQ

See also

Sources

Authoritative references this article was fact-checked against.

TagsLinuxrootsudosshdSecurityHardening

Found this useful? Pass it on.

Copied

Ishan Karunaratne

Software Systems Architect · Senior Software Engineer · Engineering Leadership

Software systems architect and senior software engineer with more than two decades designing, building, and running production software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Now a CTO, though what I write here is drawn from the full arc of that work, across architecture, engineering, and operations, not any single job.

More by IshanLinkedIn
Keep reading

Related posts

How to schedule a cron job on Linux: edit your crontab, write the five-field cron schedule, and point it at a command to run on a recurring timer.
Linux

How to Schedule a Cron Job on Linux

Schedule a recurring task on Linux with cron: open your crontab, write the five-field schedule, point it at a command, and avoid the environment and day-of-week traps that make jobs run at the wrong time.

List all Linux users and groups from /etc/passwd and /etc/group with getent, and tell human accounts from system accounts by UID.
Linux

How to List Users and Groups on Linux

List every user and group from /etc/passwd and /etc/group with getent, tell human accounts from system ones by UID, and see which groups a user belongs to.