Disable Root Login on Linux (Ubuntu/Debian) — Right now!

Disabling the root user login is a best practice for securing Linux systems. It limits direct access to the most powerful account, forcing users to go through sudo, a safer and more auditable way to run commands with elevated privileges. Here we will explain what root login is, why it exists, the risks of leaving it enabled, and how to disable it properly.


What Is Root Login?

The root user is the superuser on Unix and Linux systems, with unrestricted control over the entire system: all files, devices, and settings. A process running as root is not subject to the normal permission checks, so a root login bypasses almost every security restriction the system enforces.

Root login can occur:

  • Locally, by logging into the console as root or switching users with commands like su or su -.
  • Remotely, through SSH with ssh root@hostname.
  • Indirectly via sudo, which runs individual commands with root privileges for authorized users and is safer and easier to control, because each invocation is logged under the calling user's name.

Why Does Root Exist?

Root exists to:

  • Perform system maintenance and updates.
  • Install or remove software that affects all users.
  • Manage user accounts and permissions.
  • Recover the system in emergencies.

While root access is necessary, directly logging in as root is rarely required during day-to-day use.

Why Is Leaving Root Login Enabled Dangerous?

Allowing direct root login:

  • Bypasses auditing: Commands run from a shared root login can't be traced back to individual users.
  • Exposes your system to attacks: "root" is a username every attacker already knows, so it is the first target of SSH password-guessing attacks.
  • Increases the risk of accidental damage: Root can execute destructive commands without restrictions.
  • Violates the principle of least privilege, where users should only have access to what they need.

⚠️ Before Disabling Root: Make Sure You Have a Sudo-Enabled User.

Before disabling root, make sure at least one user has sudo privileges:

$ sudo usermod -aG sudo your_username

This command adds your user (your_username) to the sudo group, granting administrative privileges. Without such a user, you risk locking yourself out of administrative access entirely.

After running this, log out and back in (or reboot) for the group change to take effect, then confirm with sudo -v (or any sudo command) from that account before you continue.

How to Disable Root Login Safely

Step 1: Lock the Root Password (Disable Local Login)

Run this command to lock root's password:

$ sudo passwd -l root

This prevents logging in as root with a password, whether at the console or with su. Note that it does not block an SSH login as root that uses an authorized key (Step 2 handles that), and that a locked root password also means the rescue/emergency shell (sulogin) will refuse to open without a boot-time override, so keep a sudo-capable user and a tested recovery path.

You should see something similar to this:

passwd: password changed.

That message might seem confusing, but it actually confirms that the root password has been locked: passwd -l prefixes the stored hash with "!", which no password can ever match. This means the root account can no longer be used to log in directly with a password, which is exactly the secure state you want.

To check root's status:

$ sudo passwd -S root

The second field of the output should be L, indicating the account is locked:

root L ****-**-** * ***** * -*

L means locked.

You can also use grep to inspect /etc/shadow directly:

$ sudo grep ^root: /etc/shadow

Output should look like:

root:!*:*****:*:*****:*:::

The "!*" in the second field means the root password is locked/disabled: "*" was the original placeholder (no password ever set, the Ubuntu default), and "!" is the lock that passwd -l added in front of it.

Step 2: Disable Root Login over SSH

Edit the SSH daemon config:

$ sudo nano /etc/ssh/sshd_config

Uncomment or add the following line (on current Ubuntu and Debian releases, files under /etc/ssh/sshd_config.d/ are included at the top of sshd_config and the first value of a keyword wins, so check that no drop-in file there sets PermitRootLogin differently):

PermitRootLogin no

Save and exit, then restart the SSH daemon:

$ sudo systemctl restart ssh

Verify the effective setting (sshd -T prints the configuration as the daemon actually resolves it, after all Include files are applied):

$ sudo sshd -T | grep permitrootlogin

Output should be:

permitrootlogin no

Optional: Restrict su Command

You can restrict who can use su to switch to the root user or other accounts by changing the binary's group and permissions:

$ sudo chmod 4750 /bin/su
$ sudo chgrp sudo /bin/su

These two commands keep su's setuid bit (the leading 4; su cannot switch users at all without it, so a plain mode of 750 would break it for everyone, sudo members included) while removing execute permission for anyone outside the owning group, so only users in the sudo group can run it. Everyone else gets a "Permission denied" error before even being prompted for a password. This hardens security by limiting root escalation to trusted users only. Be aware that a package upgrade of util-linux can reset the file's mode and group; on Debian and Ubuntu you can record the change with dpkg-statoverride so it survives upgrades.

Important notes about what disabling root login does and does not do:

  • It does NOT delete the root user account; system services and cron jobs that run as root are unaffected.
  • It does NOT disable root access via sudo.
  • Root access via sudo, including a full root shell with sudo -i, is still available to users who are allowed to use sudo.
  • This is a safe way to prevent direct root login while keeping the system manageable.
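As an added example (not part of the original post), here is a small bash audit script that verifies the three states this guide configures: the locked root password in /etc/shadow, the effective PermitRootLogin value from sshd -T, and the group and mode of su. It assumes Debian/Ubuntu conventions (the su binary at /bin/su, the administrative group named sudo, and the hardened mode 4750, which keeps su's setuid bit) and the live audit must run with root privileges.

```bash
#!/usr/bin/env bash
# check_root_login.sh (added example, not from the original post): audits the
# three hardening states from the guide. Each check takes its input as text so
# it can be exercised on constructed sample lines; run_audit feeds it live data.

# Check 1: root's /etc/shadow entry. Field 2 is the password hash; a leading
# "!" (set by passwd -l) or "*" (never set) means no password can match it.
shadow_root_locked() {
  local hash
  hash=$(printf '%s\n' "$1" | cut -d: -f2)
  case "$hash" in
    '!'* | '*'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Check 2: the effective sshd setting as printed by `sshd -T` (lowercase
# keywords), not the raw config file, so drop-ins in sshd_config.d/ count.
sshd_root_login_disabled() {
  printf '%s\n' "$1" | grep -qix 'permitrootlogin no'
}

# Check 3: mode and group of su as printed by `stat -c '%a %G' /bin/su`.
# 4750 keeps the setuid bit (su cannot switch users without it) and removes
# execute permission for everyone outside the owning group (assumed: sudo).
su_restricted() {
  local mode=${1%% *} group=${1##* }
  [ "$mode" = "4750" ] && [ "$group" = "sudo" ]
}

# Live audit (needs root): prints PASS/FAIL per check, returns 1 on any FAIL.
run_audit() {
  local rc=0
  report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; rc=1; fi; }
  report shadow_root_locked "$(grep '^root:' /etc/shadow)"
  report sshd_root_login_disabled "$(sshd -T 2>/dev/null)"
  report su_restricted "$(stat -c '%a %G' /bin/su)"
  return "$rc"
}

# Usage: sudo bash check_root_login.sh audit
if [ "${1:-}" = "audit" ]; then
  run_audit
fi
```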

Disabling root login strengthens your system's security by reducing attack vectors and encouraging accountability. With root login disabled, all administrative actions must go through sudo, which logs each command under the invoking user's name and limits access to trusted users. Always ensure you have working sudo access before disabling root.

We hope you found these insights useful!