# [SOLVED] Disabling Root Login

## t0nedef

I have my box set up with sudo for escalating permissions to users that I deem qualified. I would like to know how to disable the root login remotely or locally. Basically, I want to make it so that root cannot log in at all and root permissions are only accessible from the sudo command.

Last edited by t0nedef on Tue Nov 20, 2007 12:19 am; edited 1 time in total

----------

## trailnut

To disable root ssh login add to /etc/ssh/sshd_config:

```
PermitRootLogin no
```

----------

## t0nedef

Thank you for your quick response, it is very helpful, but what about local root logins? I don't want those either.

----------

## Extintor

You could change the password for root in /etc/shadow to * (which won't match anything).

But then have someone with the rights to run passwd for root or the like.

----------

## trailnut

The /etc/securetty file lists consoles that root is able to log in from. If you comment out all of the lines in that file it should prevent root from logging in locally. Don't remove the file though, I believe a missing file is different than an empty file and will allow root to connect to any console. I've also heard of setting the login shell to /sbin/nologin to prevent any root shells, but I've never messed with that.

----------

## HymnToLife

```
sudo passwd -l root
```

From man passwd:

```
       -l, --lock
           Lock the named account. This option disables an account by changing
           the password to a value which matches no possible encrypted value.
```

Basically Extintor's solution, just simpler and more elegant ;)

----------

## t0nedef

Thank you all very much! That should do it.

----------

## Stever

Make sure to disable all other boot devices in the BIOS, and set a BIOS password, and lock up the chassis. Otherwise you are just a live CD away from root if you have physical access to the machine.

----------
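One way to audit the three settings suggested in this thread (sshd_config, securetty, and the locked root password), as an added example that is not from any of the posters. The function names and sample file contents are assumptions, and the sshd check ignores `Include` files and `Match` blocks.

```shell
#!/bin/sh
# Added example: audit the three settings from this thread. Paths are passed as
# arguments so the checks can run on copies; all sample data below is constructed.

# 0 if the first effective PermitRootLogin (before any Match block) is "no".
sshd_root_login_disabled() {
    val=$(awk '/^[ \t]*#/ { next }
               tolower($1) == "match" { exit }
               tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# 0 if securetty exists and lists no terminals. A missing file fails the check,
# following the thread's point that missing and empty are not equivalent.
securetty_blocks_root() {
    [ -f "$1" ] || return 1
    ! grep -Eqv '^[[:space:]]*(#|$)' "$1"
}

# 0 if root's password field starts with "!" (passwd -l) or "*" (manual edit).
# An empty field means no password at all, so it fails the check.
root_password_locked() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

report() {  # report LABEL COMMAND ARGS...
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

# Constructed sample files standing in for /etc/ssh/sshd_config, /etc/securetty
# and /etc/shadow (the hash is a placeholder, not a real one).
demo=$(mktemp -d)
printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$demo/sshd_config"
printf '# tty1\n# tty2\n\n' > "$demo/securetty"
printf 'root:!$6$CONSTRUCTED$placeholder:13837:0:::::\n' > "$demo/shadow"

report "sshd: PermitRootLogin no"     sshd_root_login_disabled "$demo/sshd_config"
report "securetty: no terminals"      securetty_blocks_root    "$demo/securetty"
report "shadow: root password locked" root_password_locked     "$demo/shadow"
rm -rf "$demo"
```

The checks are kept separate because a locked password only blocks password authentication; root may still be able to log in with another credential such as an SSH key, which is what the `PermitRootLogin no` check covers.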

