disable root login on console
How to disable root login on console on Debian and CentOS 6? I have tried truncating /etc/securetty, but it will disable all the users. I want to disable only root login through console.
linux debian centos login
asked Mar 10 '17 at 12:31 by Sagar Shinde
Depends a bit on how you want to be able to login as root afterwards. Directly to the root account with SSH? Using a password or a key? Or do you just want to use su or sudo?
– ilkkachu
Mar 10 '17 at 12:46
Be careful - if all your non-root logins are not local to the machine (LDAP, for example), be sure that you still have some form of local login that would allow you to login to the machine no matter what. For example, if the only accounts you can log onto the machine directly are LDAP-based accounts and the machine's network card fails, you might be unable to login at all if you don't have a purely local login available.
– Andrew Henle
Mar 10 '17 at 12:52
3 Answers
This will disable the root account on Debian (not sure about CentOS):
sudo passwd -l root
answered Mar 10 '17 at 12:37 by assylias
might as well add this answer (the accepted one) from serverfault with setting /bin/false as shell for root (it's an OS agnostic solution). Not the part about ssh.
– hyph
Mar 10 '17 at 12:44
1) Activate the pam_access module on /etc/pam.d/login adding on the first 'account' line --> "account required pam_access.so"
2) Configure the access on /etc/security/access.conf :
3) +:root:cron crond [To avoid "pam_access(crond:account): access denied for user `root' from `cron'" and "crontab: pam_access(crond:account): access denied for user `root' from `cron'"]
-:root:LOCAL
answered Mar 15 '17 at 6:24 by Sagar Shinde
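Why the order of the two access.conf lines in the answer above matters, shown with a simplified model of pam_access's first-match rule selection. This is an added example, not the answerer's code or PAM's own: the function names token_matches and access_decision are hypothetical, the sample rules are constructed, and LOCAL is modelled as "origin contains no dot" (a tty or service name).

```shell
# Simplified model of pam_access rule selection (added example, not PAM code).
# Handles "perm:users:origins", comments, ALL, LOCAL, literal tokens only.

# Constructed sample rules, in the order the answer gives them.
RULES_ANSWER='# constructed sample access.conf
+:root:cron crond
-:root:LOCAL'

# The same two rules with the order swapped.
RULES_SWAPPED='-:root:LOCAL
+:root:cron crond'

# token_matches LIST VALUE KIND: succeeds if VALUE matches a token in LIST.
token_matches() {
    local list="$1" value="$2" kind="$3" tok
    for tok in $list; do
        case $tok in
            ALL) return 0 ;;
            LOCAL)
                # Assumption: a local origin is a tty or service name, i.e. no "."
                if [ "$kind" = origin ] && [ "${value#*.}" = "$value" ]; then
                    return 0
                fi ;;
            "$value") return 0 ;;
        esac
    done
    return 1
}

# access_decision RULES USER ORIGIN: prints "allow" or "deny".
access_decision() {
    local rules="$1" user="$2" origin="$3" perm users origins
    while IFS=: read -r perm users origins; do
        case $perm in ''|'#'*) continue ;; esac
        if token_matches "$users" "$user" user &&
           token_matches "$origins" "$origin" origin; then
            # The first matching line decides; later lines are not consulted.
            if [ "$perm" = "+" ]; then echo allow; else echo deny; fi
            return 0
        fi
    done <<EOF
$rules
EOF
    echo allow   # no line matched: access is granted
}

for origin in tty1 cron; do
    echo "root from $origin: $(access_decision "$RULES_ANSWER" root "$origin")"
done
```

With the lines swapped (RULES_SWAPPED), root's cron jobs hit the LOCAL deny first, which is the "access denied" message the answer's bracketed note refers to.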
You could also edit the /etc/passwd file. Change the /bin/bash at the end of the "root-line" to /bin/false or /usr/sbin/nologin.
answered Feb 5 at 14:39 by majesticLSD