Skip to main content

Disable root login

The root user should not be used on a production server. It's required for initial setup but should be disabled after that.

However, before we can disable root login, we need to make sure an alternate user account exists and is in the sudo group.

Creating a new user

To create a new user, and home directory, do the following:

useradd -m -g sudo -s /bin/bash pocket && passwd pocket

This will create a new user pocket and set the default shell to bin/bash. A home directory will also be created.

tip

If you want to specify the location of the home directory, you can use the -d option followed by the path to the home directory.

Making sure sudo is installed

Before disabling root login, we need to make sure sudo is installed. To do this, run the following command:

which sudo

This will return the path to the sudo command. If it returns /usr/bin/sudo, then sudo is installed.

If sudo is not installed, you can install it with the following command:

apt install sudo

If you have to install sudo, you'll also need to add your user to the sudo group. To do this, run the following command:

usermod -aG sudo pocket

The previous command will add the pocket user to the sudo group.

To verify that the pocket user is in the sudo group, run the following command:

groups pocket

This will return the group membership for the pocket user.

Confirming a user is in the sudo group

The last thing you'll want to do before disabling root login is to make sure sudo works for your user. To do this, run the following command to switch to the pocket user:

su - pocket

Then run the following command to verify that sudo works for the pocket user:

sudo apt update

This is a command that requires root privileges. If you get an error, your user does not have root privileges.

Last updated on by Steve Tingiris