Disabling the root account

It’s true that we just went through setting an insanely strong password for root, but now that we have our non-root account added to the sudo group, we don’t need the liability of leaving the root account around and active – we shouldn’t be logging in as it and we won’t be using it, so let’s disable it.

Tip: At first blush it might seem odd to disable the root account; after all, it’s root! The motivation here is all about reducing the attack surface – removing a well-known, highly privileged account name that every attacker will try first.

You may be tempted to use the passwd -l root command here to lock the account. This works by prefixing root’s password hash in /etc/shadow with a “!”, so that no password can ever match it (effectively breaking password login for the root account, and nothing else).

However, a locked password only blocks password authentication. If the root account has already been compromised by an attacker adding their own SSH public key to root’s authorized_keys, that attacker will still be able to log in as root, because public-key authentication never consults the password hash.

The ideal way to disable the root account is to use the following command:

sudo usermod --expiredate 1 root

This will set the root account’s expiry date to Jan 2, 1970 (day 1 counted from the Unix epoch). An expired account is rejected by the account check that every login path runs, so root cannot log in in any capacity – not via su, not at the console, and not over SSH with either a password or a key. For example, su will fail even with the correct password:

$ su -
Password: 
Your account has expired; please contact your system administrator
su: Authentication failure
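To make the difference between the two approaches concrete, here is an added example (not part of the original article) that inspects /etc/shadow-style lines and reports which login paths remain open. The three lines are constructed placeholders, not real shadow entries or real hashes: the first is an untouched root account, the second is what passwd -l root produces (a “!” in front of the hash), and the third is what usermod --expiredate 1 root produces (a 1 in the eighth field). Running usermod --expiredate "" root simply empties that eighth field again, returning the line to the first form. On a real host you would look at the same information with sudo chage -l root (the “Account expires” line) or sudo getent shadow root rather than pasting lines into a script.

```shell
#!/bin/sh
# Constructed /etc/shadow lines for illustration only; "$6$placeholder" is not
# a real hash. Field layout: 1 name, 2 hash, 3 last change, 4 min, 5 max,
# 6 warn, 7 inactive, 8 expiry (days since 1970-01-01), 9 reserved.
SHADOW_ACTIVE='root:$6$placeholder:19000:0:99999:7:::'
SHADOW_LOCKED='root:!$6$placeholder:19000:0:99999:7:::'    # after: passwd -l root
SHADOW_EXPIRED='root:$6$placeholder:19000:0:99999:7::1:'   # after: usermod --expiredate 1 root

# "yes" if the password field is locked (starts with "!" or "*").
# This is all passwd -l does; SSH public-key login does not look at this field.
password_locked() {
    hash=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$hash" in
        '!'*|'*'*) echo yes ;;
        *)         echo no ;;
    esac
}

# "yes" if the expiry field is set and lies in the past. This is what
# usermod --expiredate 1 sets, and the account check enforces it for every
# login path, including su and key-based SSH.
account_expired() {
    expire=$(printf '%s\n' "$1" | cut -d: -f8)
    today=$(( $(date -u +%s) / 86400 ))
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo yes
    else
        echo no
    fi
}

# Overall verdict for the account:
#   open                  - password and key logins both work
#   password-only-locked  - passwd -l was used; an attacker's SSH key still works
#   closed                - expiry set; no login path remains
root_login_state() {
    if [ "$(account_expired "$1")" = yes ]; then
        echo closed
    elif [ "$(password_locked "$1")" = yes ]; then
        echo password-only-locked
    else
        echo open
    fi
}

for line in "$SHADOW_ACTIVE" "$SHADOW_LOCKED" "$SHADOW_EXPIRED"; do
    printf '%-58s -> %s\n' "$line" "$(root_login_state "$line")"
done
```

The verdict logic mirrors the argument above: only the expired line comes back as closed, while the passwd -l line is reported as password-only-locked because a planted key would still get in.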

Re-enabling the root account

If you need to re-enable the root account for some reason, run the following command:

sudo usermod --expiredate "" root

After you are done performing the task at hand, don’t forget to disable it again before logging out of the server. Then, while you still have a session, confirm two things: sudo chage -l root should show “Account expires : Jan 02, 1970”, and sudo -i should still drop you into a root shell (sudo checks your own account, not root’s, so expiring root does not lock you out of administration).

It’s all about good security hygiene to keep your servers safe!