It’s true that we just went through setting an insanely strong password for root, but now that we have our non-root account added to the sudo group, we don’t need the liability of leaving the root account around AND active – we shouldn’t be logging in as it and we won’t be using it, so let’s disable it.
Tip: At first blush it might seem odd to disable the root account; after all, it’s root! The motivation here is all about reducing the “attack surface area” – removing potential options for attackers to use.
You may be tempted to use the passwd -l root command here to lock the account – this works by changing the password to an impossible value (effectively breaking password login for the
However, if the root account has already been compromised by a foreign public/private key pair having been assigned to it, that attacker will still be able to log in as root (since they aren’t using passwords).
The ideal way to disable the root account is to use the following command:
sudo usermod --expiredate 1 root
This will set the root account’s expiry date to Jan 2, 1970. If root attempts to log in in any capacity, they will see the following error:
$ su -
Password:
Your account has expired; please contact your system administrator
su: Authentication failure
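To verify which of the two states root is actually in (expired, or merely password-locked the way passwd -l leaves it), here is an added audit helper that is not part of the original article. It assumes the standard shadow(5) field layout and uses constructed entries with fake hashes as sample input.

```shell
#!/bin/sh
# Added audit helper (not from the original article): classify a root entry in
# /etc/shadow format. Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# "usermod --expiredate 1 root" sets field 8 to 1 (Jan 2, 1970);
# "passwd -l root" only prefixes the hash in field 2 with "!".

# Days since the epoch for today, the value the expire field is compared against.
days_since_epoch() {
    echo $(( $(date +%s) / 86400 ))
}

# Success (0) if the entry's expiry day (field 8) is set and not in the future of day $2.
shadow_is_expired() {
    expire=$(printf '%s\n' "$1" | cut -d: -f8)
    if [ -n "$expire" ] && [ "$expire" -le "$2" ]; then return 0; fi
    return 1
}

# Success (0) if the password hash (field 2) carries a lock prefix.
shadow_is_locked() {
    case $(printf '%s\n' "$1" | cut -d: -f2) in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Classify one shadow entry as of day $2: "expired" (no login path works),
# "locked-only" (password login blocked, key-based login still works) or "active".
root_state() {
    if shadow_is_expired "$1" "$2"; then
        echo expired
    elif shadow_is_locked "$1"; then
        echo locked-only
    else
        echo active
    fi
}

# Constructed sample entries (fake hashes), evaluated with day 20000 as "today".
EXPIRED_ROOT='root:$6$fakesalt$fakehash:19000:0:99999:7::1:'
LOCKED_ROOT='root:!$6$fakesalt$fakehash:19000:0:99999:7:::'
ACTIVE_ROOT='root:$6$fakesalt$fakehash:19000:0:99999:7:::'
for entry in "$EXPIRED_ROOT" "$LOCKED_ROOT" "$ACTIVE_ROOT"; do
    printf '%s -> %s\n' "$(printf '%s' "$entry" | cut -d: -f1-2)" "$(root_state "$entry" 20000)"
done
```

On a live host, feed the real entry with `root_state "$(sudo grep '^root:' /etc/shadow)" "$(days_since_epoch)"`; anything other than "expired" means key-based logins to root would still be accepted.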
Re-enabling the root account
If you need to re-enable the root account for some reason, run the following command:
sudo usermod --expiredate "" root
After you are done performing the task at hand, don’t forget to disable it again before logging out of the server.
It’s all about good security hygiene to keep your servers safe!