Disable root login, but still be able to sudo -s after logged with another user (ssh)
How can I disable the root login in ssh? I don't want to be able to log in with the root in ssh, I want to be able to log in with a specific user in ssh, and then to be able to sudo -s root and become root.
In Ubuntu, the default is like this. My question is, how do I do this on a CentOS 5 machine? Or any other generic Linux server.
Edit /etc/ssh/sshd_config and set PermitRootLogin to no, and restart sshd.
Just like that? As simple as that? That's all I have to do?
I've been looking in sshd_config, and saw the PermitRootLogin = yes, but I was thinking that I will not be able to log in then with root, after I log with a linux user.
One last thing (I hope): after I set PermitRootLogin = no, for example, for user abc, do I need to write in sudoers, or in sshd, the user that has the right to switch into the root account (sudo -s)?
That config file is for SSH. sudo is NOT ssh, once you're logged in to the remote system, ssh is utterly irrelevant to what you do and has no idea at all how sudo is configured.
I have many different servers. One with Ubuntu 32b 9.04 one with CentOS 4 64b, one with CentOS 5, one with RH 3.0 AS, etc.
For example, on the Ubuntu 32bit V9.04 in sshd_config PermitRootLogin = yes but I still can't connect with the root through ssh. I need to connect with my user, and then I can su root. This Ubuntu has GUI.
That's why I'm asking if there isn't a config file, or something, where I can restrict the login with the root user.
I think when I installed Ubuntu, it prompted me to make a default user (not root), and I'm not sure, but... I think I have completed some steps, in which I configured the login for root user. I don't know, I'm not quite sure what I did, 2 years ago.
Ubuntu does not let people log in as root by default. When I say that I mean that SSH may be configured to allow it, but by default you still can't do it. If you set root's password yourself (with passwd, see man passwd) you would be able to log in to that Ubuntu box as root, but logging in as a general user and using sudo is preferred.
The change to sshd_config will stop anyone from being able to log in remotely as the root user, but root may still be able to log on locally, except in Ubuntu and a few other distros that "disable" the root user completely, not just via SSH.
As above, Ubuntu is non-std in the way it handles root user.
On a std system, in Unix+Linux, acid_kewpie's answers are correct.
Ubuntu actually disables the root user locally, so the setting in sshd is ignored. Ubuntu makes the first created normal user able to run anything as root by prefixing the cmd with 'sudo'. This is not what sudo was created for.
Tyvm Chrism01, you helped me a lot of times.
So like... in general, the other Linux distributions except Ubuntu and a few others can't and will not have this option to disable the root user, except that I can configure that in sshd and that's it? Any other restriction file that I can edit to make the root login disabled doesn't exist in these Linux distributions?
I just checked in my Ubuntu Linux box, I could log in with the root after I passwd from root, but I set PermitRootLogin = no :P after all.
LE: idk why it didn't work in the first place, I did passwd from root, set the root password, and then restarted ssh (or no, hmmm idk...) and still couldn't log in with the root user. Now after I did passwd from root user, restarted ssh, I could log in with the root user, but like I said, I have disabled the PermitRootLogin from the ssh.
Well, you can easily make root behave in the Ubuntu style on other systems, just give the root account a random password and forget it. Their sudo implementation is not "interesting", they just advocate its use a lot more than other systems by default. On Ubuntu you *can* set a root passwd if you like and start using that account directly, but it's just not advised.
I don't think I got the point, I don't understand English very well, and I don't understand what you meant by give the root account a random password and forget it.
But, I'll leave it that way, I solved the "problem" I had, so... thanks anyway.
Are you serious? I need the root password to become root!
Or, wait a minute... in fact, I can set my username in sudoers, with root privileges, and then reset the password for root with that command.
Is that what you are trying to say?
And with that command, passwd -l root, why do you say 100% less chance of a brute-force guessing it? What is that command doing, why is that command so special in that you can't recover the root password? Can you be more specific? In my opinion, I'd rather set a strong password, 20 characters, with case sensitive and upper case and lower case, and *#$^*#$ and I bet it's stronger than passwd -l root. Or maybe I'm wrong. Once again, why is that command so special? Can you please tell me? I've searched the internet, and couldn't find anything about that command.
Yes, that's the logic, you never go in directly as root, which is not very auditable, only become root through another much more trackable human specific account. Well, the -l option "disables" the account by making the password reversibly illegal, AFAIR by putting a ! in the string, which means it will never be able to be matched.
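Added example, not written by anyone in this thread: a small shell check for the two settings the discussion ends on, the PermitRootLogin value in sshd_config and the "!" that passwd -l puts in root's shadow entry. The function names are hypothetical and both input files are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Global PermitRootLogin value from an sshd_config-style file. sshd keeps the
# first value it obtains for a keyword; "Match" sections are conditional and
# are not evaluated here. "unset" means the version-dependent default applies.
permit_root_login() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
        tolower($1) == "match" { exit }
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)   # tolerate "Keyword = value"
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && tolower(f[1]) == "permitrootlogin") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# State of root's password field in a shadow-format file. "passwd -l" puts
# "!" in front of the stored hash, so no typed password can ever match it.
# A locked password does not stop other login methods such as SSH keys.
root_password_state() {
    awk -F: '
        $1 == "root" {
            if ($2 == "") print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else print "set"
            found = 1; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample files (not taken from any real host).
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
Port 22
PermitRootLogin = no
PermitRootLogin yes
EOF
cat > "$tmp/shadow" <<'EOF'
root:!$6$constructedsalt$constructedhash:14000:0:99999:7:::
abc:$6$constructedsalt$constructedhash:14000:0:99999:7:::
EOF
echo "PermitRootLogin: $(permit_root_login "$tmp/sshd_config")"
echo "root password:   $(root_password_state "$tmp/shadow")"
```

On a live host, sshd -T (run as root) prints the effective configuration including the built-in default, which is the authoritative answer when the keyword is unset or Match blocks are in use.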