Sep 27th, 2009
Methods of Disabling the Root Account.
Changing the root shell.
To prevent users from logging in directly as root, the system administrator can set the root account's shell to /sbin/nologin in the /etc/passwd file.
Edit the /etc/passwd file and change the shell from /bin/bash to /sbin/nologin.
The following programs, which require a shell, are prevented from accessing the root account:
· gdm
· kdm
· xdm
· su
· ssh
· scp
· sftp
Changing the shell does not affect programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs. The following programs are therefore not prevented from accessing the root account:
· FTP clients
· Email clients
Disabling root access via any console device (tty).
An empty /etc/securetty file prevents root login on any console device attached to the computer.
Disabling root SSH Login.
Edit the /etc/ssh/sshd_config file, and set the PermitRootLogin parameter to no.
Use PAM to limit root access to services.
Edit the file for the target service in the /etc/pam.d/ directory. Make sure the pam_listfile.so module is required for authentication.
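The four settings above are easy to verify from a script. The following POSIX shell audit is an added example, not part of the original note: it writes constructed sample copies of /etc/passwd, /etc/securetty, /etc/ssh/sshd_config and a /etc/pam.d/ service file (a hypothetical vsftpd entry) to a temporary directory and checks each against the method it implements. The function names and the temporary file layout are this example's own; to audit a real host, pass the real paths to the same functions.

```shell
#!/bin/sh
# Added audit example, not part of the original note: checks the four
# root-lockdown settings described above. All files below are constructed
# samples written to a temp dir; pass the real paths (/etc/passwd,
# /etc/securetty, /etc/ssh/sshd_config, /etc/pam.d/<service>) to audit a host.

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# --- constructed sample files (hardened configuration) ---
cat > "$tmpdir/passwd" <<'EOF'
root:x:0:0:root:/root:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
: > "$tmpdir/securetty"                   # empty: no tty may log in as root
cat > "$tmpdir/sshd_config" <<'EOF'
# PermitRootLogin yes     <- commented out, must be ignored
Port 22
PermitRootLogin no
EOF
cat > "$tmpdir/pam_vsftpd" <<'EOF'
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_unix.so
EOF

# --- constructed sample files (weak configuration, for contrast) ---
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmpdir/passwd_weak"
printf 'tty1\nttyS0\n' > "$tmpdir/securetty_weak"
printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$tmpdir/sshd_config_weak"
printf 'auth required pam_unix.so\n' > "$tmpdir/pam_weak"

# Method 1: root's login shell must be /sbin/nologin (field 7 of the root entry)
root_shell_disabled() {   # $1 = passwd file
    awk -F: '$1 == "root" && $7 == "/sbin/nologin" { ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# Method 2: /etc/securetty must exist and be empty, so no console device is trusted
console_root_disabled() { # $1 = securetty file
    [ -f "$1" ] && [ ! -s "$1" ]
}

# Method 3: sshd honours the FIRST uncommented PermitRootLogin keyword, so a later
# "no" does not override an earlier "yes"; an absent keyword is reported as not disabled.
ssh_root_disabled() {     # $1 = sshd_config file
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# Method 4: the service's PAM file must carry a "required" pam_listfile.so auth line
pam_listfile_required() { # $1 = /etc/pam.d/<service> file
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_listfile\.so' "$1"
}

# Run all four checks, print one line per method and return the number of failures.
audit_root_access() {     # $1 passwd  $2 securetty  $3 sshd_config  $4 pam service file
    fails=0
    check() {  # $1 = description, rest = command and its arguments
        desc=$1; shift
        if "$@"; then echo "PASS $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
    }
    check "root shell is /sbin/nologin"            root_shell_disabled   "$1"
    check "/etc/securetty is empty"                console_root_disabled "$2"
    check "sshd PermitRootLogin is no"             ssh_root_disabled     "$3"
    check "PAM service requires pam_listfile.so"   pam_listfile_required "$4"
    return "$fails"
}

audit_root_access "$tmpdir/passwd" "$tmpdir/securetty" "$tmpdir/sshd_config" "$tmpdir/pam_vsftpd"
```

The sshd check deliberately reads only the first uncommented PermitRootLogin line, because that is the one sshd applies; the weak sample shows how a stray earlier "yes" silently defeats a "no" added at the bottom of the file. The securetty check requires the file to exist and be empty, matching the method as stated above, rather than treating a missing file as equivalent.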