Disable Root Account

From Exterior Memory

You hardly (if ever) need the root password if you log in with a normal account and use sudo to elevate your permissions. Hence, it is a good measure to prevent anyone from logging in as root directly.

A few solutions exist to lock down the root account.

Disable Remote Access

In /etc/ssh/sshd_config, set PermitRootLogin to no:

PermitRootLogin no

Disable Password

Notes:

  • Even if the password is disabled, users can still gain access to the account with other authentication methods, such as a public key. To disable all account logins, set the expiration date instead.

To lock the root password:

sudo passwd -l root     # on Linux

or

sudo usermod -L root

or

sudo pw lock root       # on FreeBSD

To unlock the root password:

sudo passwd -u root     # on Linux

or

sudo pw unlock root       # on FreeBSD

You can check if an account is locked by examining the /etc/shadow password file. If it is locked, the password field starts with an exclamation mark (on FreeBSD, the marker in /etc/master.passwd is *LOCKED*):

# grep root /etc/shadow         # on Linux
root:!$1$DU4xW/VH$EnmLXpf3vNW3zfvcCNZRb0:14358:0:99999:7::0:
# grep root /etc/master.passwd       # on FreeBSD
root:*LOCKED*$1$DU4xW/VH$EnmLXpf3vNW3zfvcCNZRb0:0:0::0:0:Charlie &:/root:/bin/csh

Set account expiration date

Notes:

  • Setting the expiration date to 0 prevents cron jobs that run as root from running.

Disable account login by setting the expiration date to 0:

chage -E 0 root

To enable the root account, set it back to -1:

chage -E -1 root

To display the account expiration date, use the -l option:

chage -l root
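The lock check and the expiry check above can be done with a small script instead of by eye. The following is an added example, not from the original page: it parses the second field (password hash) and, for Linux, the eighth field (expiry day) of a shadow-style entry. The sample lines are constructed for the example, reusing the hash string shown on this page; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): report the lock and expiry
# state of an account from its /etc/shadow (Linux) or /etc/master.passwd
# (FreeBSD) entry, the same check the page does by hand with grep.
#
# /etc/shadow fields:     name:hash:lastchg:min:max:warn:inactive:expire:flag
# FreeBSD master.passwd:  name:hash:uid:gid:class:change:expire:gecos:home:shell

# Print "locked" if the password field carries a lock marker, else "unlocked".
# passwd -l / usermod -L prefix the hash with "!"; pw lock prefixes "*LOCKED*".
lock_state() {
    hash=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$hash" in
        '!'*|'*LOCKED*'*) echo locked ;;
        *)                echo unlocked ;;
    esac
}

# Linux only. Print "never" when the expiry field is empty (chage -E -1),
# "expired" when it is 0 or any day number not after today (chage -E 0),
# otherwise the raw day count since 1970-01-01.
expiry_state() {
    expire=$(printf '%s\n' "$1" | cut -d: -f8)
    today=$(( $(date +%s) / 86400 ))
    if [ -z "$expire" ] || [ "$expire" -lt 0 ]; then
        echo never
    elif [ "$expire" -le "$today" ]; then
        echo expired
    else
        echo "$expire"
    fi
}

# One-line summary for a Linux shadow entry.
shadow_summary() {
    name=$(printf '%s\n' "$1" | cut -d: -f1)
    echo "$name: $(lock_state "$1"), expiry $(expiry_state "$1")"
}

# Constructed sample lines (the hash is the placeholder shown on this page).
SAMPLE_LOCKED_EXPIRED='root:!$1$DU4xW/VH$EnmLXpf3vNW3zfvcCNZRb0:14358:0:99999:7::0:'
SAMPLE_OPEN='root:$1$DU4xW/VH$EnmLXpf3vNW3zfvcCNZRb0:14358:0:99999:7:::'
SAMPLE_FREEBSD='root:*LOCKED*$1$DU4xW/VH$EnmLXpf3vNW3zfvcCNZRb0:0:0::0:0:Charlie &:/root:/bin/csh'

shadow_summary "$SAMPLE_LOCKED_EXPIRED"   # root: locked, expiry expired
shadow_summary "$SAMPLE_OPEN"             # root: unlocked, expiry never
lock_state "$SAMPLE_FREEBSD"              # locked

# On a live Linux system (reading /etc/shadow needs root):
#   grep '^root:' /etc/shadow | while IFS= read -r l; do shadow_summary "$l"; done
```

Note that a locked password and an expired account are independent: the first sample is both, which is the state the page's lock plus chage -E 0 procedure leaves root in, while an entry with an unlocked hash and an empty expiry field still allows every login method.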

Use PAM

I'm certain that a more advanced method exists to lock down the root account by using the Pluggable Authentication Modules (PAM), but I'm unfortunately not a PAM expert.

Rename User (Not recommended)

It is possible to remove the "root" user, and create a super user with a different name (e.g. a user 'radicle' with uid=0 and gid=0).

Notes:

  • I do not consider this secure, as it is mostly security through obscurity.
  • It is inconvenient: some scripts have a habit of sending errors to root (so you need either a mail alias or to change these scripts), and some cron jobs and startup scripts are specified to run as user 'root' (you need to adjust these).

Disable Shell login (Not recommended)

Another solution is to set the login shell of root to /bin/false instead of /bin/sh or /bin/bash.

Notes:

  • This is not secure. An attacker can still connect via ssh to initiate a tunnel (with ssh -L) and use it as a means to bypass your firewall.
  • It is inconvenient: this method prevents single-user login, although it can easily be overridden by setting the shell with a boot parameter, e.g. kernel /boot/vmlinuz-2.6 root=/dev/sda1 rw single shell=/bin/bash, or even kernel /boot/vmlinuz-2.6 root=/dev/sda1 rw init=/bin/bash.

Problems

Debian and Ubuntu contain a bug where the chfn (and adduser?) tools print an error when creating a new user while the root password is locked or expired. The typical error message looks like this:

# apt-get install amavisd-new
...
Creating/updating amavis user account...
Your account has expired; please contact your system administrator
chfn: PAM authentication failed
adduser: `/usr/bin/chfn -f AMaViS system user amavis' returned error code 1. Exiting.

In reality, the new account is created just fine. However, if the account was created as part of an installation procedure, the installation may have been aborted. I recommend temporarily removing the expiration lock and trying again.

In this case:

apt-get remove --purge amavisd-new
chage -E -1 root
apt-get install amavisd-new
chage -E 0 root
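The four-step workaround above is easy to get wrong if the install fails halfway and the final chage -E 0 is forgotten. The following wrapper is an added example, not from the original page: it runs one command between chage -E -1 root and chage -E 0 root and re-locks root whether or not the command succeeds, including on Ctrl-C. The CHAGE variable and the function name are my own additions; CHAGE exists only so the wrapper can be dry-run with a stand-in instead of the real chage.

```shell
#!/bin/sh
# Added example (not from the original page): run a single command with the
# root expiry temporarily cleared, then restore chage -E 0 afterwards.
# CHAGE is a hypothetical override so the wrapper can be exercised without
# touching the real account database; on a real system leave it unset.
CHAGE=${CHAGE:-chage}

# with_root_unexpired CMD [ARGS...]
# Returns CMD's exit status. The re-lock runs on success, on failure, and on
# SIGINT/SIGTERM, so the account is never left open by accident.
with_root_unexpired() {
    "$CHAGE" -E -1 root || return 1
    trap '"$CHAGE" -E 0 root; exit 130' INT TERM
    "$@"
    rc=$?
    trap - INT TERM
    "$CHAGE" -E 0 root
    return $rc
}

# Usage on the page's example (needs root):
#   sh with_root_unexpired.sh apt-get install amavisd-new
if [ $# -gt 0 ]; then
    with_root_unexpired "$@"
fi
```

After the wrapper returns, chage -l root should again show an account expiration date of Jan 01, 1970. The wrapper does not help for commands that are themselves killed with SIGKILL, so check the expiry afterwards in that case.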