On Linux, the root account is probably one of the most powerful accounts that there is.

Considered the most privileged account on a Unix system, root can perform any tasks needed for system administration.

Navigating a specific folder, killing any process or deleting a directory, root is so powerful that it has to be managed properly.

In this tutorial, you will learn about the different facets of the root account on Ubuntu 20.04.

You will learn to lock and unlock it, to change its password as well as disabling it when trying to remotely access your machine.

Finally, you will know the difference between the root account and the sudo command that is used quite often.

Prerequisites

For most of the commands used in this tutorial, you will need sudo privileges.

How To Manage Root Account on Ubuntu 20.04 groups

If the sudo group is part of your current groups, it means that you should be able to execute the commands listed below.

If not, make sure to check our guide on how to get sudo rights on Ubuntu 20.04.

Check Lock Status of Root Account

Given your distribution, the root account may or may not be locked by default.

By default, when installing Ubuntu 20.04, you created a user account that got the sudo privileges.

As you can see, by default, the “devconnected” user is in the “sudo” group, which allows it to have temporary root rights if needed.

But what about the actual root account?

To know if your root account is locked or not, you can either check the “/etc/shadow” file or use the passwd command with the “-S” option.

Inspecting the shadow file

On Linux, the shadow file is a very sensitive file : it contains the encrypted passwords for all the users available on your machine.

As a consequence, its content should never be seen or modified by a regular user.

In our case, we are only going to pay attention to the information related to the root account.

In order to know if the root account is locked or not, look for an exclamation mark in the field that should contain the encrypted password. If there is one, that means that the account is locked.

$ sudo getent shadow root

$ sudo cat /etc/shadow | grep root

Inspecting the shadow file root-locked

If you are curious, this point is actually specified in the documentation when reading the page dedicated to “shadow“.

$ man shadow

Inspecting the shadow file encrypted-password

Using the passwd command

Usually, the passwd command is used in order to change a user’s password on Linux.

However, the “-S” option can be used in order to display the account “status” information.

$ sudo passwd -S root

Using the passwd command passwd-command

When using the “-S” option, you want to pay attention to the second column : it actually displays the status of the account (L for “locked” and P for “usable password“).

In this case, the root account is locked while the regular user account has a password.

Locking & Unlocking Root Account

By default, it is recommended to lock the root account and to use dedicated privileged accounts in order to perform critical operations.

In order to lock the root account, you have to use the “usermod” command with the “-L” option for “lock” and specify the root account.

$ sudo usermod -L root

Make sure to verify that the account is correctly locked by using one of the commands we described in the previous section.

Locking & Unlocking Root Account lock-root-account

In order to unlock the root account, you have to use the “usermod” command with the “-U” and specify the root account.

$ sudo usermod -U root

Changing the root password

In order to change the root password, you have to use the “passwd” and specify the root account.

$ sudo passwd root

Changing the root password changing-root-password

After changing your password, the account will be automatically unlocked.

In order to switch to the root account, you can use the well-known “su” command without any arguments (the default account is root).

$ su -

Changing the root password connect-to-root

Disabling Root Login over SSH

In some cases, you want to keep the local root account accessible for administration but disabled for remote access.

If you are accessing your machine over SSH, you should disable root login whenever your server is active.

By default, on recent distributions, root login is set to “prohibit-password”, which means that you can still connect to it using SSH key authentication.

In order to disable it completely, head over to your “/etc/ssh/sshd_config” file and identify the line with “PermitRootLogin”.

#PermitRootLogin

PermitRootLogin no

Disabling Root Login over SSH ssh-root-login

Of course, make sure to restart your SSH server for the modifications to be taken into account.

$ sudo systemctl restart sshd

Conclusion

In this tutorial, you learnt how you can manage the root account on Linux easily.

You learnt that there are many different ways of checking for the lock status of the root account, using the shadow file or the passwd command for example.

If you are interested in Linux System Administration, we have a complete section dedicated to it on the website, so make sure to check it out!

Leave a Reply

Your email address will not be published.