There are two ways to disable direct root login on the system:
1) By configuring PAM and/or sshd (SSH Daemon) to disallow root login.

- This way, users log in as non-root and must use the “su” command to become root.
- The pam_securetty module, placed in the PAM auth stack, restricts root login to the terminals listed in /etc/securetty.
Steps to disable root login with PAM:
- Open a tty session and log in as root, so that we still have root access in case something goes wrong.
- Open a second tty session and log in as root to edit the config files.
- As we said, creating an empty /etc/securetty file will disable root login anywhere in the system.
Check that the auth stack with the pam_securetty module is present in /etc/pam.d/login.
Login as root now fails. However, to bypass this we can log in as a regular user and escalate to root from there, if we know the password of course.
Steps to disable root login at ssh:
Edit /etc/ssh/sshd_config: uncomment the line #PermitRootLogin yes and change it to PermitRootLogin no
After saving the file, restart the service with # systemctl restart sshd
Now SSH login as root won't work. However, we can still log in as a regular user and escalate privileges to root afterwards.
2) Lock the root password completely.
- This way, no one can log in as root or use “su” to become root.
- Administrators often tighten the restrictions on the “su” command by giving permission to use it only to a certain group, called wheel.
- Instead, we use sudo to allow controlled privilege escalation (Ubuntu works this way).
Steps to restrict use of su command
# ls -l /bin/su - Checking privileges for su command
# chgrp wheel /bin/su - Changing group for su command to “wheel”
# ls -l /bin/su - Checking the new privileges for su command. We lost our setuid.
# chmod u+s,o-rx /bin/su - Adding setuid and removing read and execute for others
# ls -l /bin/su - Checking to see if we correctly edited privileges
NOTE: # chmod 4750 /bin/su - Sets the same mode in one command, replacing the chmod above (the chgrp is still required)
We have now edited /bin/su so that only members of the wheel group can use it.
Adding users to wheel group:
# id chris - Checking which groups the user belongs to
# nano /etc/group - Add the chris user at the end of the wheel group line
Now only the chris user can use the su command. All other users who do not belong to the wheel group cannot use su.
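
A read-only audit of the settings configured above, as an added example that is not part of the original page. The function names are illustrative, and GNU stat (Linux coreutils) is assumed.

```shell
#!/bin/sh
# Added example: read-only checks for the three settings described above.
# Paths are passed as arguments so the checks also work on copies of the files.

# The first uncommented PermitRootLogin line wins; prints "unset" if there is none.
# Include files and Match blocks are not evaluated here (sshd -T does that).
sshd_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); f = 1; exit }
         END { if (!f) print "unset" }' "$1"
}

# Succeeds if an uncommented auth line in the PAM file loads pam_securetty.
pam_securetty_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_securetty\.so' "$1"
}

# Number of terminals listed in a securetty file (comments and blanks skipped).
securetty_entries() {
    awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# Succeeds if the file is mode 4750 and belongs to the given group.
su_restricted() {
    [ "$(stat -c '%a %G' "$1")" = "4750 $2" ]
}

audit() {
    echo "PermitRootLogin: $(sshd_root_login /etc/ssh/sshd_config)"
    pam_securetty_active /etc/pam.d/login && echo "pam_securetty: active" \
        || echo "pam_securetty: not in auth stack"
    [ -e /etc/securetty ] \
        && echo "securetty entries: $(securetty_entries /etc/securetty)" \
        || echo "securetty: file absent"
    su_restricted /bin/su wheel && echo "su: mode 4750, group wheel" \
        || echo "su: not restricted to wheel"
}

# Run against the live system only when asked to: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit; fi
```

A result of "unset" for PermitRootLogin means the sshd built-in default applies, so the line should be set explicitly.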