On Linux, the root account is probably one of the most powerful accounts there is.
As the most privileged account on a Unix system, root can perform any task needed for system administration.
Whether it is navigating to a specific folder, killing any process or deleting a directory, root can do it, which is why the account has to be managed properly.
In this tutorial, you will learn about the different facets of the root account on Ubuntu 20.04.
You will learn to lock and unlock it, to change its password, and to disable it for remote access to your machine.
Finally, you will learn the difference between the root account and the commonly used sudo command.
Prerequisites
For most of the commands used in this tutorial, you will need sudo privileges.
If the sudo group is part of your current groups, it means that you should be able to execute the commands listed below.
If not, make sure to check our guide on how to get sudo rights on Ubuntu 20.04.
Check Lock Status of Root Account
Depending on your distribution, the root account may or may not be locked by default.
When installing Ubuntu 20.04, you created a user account that was given sudo privileges.
In this example, the “devconnected” user is in the “sudo” group by default, which allows it to have temporary root rights if needed.
But what about the actual root account?
To know if your root account is locked or not, you can either check the “/etc/shadow” file or use the passwd command with the “-S” option.
Inspecting the shadow file
On Linux, the shadow file is a very sensitive file: it contains the encrypted (hashed) passwords for all the users available on your machine.
As a consequence, its content should never be seen or modified by a regular user.
In our case, we are only going to pay attention to the information related to the root account.
In order to know if the root account is locked or not, look for an exclamation mark at the start of the field that should contain the encrypted password. If there is one, that means that the account is locked.
$ sudo getent shadow root
$ sudo grep '^root:' /etc/shadow
If you are curious, this behavior is documented in the manual page dedicated to “shadow”.
$ man shadow
Using the passwd command
Usually, the passwd command is used in order to change a user’s password on Linux.
However, the “-S” option can be used in order to display the account “status” information.
$ sudo passwd -S root
When using the “-S” option, pay attention to the second column: it displays the status of the account (L for “locked” and P for “usable password”).
In this case, the root account is locked while the regular user account has a password.
Locking & Unlocking Root Account
By default, it is recommended to lock the root account and to use dedicated privileged accounts in order to perform critical operations.
In order to lock the root account, you have to use the “usermod” command with the “-L” option for “lock” and specify the root account.
$ sudo usermod -L root
Make sure to verify that the account is correctly locked by using one of the commands we described in the previous section.
In order to unlock the root account, you have to use the “usermod” command with the “-U” option for “unlock” and specify the root account.
$ sudo usermod -U root
Changing the root password
In order to change the root password, you have to use the “passwd” command and specify the root account.
$ sudo passwd root
After changing your password, the account will be automatically unlocked.
In order to switch to the root account, you can use the well-known “su” command without specifying a username (the default account is root).
$ su -
Disabling Root Login over SSH
In some cases, you want to keep the local root account accessible for administration but disabled for remote access.
If you are accessing your machine over SSH, you should disable root login whenever your server is active.
By default, on recent distributions, root login is set to “prohibit-password”, which means that you can still connect to it using SSH key authentication.
In order to disable it completely, head over to your “/etc/ssh/sshd_config” file and identify the line with “PermitRootLogin”. Uncomment it and set its value to “no”.
#PermitRootLogin
PermitRootLogin no
Of course, make sure to restart your SSH server for the modifications to be taken into account.
$ sudo systemctl restart sshd
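The two checks described in this tutorial (the lock marker in the shadow password field and the PermitRootLogin value), written as an added example that is not part of the original tutorial. The function names and sample entries are constructed for illustration, and the sshd_config parsing assumes a single file without following Include directives or Match blocks.

```shell
#!/bin/sh
# Added example: functions and sample data below are constructed for illustration.

# shadow_status ENTRY -> L (locked), NP (no password) or P (usable password),
# the same codes "passwd -S" shows in its second column.
shadow_status() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)   # field 2 = password field
    case "$field" in
        '!'*|'*'*) echo L ;;    # leading "!" (or "*"): no password can match
        '')        echo NP ;;   # empty field: no password set
        *)         echo P ;;    # anything else is treated as a usable hash
    esac
}

# effective_root_login: reads sshd_config text on stdin and prints the global
# PermitRootLogin value. sshd keeps the FIRST value it reads for a keyword, so
# a "PermitRootLogin no" appended below an earlier active line has no effect.
effective_root_login() {
    awk '
        $1 ~ /^#/                        { next }   # commented line: ignored
        tolower($1) == "match"           { exit }   # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }  # default named in the text
    '
}

# Constructed samples (placeholder values, not from a real system).
SAMPLE_LOCKED='root:!:18400:0:99999:7:::'
SAMPLE_HASH='root:$6$placeholdersalt$placeholderhash:18400:0:99999:7:::'
SAMPLE_CONF='#PermitRootLogin prohibit-password
PermitRootLogin yes
PermitRootLogin no'

echo "locked entry : $(shadow_status "$SAMPLE_LOCKED")"
echo "hashed entry : $(shadow_status "$SAMPLE_HASH")"
echo "sshd_config  : $(printf '%s\n' "$SAMPLE_CONF" | effective_root_login)"
```

On a live host, `sudo sshd -T | grep -i permitrootlogin` prints the value sshd actually resolved, including any Include files, which this example does not follow.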
Conclusion
In this tutorial, you learnt how you can manage the root account on Linux easily.
You learnt that there are many different ways of checking for the lock status of the root account, using the shadow file or the passwd command for example.