This tutorial explains how to enable and disable the root login in Ubuntu. Learn how to enable the root user account and once enabled, how to disable it again.
In Linux, root account is the main administrator account. When we install Linux, the installation wizard automatically creates this account. In some Linux flavors such as RedHat and CentOS, the installation wizard allows us to set password on this account.
In Ubuntu Linux, the installation wizard neither provides an option to set password nor provides any information about this account. It simply creates this account without password in background.
In Linux, a user account without password or empty password is considered as a disabled account. Since the root account is created without password by the installation wizard, it remains in disabled state until it is manually enabled.
Before we learn how to enable the root account, let’s check how and where the Ubuntu stores the root account information. In a standalone Linux system, user information is stored in two files; /etc/passwd and /etc/shadow.
/etc/passwd: - This file stores users’ records.
/etc/shadow: - This file stores users’ passwords.
To know how the root account’s information is stored in these files, access a shell prompt and run the following commands.
$sudo grep root /etc/passwd $sudo grep root /etc/shadow
As we can see in above output, password field is occupied by the character "x" and "!" in user database file and in password file respectively.
- The character "x" represents a blank or empty password.
- The character "!" represents that password is locked.
A locked password means, user is not allowed to use the password. No matter whether you type the right or wrong password, if password is locked, login attempt will be failed in every situation.
Technically, with default installation and without any change, the root account is disabled and locked in Ubuntu.
Enabling root account in Ubuntu
There are three ways to enable the root login in Ubuntu: -
- Temporary
- For CLI prompt only
- For both CLI prompt and GUI interface.
Let’s discuss these methods in detail.
Enabling root account temporary
If you only need the root account for a particular task or job, run the following command and supply the super user password to authenticate the action.
$sudo –i
Super user is the user account that we create during the installation or any other user account which we manually add in administrator group.
Disabling root account
Once specific task is finished, use the exit command to logout from the root account or simply close the terminal if you have no further task.
Enabling root account for command line (CLI prompt)
With default installation, Linux offers six independent virtual terminals (CLI) and one GUI interface. These terminals can be accessed by pressing the ALT+CTRL+F(1to7) keys.
To enable root account for CLI terminal only, use the following command: -
$sudo –i passwd root Enter new UNIX password: [Set new password for root account] Retype new UNIX password: [Confirm new password]
This command is the combination of two commands. First command unlocks the root account and second command sets password for the root account.
Once root account is unlocked and password is set, it is ready to use for CLI prompt. To confirm this, switch to any CLI terminal, and login from the root account.
Disabling root account
If root account is no longer required, you can use the following to command to disable it again.
$sudo passwd -dl root
This command makes the root password empty and enables the password lock again.
To confirm the disabling of root account, switch to CLI prompt again and login from the root account.
Enabling root account for GUI (Ubuntu Desktop)
Just like the previous method, enable the root account with the following command.
$sudo –i passwd root Enter new UNIX password: [Set new password for root account] Retype new UNIX password: [Confirm new password]
GUI (Ubuntu Desktop) has its own security layer which blocks the root account from login. So, even we have a properly enabled root account with password, it does not work in GUI interface.
Before we adjust necessary security features, let’s try to login from the root account in GUI interface with the correct password.
As we can see in above output, root account is not allowed to login.
In order to allow the root account in GUI, we have to modify the following files.
/etc/gdm3/custom.conf /etc/pam.d/gdm-password
Before update, let’s take the backup of these files. Backup copy allows us to deal from any unpleasant situation.
$mkdir bakup $cp /etc/gdm3/custom.conf backup/ $cp /etc/pam.d/gdm-password backup/
Now open the /etc/gdm3/custom.conf file with your favorite text editor.
And add the following line in the [security] directive and save the file.
AllowRoot=true
Now open the /etc/pam.d/gdm-password file.
And add the hash (#) sign in starting of the following line and save the file.
auth required pam_succeed_if.so user !=root quiet_success
Any line which starts with the # is considered as a comment line in configuration file. Shell ignores all comments when it executes a configuration file.
To apply these changes, we have to restart the system.
After restart, login from the root account again and verify that the root account is enabled.
Disabling root password
Just like the previous method, first make the root password empty and put it in lock condition again with the following command.
$sudo passwd –dl root
Now, remove the changes which we made in configuration files. If you have taken the backup of configuration files, just restore the original files back from the backup.
If you haven’t taken the backup,
Remove the "AllowRoot=true" line from the [security] directive in file /etc/gdm3/custom.conf
Remove the # sign from the starting of the following line
#auth required pam_succeed_if.so user !=root quiet_success
in file /etc/pam.d/gdm-password
Enabling and disable root login in nutshell
Requirement | To enable root account | To disable root account |
Temporary | Run the sudo –i command | Use the exit command or close the terminal |
CLI Only | Use the sudo –i passwd root command. Set root password, when it asks. | Use the sudo passwd –dl root command |
CLI & GUI both | Use the sudo –i passwd root command. Set root password, when it asks. Add the "AllowRoot=true" line in the [security] directive in file /etc/gdm3/custom.conf file. Add the # in starting of the following line auth required pam_succeed_if.so user !=root quiet_success in /etc/gdm3/custom.conf file. |
Use the sudo passwd –dl root command Remove the "AllowRoot=true" from the [security] directive in file /etc/gdm3/custom.conf file. Remove the starting # from the following auth required pam_succeed_if.so user !=root quiet_success in /etc/gdm3/custom.conf file. |
The options d and l
At end of this tutorial, let’s understand the options; –d and –l which we used with the passwd command.
-d: - This option is used to delete the user’s password. Since Linux does not allow a user to login without password, a user account with blank password is disabled automatically.
-l: - This option is used to lock the password. Once password is locked, user is not allowed to use the password.
That’s all for this tutorial. If you face any problem in enabling or disabling the root account, let me know. I will help you in this procedure. If you like this tutorial, please don’t forget to share it with friends through your favorite social site.