Disallow root login on GUI remotely

We have installed Rocky 9.3 on the lab computers. Users can access the w/s remotely either with ssh (via PuTTY), X2Go, or Windows Remote Desktop.

How can I disable root login to the graphical environment, either locally or remotely?

Thank you

Maria

Isn’t it disabled already? Most hits tell how to enable it. For example: Enabling Root User For GNOME Display Manager - Fedora Project Wiki

No, root can log in interactively from the GUI or from text mode (pressing ALT+Ctrl+F1). I have tried this: How to disable root login in GUI? - Red Hat Customer Portal (although it is for RD8). It seems to work, but only interactively. You can still log in remotely as root using x2go or Remote Desktop.

Any help is appreciated

Thank you

Maria

Perhaps not a permanent solution, but change the password for root and don’t give it to anybody. If they don’t have the password, then they cannot log in as root. Force them to use their usernames, and sudo instead of using su. That way they never need the root login.

Obviously this doesn’t stop them resetting the password, although you can configure sudo to not allow using the passwd command, so that can stop them resetting as well. You will also need to restrict using su with sudo, to stop them bypassing it this way.

The means of root access is controlled by the files in /etc/pam.d/. “man su” also mentions other files like login.defs etc…
I’m sure what you need to know is covered in Red Hat’s RL9 documentation, which I find real hard to get to unless a link is posted here.

Google does find something with “RHEL-9 keyword” – as long as I’m “lucky” with the choice of keyword.
For example, “RHEL-9 pam_access” yields Configuring authentication and authorization in RHEL Red Hat Enterprise Linux 9 | Red Hat Customer Portal but does it have anything useful (for this case)?

PAM modules do have man-pages, but which modules to look at? The man pam_succeed_if was one. I’ve seen man pam_access too.


One should naturally start from no user having the root password, nor any sudo rights.
Then, if and only if, some user absolutely needs elevated privileges for some command, grant sudo only for each such command – no carte blanche.
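
An added example, not part of any post in this thread: a shell audit that checks whether the PAM service files behind graphical logins carry a `pam_succeed_if` rule rejecting root, the module mentioned above. The service file names (`gdm-password`, `xrdp-sesman`), the rule form, and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that PAM service files for graphical logins reject root.
# Assumed service names: gdm-password (GDM) and xrdp-sesman (xrdp).

# denies_root FILE: 0 = rule present, 1 = missing, 2 = file absent,
# 3 = rule present but after a "sufficient" module that can bypass it.
denies_root() {
    [ -r "$1" ] || return 2
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        { type = $1; sub(/^-/, "", type) }
        type != "auth" && type != "account" { next }
        $2 == "sufficient" { early[type] = 1; next }
        ($2 == "required" || $2 == "requisite") && $3 ~ /pam_succeed_if\.so$/ {
            args = ""
            for (i = 4; i <= NF; i++) args = args " " $i
            if (args ~ / (user != root|uid (!=|ne) 0)( |$)/) {
                if (early[type]) late = 1; else ok = 1
            }
        }
        END { exit (ok ? 0 : (late ? 3 : 1)) }
    ' "$1"
}

# audit_root_gui [DIR]: one status line per service; returns 1 on any gap.
audit_root_gui() {
    dir=${1:-/etc/pam.d}; rc=0
    for svc in gdm-password xrdp-sesman; do
        denies_root "$dir/$svc" && st=0 || st=$?
        case $st in
            0) echo "OK      $svc" ;;
            1) echo "MISSING $svc: no pam_succeed_if rule rejecting root"; rc=1 ;;
            2) echo "ABSENT  $svc: no such PAM service file" ;;
            3) echo "LATE    $svc: rule follows a sufficient module"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files, not copied from a real host.
make_samples() {
    printf '%s\n' 'auth required pam_succeed_if.so user != root quiet' \
        'auth substack password-auth' > "$1/gdm-password"
    printf '%s\n' 'auth sufficient pam_unix.so' \
        'auth required pam_succeed_if.so uid ne 0 quiet' > "$1/xrdp-sesman"
}

tmp=$(mktemp -d) && make_samples "$tmp"
audit_root_gui "$tmp" || echo "gaps found"; rm -rf "$tmp"
```

The ordering check is a heuristic: it recognises only the plain `sufficient` keyword, not bracketed controls or included stacks. X2Go sessions authenticate through sshd, so root login there is governed by sshd's own `PermitRootLogin` setting rather than by these two files.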