Sometimes it doesn’t help to think twice. The other night I was changing my password on an Ubuntu system and realised too late that I was, at that moment, root, having run ‘sudo su’. So, instead of changing my own password I changed the password of the root account. By default it is not possible to log onto the system using the root account, but by changing the password I immediately lowered that bar.
So how to fix this?
Some sources say that ‘sudo passwd -l root’ is the way to go, but this just locks the account. Others point to ‘sudo passwd -d root’, but that just removes the password completely. While this means that it will not be possible to log onto the system remotely, since ssh prevents logons using blank passwords, it does mean that the system is wide open to anyone who can gain access to a console.
The correct method is ‘sudo usermod -p ! root’. This sets the password field for the root account in /etc/shadow to a single exclamation point. Since ‘!’ is not a valid hash, no entered password will ever match the stored value. You can confirm the result with ‘sudo passwd -S root’, which reports the account status as L (locked).
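To see the difference between the three outcomes discussed above, here is an added example (not from the original post) that reads the password field of a shadow-format file and reports the state of a given account; it runs on a constructed sample file rather than the real /etc/shadow, and the states, file name and function name are my own choices.

```shell
#!/bin/sh
# Added example: classify an account's password field in a shadow-format file.
# Field 2 of each colon-separated line is the password hash.
# States reported:
#   empty            -> 'passwd -d': no password at all, console login needs none
#   locked           -> field is exactly '!' or '*' ('usermod -p ! root', or the
#                       distribution default); nothing can ever match it
#   locked_hash_kept -> 'passwd -l': old hash kept behind a leading '!', so the
#                       account can be unlocked again with 'passwd -u'
#   usable           -> a real hash, the account can log in with a password
#   missing          -> no such account in the file
pw_state() {
  file=$1
  user=$2
  if ! grep -q "^$user:" "$file"; then
    echo missing
    return
  fi
  hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
  case "$hash" in
    "") echo empty ;;
    "!"|"*") echo locked ;;
    "!"*|"*"*) echo locked_hash_kept ;;
    *) echo usable ;;
  esac
}

# Constructed sample data (hashes are fake placeholders, not real password hashes).
tmp=$(mktemp)
printf '%s\n' 'root:!:19000:0:99999:7:::' \
              'alice:$6$saltsalt$fakehashvalue:19000:0:99999:7:::' > "$tmp"
echo "root: $(pw_state "$tmp" root)"    # locked
echo "alice: $(pw_state "$tmp" alice)"  # usable
rm -f "$tmp"
```

On a live system the equivalent check is ‘sudo passwd -S root’ or ‘sudo awk -F: '$1=="root"{print $2}' /etc/shadow’, both of which need root to read the shadow file.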