Você pode desativar a conta root com sudo passwd -l root
. A edição do arquivo sshd_config afeta somente logins ssh. Isso desativa su -
, já que a senha não é conhecida por ninguém.
de man passwd
:
-l, --lock
Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ´!´ at the
beginning of the password).
Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970).
Users with a locked password are not allowed to change their password.