Problem:
I would like to disable logging in as root on the login prompt but it should be possible to ‘su’ to root, give password and login.
Any help will be appreciated.
Solution:
I found this which talks about the /etc/securetty file.
Ostensibly, if /etc/securetty is present on the system, but empty (quoting):
If /etc/securetty exist and is empty, root access will be restricted
to single user mode or programs that are not restricted by
pam_securetty (i.e. su, sudo, ssh, scp, sftp)
For ssh and friends you will have to edit the /etc/ssh/sshd_config file and add or uncomment a PermitRootLogin yes line.
To prevent users from logging in as root directly, edit the /etc/passwd file, changing the shell from /bin/bash to /sbin/nologin. Modify the /etc/sudoers file using visudo to grant specific users authority to perform administrative tasks.
Hint copied from here.
To disable root login modify the shell for root in /etc/passwd to /sbin/nologin either directly using an editor or using usermod -s /sbin/nologin root
Alternatively you can use passwd -l root
Once you’re logged in as a regular sudoer (user with sudo privileges) you can access a root shell by using sudo su or sudo -i
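
An added example, not part of the original answers: a read-only shell script that reports the four settings mentioned above (/etc/securetty, root's shell in /etc/passwd, the root password lock, and sshd's PermitRootLogin). The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: reports the root-login settings discussed on this page.
# Paths are arguments, so it can be pointed at copies instead of live files.

# Prints "absent", "empty" (no tty listed) or "lists-ttys"
securetty_state() {
    [ -e "$1" ] || { echo absent; return; }
    if grep -Eqv '^[[:space:]]*(#|$)' "$1"; then echo lists-ttys; else echo empty; fi
}

# Login shell of root (field 7 of the passwd file)
root_shell() { awk -F: '$1 == "root" { print $7; exit }' "$1"; }

# "locked" when root's hash field starts with ! or * (passwd -l prepends !)
root_password_state() {
    awk -F: '$1 == "root" { s = ($2 ~ /^[!*]/) ? "locked" : "set"; print s; exit }' "$1"
}

# sshd uses the first PermitRootLogin line it reads; "default" if none is set.
# Assumption: Match blocks and Include files are not followed here.
sshd_permit_root() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "default" }' "$1"
}

audit_root_login() {  # args: securetty passwd shadow sshd_config
    echo "console (pam_securetty): securetty is $(securetty_state "$1")"
    shell=$(root_shell "$2")
    echo "root shell: $shell"
    # su starts the target account's shell, so a nologin shell also stops plain su
    case "$shell" in */nologin|*/false) echo "  note: plain 'su' to root will fail too" ;; esac
    echo "root password: $(root_password_state "$3")"
    echo "sshd PermitRootLogin: $(sshd_permit_root "$4")"
}

# Constructed sample files (not taken from any real host)
d=$(mktemp -d)
: > "$d/securetty"
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n' > "$d/passwd"
printf 'root:!$6$constructed$hash:19000:0:99999:7:::\n' > "$d/shadow"
printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$d/sshd_config"
audit_root_login "$d/securetty" "$d/passwd" "$d/shadow" "$d/sshd_config"
```

On a live host, call audit_root_login as root with /etc/securetty, /etc/passwd, /etc/shadow and /etc/ssh/sshd_config as the four arguments.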