diff --git a/cockpit.changes b/cockpit.changes
index a6cf4f4..b73c058 100644
--- a/cockpit.changes
+++ b/cockpit.changes
@@ -1,8 +1,16 @@
 -------------------------------------------------------------------
-Wed Feb 28 16:00:00 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+Mon Mar  4 13:24:23 UTC 2024 - Adam Majer <adam.majer@suse.de>
+
+- cockpit.pam: respect /etc/cockpit/disallowed-users
+  This means by default root cannot login with password to cockpit
+  (bsc#1216080)
+
+-------------------------------------------------------------------
+Thu Feb 29 16:40:06 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
 
 - Remove SELinux file context for /usr/bin/cockpit-bridge, this
   is already defined in the main selinux-policy package (bsc#1220385).
+  Modified selinux_libdir.patch
 
 -------------------------------------------------------------------
 Thu Feb 15 12:21:55 UTC 2024 - Adam Majer <adam.majer@suse.de>
diff --git a/cockpit.pam b/cockpit.pam
index 7bf2ed2..8ea0366 100644
--- a/cockpit.pam
+++ b/cockpit.pam
@@ -1,5 +1,7 @@
 #%PAM-1.0
 auth substack common-auth
+# List of users to deny access to Cockpit, by default root is included.
+auth    required pam_listfile.so item=user sense=deny file=/etc/cockpit/disallowed-users onerr=succeed
 account required pam_nologin.so
 account include common-account
 password include common-password