Here is a guide that teaches you how to create new users with sudo privileges in Ubuntu using the Bash terminal and how to set up an SSH key connection. It is aimed especially at server environments: you have created an Ubuntu VPS on Digital Ocean, AWS or any other cloud provider, or you already have a server running and just want to add another user. Along the way we also disable the ability to log in to your server as root. You might be asking why? Here are some reasons why logging in as root is not recommended:
- Every hacker / virus knows that there is a root account. If they are blindly attacking a system, it’s a known entry point, and very likely to be a target. This is why your root account should have logins disabled.
- Everyone makes mistakes. You’ll be in a rush, accidentally hit the wrong key, not double-check/realize the full list of files in that wildcard you just entered… eventually, you’ll be sitting at your system thinking, “Crap. I did not want to do that. How do I undo that?” It happens to the best of us. By not using the root account, you can be relatively confident that whatever you just did, did not mess up your system’s ability to operate.
- Privilege escalation — If a security vulnerability is exploited (in, say, your web browser), not running your programs as root will limit the damage. If your web browser is running as root (because you logged in as root), then any security failure will have access to your entire system.
- Accountability — There is only one root account. If everything is using the root account, it’s difficult to find out who did what. This applies less in a single-user environment, but that’s still not a good argument to avoid good security practices. With something like sudo, every command that’s executed with super-user powers is logged, along with the specific user that requested it be executed.
Create a New User
Log in to your server as root or as a user with sudo rights and create a new user. Keep in mind that if you are using a non-root user with sudo rights, you have to put sudo in front of the commands.
# create new user
adduser <username>
# grant user sudo privileges
usermod -a -G sudo <username>
# equivalent alternative to the usermod line
gpasswd -a <username> sudo
Setup a SSH Key Connection
If you don’t want to log in with your password and want an extra layer of security, it is highly recommended to establish the connection via SSH keys. Please follow the short guide in my article here:
Connect via SSH to your Linux Server
Disable root Login
Now you are disabling the ability to log in to your server as root. Be sure to test that you can log in with the previously created user before disabling root login!
nano /etc/ssh/sshd_config
Change this line of code
#PermitRootLogin yes
to
PermitRootLogin no
Restart the sshd daemon
sudo systemctl restart sshd
You can try to log in as root; it should bounce back with a Permission denied error. From now on you will use your previously created user as the main one.
Disable Password Authentication (Optional)
If all previous steps were successful, you can now disable the option to log in through SSH with a password. By default you can connect to your server with a password instead of an SSH key. It’s recommended to use only SSH keys to make your system more secure. But I am aware that there are some situations where it is good to have the option. So here are the instructions for disabling it or, if circumstances require, enabling it again. First log in to your server and edit the sshd config file
sudo nano /etc/ssh/sshd_config
At the bottom of the file there is a section for user-specific configuration. Insert your username and add the PasswordAuthentication setting
Match User <username>
PasswordAuthentication no
Restart sshd
sudo systemctl restart sshd
In case you want to enable password authentication again, just set PasswordAuthentication to yes. It is also possible to apply the setting to all users with the wildcard *
Match User *
PasswordAuthentication no
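To see what the PermitRootLogin and Match User edits above actually do for each account, the following added example (not part of the original guide) resolves a keyword from an sshd_config the way sshd scopes Match blocks. The user names alice and bob, the function names and both sample files are constructed for illustration; Include files are not followed.

```bash
# Added example. Usage: effective_setting KEYWORD USER < sshd_config
# Resolves one keyword the way sshd does for a given login name:
#   - keywords are case-insensitive; blank lines and '#' lines are ignored
#   - every line after a "Match" line belongs to that block until the next
#     Match line or end of file (indentation means nothing)
#   - a value from a matching Match block overrides the global section
#   - within each scope the first value seen wins
# Assumptions of this sketch: only "Match User" with exact names or "*",
# and Include files are not followed.
effective_setting() {
  awk -v want="$1" -v user="$2" '
    BEGIN { want = tolower(want) }
    NF == 0 || $1 ~ /^#/ { next }
    { key = tolower($1) }
    key == "match" {
      in_match = 1; applies = 0
      if (tolower($2) == "user") {
        n = split($3, pats, ",")
        for (i = 1; i <= n; i++)
          if (pats[i] == "*" || pats[i] == user) applies = 1
      }
      next
    }
    key == want {
      if (!in_match && global == "") global = $2
      if (in_match && applies && matched == "") matched = $2
    }
    END {
      # "unset" means sshd falls back to its built-in default
      # (for PasswordAuthentication that default is yes).
      if (matched != "") print matched
      else if (global != "") print global
      else print "unset"
    }'
}

# Constructed sample: the guide's edits, Match block at the bottom.
per_user_config() {
  printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' \
    'Match User alice' '    PasswordAuthentication no'
}

# Constructed sample: PermitRootLogin pasted below the Match block by mistake,
# so it only applies to alice and root logins are not disabled.
misplaced_config() {
  printf '%s\n' 'Match User alice' '    PasswordAuthentication no' \
    'PermitRootLogin no'
}

per_user_config  | effective_setting PasswordAuthentication alice  # no
per_user_config  | effective_setting PasswordAuthentication bob    # unset
misplaced_config | effective_setting PermitRootLogin root          # unset
```

On the server itself, run sudo sshd -t before restarting: it checks the real file for syntax errors, so a typo does not lock you out.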