Do you still manage your virtual servers with the root superuser? Here are five easy steps to stop using root right now.
This post is for people who use SSH key authentication on Fedora, CentOS, or RHEL servers. When you spin up a virtual server online, you can usually choose SSH key authentication instead of a password. That's great! But the initial connection is set up for the root superuser, and that's not a good idea: root is the one account name every attacker already knows, every session runs with full privileges and no sudo prompt in the way, and a shared root login leaves no record of which person did what.
The first step to using root less is to stop logging in as root. You can do that by creating a new administrative account with sudo privileges and reusing the SSH keys that are already authorized for root. Here's how.
1, Choose a new account that you will use for administration (better not call it admin, or any other name an attacker would try first). Log in as root one last time and create it:
workstation$ ssh root@$SERVER_IP
$ ADMIN=my_project_admin_name
$ useradd -m $ADMIN
2, Prepare the new user's ~/.ssh/authorized_keys file with the content of the existing /root/.ssh/authorized_keys, so the same keys open the new account. Creating the directory and file through su - $ADMIN makes the new user their owner:
$ su - $ADMIN -c 'mkdir ~/.ssh'
$ su - $ADMIN -c 'touch ~/.ssh/authorized_keys'
$ cat /root/.ssh/authorized_keys >> /home/$ADMIN/.ssh/authorized_keys
3, Ensure the new authorized_keys file and the .ssh directory have the expected restrictive permissions and are owned by the new user. With sshd's default StrictModes yes, an authorized_keys file that is group- or world-writable, or owned by someone else, is silently ignored, so a mistake here plus step 5 means being locked out:
$ chmod 700 /home/$ADMIN/.ssh
$ chmod 600 /home/$ADMIN/.ssh/authorized_keys
4, Add the new user to the wheel group. On these distributions /etc/sudoers ships with an uncommented %wheel rule, so members of wheel get sudo access without any further sudo configuration (if the image was customized, check that the rule is still there before relying on it):
$ usermod -a -G wheel $ADMIN
Also give the new user a password. sudo asks for the invoking user's own password, and useradd leaves it locked, so without this step the new account cannot escalate at all:
$ passwd $ADMIN
Before locking anything, check that the new account works. From a second terminal on your workstation, log in as the new $ADMIN user and run a command through sudo, and keep the original root session open until that succeeds:
workstation$ ssh my_project_admin_name@$SERVER_IP
5, Lock the root account by setting its expiry date in the past:
$ sudo chage -E 0 root
It would be best if you also locked the password of root (in case one was set):
$ sudo passwd -l root
An expired account is refused by every PAM login, not only SSH: the console, su - root from another account, and anything else that runs the PAM account stack for root (which on these distributions can include crond, so check that root's cron jobs still run). Keep a rescue path, such as your provider's console, in case the $ADMIN account ever breaks. If all you want is that nobody logs in over SSH as root, setting PermitRootLogin no in /etc/ssh/sshd_config and restarting sshd does exactly that and combines well with the steps above.
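The five steps as one script, added here as an example and not part of the original post. It assumes the Fedora/CentOS/RHEL defaults described above (useradd -m creates /home/<user>, /etc/sudoers grants %wheel, GNU coreutils for install and stat) and is run as root over the existing root session; the script name, the list of guessable account names, and the use of sudo -l -U and passwd -S as checks are my choices. The setup mode does steps 1 to 4 and refuses guessable names or a sudoers file without a wheel rule; the lock-root mode does step 5 only after confirming the new user is in wheel, has a usable authorized_keys, and can actually pass a sudo prompt.

```shell
#!/bin/sh
# Added example, not from the original post: the five steps as one script with the
# checks a quick copy-paste skips. Assumes Fedora/CentOS/RHEL defaults (useradd -m
# creates /home/<user>, /etc/sudoers grants %wheel) and runs as root over the
# existing root SSH session. The script name and the guessable-name list are assumptions.
#   sh stop-root.sh setup my_project_admin_name      # steps 1 to 4
#   sh stop-root.sh lock-root my_project_admin_name  # step 5, after testing the login
set -eu

# Step 1 guard: reject names an attacker tries first, and names useradd would reject.
valid_admin_name() {
    case "$1" in
        root|admin|administrator|sysadmin|ubuntu|centos|fedora|ec2-user) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Step 4 guard: does the given sudoers file carry an uncommented %wheel rule?
# (sudo -l -U "$user", run as root, is the authoritative check; it also covers /etc/sudoers.d.)
wheel_has_sudo() {
    grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL' "${1:-/etc/sudoers}"
}

# Steps 2 and 3: copy the key file into HOME/.ssh with the modes sshd's StrictModes
# requires. install(1) applies the modes regardless of umask; ownership is set by the caller.
install_keys() {
    install -d -m 700 "$1/.ssh"
    install -m 600 "$2" "$1/.ssh/authorized_keys"
}

# True when .ssh is 0700, authorized_keys is 0600 and it holds at least one key line.
check_key_perms() {
    [ "$(stat -c %a "$1/.ssh")" = 700 ] &&
    [ "$(stat -c %a "$1/.ssh/authorized_keys")" = 600 ] &&
    grep -Eq '(^|[[:space:]])(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys"
}

setup() {
    admin="$1"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    valid_admin_name "$admin" || { echo "refusing guessable or invalid name: '$admin'" >&2; return 1; }
    wheel_has_sudo /etc/sudoers || { echo "no %wheel rule in /etc/sudoers; add one with visudo first" >&2; return 1; }
    id "$admin" >/dev/null 2>&1 || useradd -m "$admin"
    usermod -a -G wheel "$admin"
    home=$(getent passwd "$admin" | cut -d: -f6)
    install_keys "$home" /root/.ssh/authorized_keys
    chown -R "$admin:$admin" "$home/.ssh"
    check_key_perms "$home"
    # sudo prompts for the invoking user's own password; useradd leaves it locked.
    passwd "$admin"
    echo "Now, from your workstation: ssh $admin@SERVER and run a command with sudo."
    echo "Keep this root session open until that works, then: $0 lock-root $admin"
}

lock_root() {
    admin="$1"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    id "$admin" >/dev/null 2>&1 || { echo "no such user: $admin" >&2; return 1; }
    home=$(getent passwd "$admin" | cut -d: -f6)
    id -nG "$admin" | tr ' ' '\n' | grep -qx wheel || { echo "$admin is not in wheel" >&2; return 1; }
    sudo -l -U "$admin" | grep -q '(ALL' || { echo "sudo -l shows no ALL rule for $admin" >&2; return 1; }
    if ! sudo -l -U "$admin" | grep -q NOPASSWD; then
        [ "$(passwd -S "$admin" | awk '{print $2}')" = PS ] ||
            { echo "$admin has no password, so sudo would fail; run: passwd $admin" >&2; return 1; }
    fi
    check_key_perms "$home" || { echo "$admin has no usable authorized_keys" >&2; return 1; }
    chage -E 0 root   # step 5: expire the root account (refused by every PAM login, not only SSH)
    passwd -l root    # and lock its password in case one was set
    echo "root locked; keep a console or rescue path in case $admin ever breaks"
}

case "${1:-}" in
    setup)     setup "${2:-}" ;;
    lock-root) lock_root "${2:-}" ;;
esac
```

Run setup first, test the new login from a second terminal, and only then run lock-root; the two modes are separate on purpose so that the lock step cannot happen in the same breath as the account creation.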