Stop logging as root in 5 simple steps

Do you still manage your virtual servers with the root superuser? Here are five easy steps to stop using root right now.

This post is for people with an SSH-based authentication on Fedora, CentOS, or RHEL servers. If you spin up a virtual server online, you can usually choose to use an SSH-based authentication instead of providing a password. That’s great! But the initial connection would be set up for the root superuser, and that’s not a good idea.

The first step to using root less is to stop using it to log in. You can do that by choosing a new admin account with sudo privileges and reuse the root SSH server configuration. Here’s how.

1, Choose a new account that you will use for administration (better not called it admin):

workstation$ ssh root@$SERVER_IP
$ ADMIN=my_project_admin_name
$ useradd $ADMIN

2, Prepare the ./ssh/authorized_keys file with the content from the existing /root/.ssh/authorized_keys:

$ su - $ADMIN -c 'mkdir ~/.ssh'
$ su - $ADMIN -c 'touch ~/.ssh/authorized_keys'
$ cat /root/.ssh/authorized_keys >> /home/$ADMIN/.ssh/authorized_keys

3, Ensure the new authorized_keys file and the .ssh directory have expected restricted permissions.

$ chmod 700 /home/$ADMIN/.ssh
$ chmod 600 /home/$ADMIN/.ssh/authorized_keys

4, Add the new user to the wheel group. It’s the group that has sudo access automatically without adding any other specific sudo configuration.

$ usermod -a -G wheel $ADMIN

5, Lock the root account:

$ sudo chage -E 0 root

At this point, you should be able to log in with the new $ADMIN user:

$ ssh my_project_admin_name@$SERVER_IP

It would be best if you also considered to lock the password of root (in case the password was set):

$ sudo passwd -l root

← IT'S OUT NOW

I wrote a complete guide on web application deployment. Ruby with Puma, Python with Gunicorn, NGINX, PostgreSQL, Redis, networking, processes, systemd, backups, and all your usual suspects.

More →