Do you still manage your virtual servers with the root superuser? Here are five easy steps to stop using root right now.
This post is for people who use SSH key authentication on Fedora, CentOS, or RHEL servers. If you spin up a virtual server online, you can usually choose SSH key authentication instead of a password. That’s great! But the initial connection is set up for the root superuser, and that’s not a good idea.
The first step to using root less is to stop using it to log in. You can do that by creating a new admin account with sudo privileges and reusing the SSH key that is already authorized for root. Here’s how.
1. Choose a new account that you will use for administration (better not call it admin):
workstation$ ssh root@$SERVER_IP
$ ADMIN=my_project_admin_name
$ useradd $ADMIN
2. Prepare the new account's ~/.ssh/authorized_keys file with the content of root's existing one:
$ su - $ADMIN -c 'mkdir ~/.ssh'
$ su - $ADMIN -c 'touch ~/.ssh/authorized_keys'
$ cat /root/.ssh/authorized_keys >> /home/$ADMIN/.ssh/authorized_keys
3. Ensure the new authorized_keys file and the .ssh directory have the expected restricted permissions:
$ chmod 700 /home/$ADMIN/.ssh
$ chmod 600 /home/$ADMIN/.ssh/authorized_keys
4. Add the new user to the wheel group. It’s the group that has sudo access automatically, without any other specific sudo configuration:
$ usermod -a -G wheel $ADMIN
5. Lock the root account (keep your current root session open until you have confirmed that the new account can log in and use sudo):
$ sudo chage -E 0 root
At this point, you should be able to log in with the new account:
$ ssh my_project_admin_name@$SERVER_IP
You should also consider locking the root password (in case one was set):
$ sudo passwd -l root
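The five steps above as one script, added here as an example; it is not part of the original post. It assumes it runs as root on a Fedora/CentOS/RHEL server, that /root/.ssh/authorized_keys already exists, and that the admin name is passed as the first argument. The function names (setup_admin, check_ssh_perms, is_in_group, lock_root) are my own. It keeps the root lock in a separate function so you can confirm the new login from your workstation before running it, and it verifies the permissions and group membership before telling you to do so.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes: run as root,
# /root/.ssh/authorized_keys exists, GNU/busybox stat is available.

# Step 3 check: the .ssh directory must be 700 and authorized_keys 600.
# Takes a home directory so it can be run against any account.
check_ssh_perms() {
    home="$1"
    dir_mode=$(stat -c '%a' "$home/.ssh" 2>/dev/null) || return 1
    key_mode=$(stat -c '%a' "$home/.ssh/authorized_keys" 2>/dev/null) || return 1
    [ "$dir_mode" = "700" ] && [ "$key_mode" = "600" ]
}

# Step 4 check: is user $1 a member of group $2?
is_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Steps 1 to 4: create the account, copy root's key, fix permissions,
# grant sudo via wheel, then verify the result.
setup_admin() {
    admin="$1"
    useradd "$admin"                                            # step 1
    su - "$admin" -c 'mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys'  # step 2
    cat /root/.ssh/authorized_keys >> "/home/$admin/.ssh/authorized_keys"
    chmod 700 "/home/$admin/.ssh"                               # step 3
    chmod 600 "/home/$admin/.ssh/authorized_keys"
    usermod -a -G wheel "$admin"                                # step 4
    check_ssh_perms "/home/$admin" || { echo "bad .ssh permissions" >&2; return 1; }
    is_in_group "$admin" wheel   || { echo "$admin not in wheel" >&2; return 1; }
    echo "Now test from your workstation: ssh $admin@SERVER_IP && sudo -v"
    echo "then run: $0 --lock-root"
}

# Step 5, run only after the new login has been confirmed:
# expire the root account and lock its password.
lock_root() {
    chage -E 0 root
    passwd -l root
}

# Entry point: no arguments means nothing is executed, so the functions
# above can be sourced and checked on their own.
if [ "${1:-}" = "--lock-root" ]; then
    lock_root
elif [ -n "${1:-}" ]; then
    setup_admin "$1"
fi
```

Run it as `sh stop-using-root.sh my_project_admin_name` in your root SSH session, test the new login from the workstation, and only then run `sh stop-using-root.sh --lock-root`.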