Using a sudo user to access a server and execute commands at root level is a very common practice among Linux and Unix systems administrators. The use of a sudo user is often coupled with disabling direct root access to one's server in an effort to prevent unauthorized access.
In this tutorial, we will be covering the basic steps for disabling direct root access, creating a sudo user, and setting up the sudo group on CentOS, Debian, and FreeBSD.
Prerequisites
- A newly installed Linux server with your preferred distribution.
- A text editor installed on the server, such as nano, vi, vim, or emacs.
Step 1: Installing sudo
Debian
apt-get install sudo -y
CentOS
yum install sudo -y
FreeBSD
cd /usr/ports/security/sudo/ && make install clean
or
pkg install sudo
Step 2: Adding the sudo user
A sudo user is a normal user account on a Linux or Unix machine.
Debian
adduser mynewusername
CentOS
adduser mynewusername
FreeBSD
adduser mynewusername
Step 3: Adding the new user to the wheel group (optional)
The wheel group is a user group which limits the number of people who are able to su to root. Adding your sudo user to the wheel group is entirely optional, but it is advisable.
Note: In Debian, the sudo group is often found instead of wheel. You can, however, manually add the wheel group using the groupadd command. For the purpose of this tutorial, we will use the sudo group for Debian.
The difference between wheel and sudo
In CentOS and Debian, a user belonging to the wheel group can execute su and directly ascend to root. Meanwhile, a sudo user would have to use sudo su first. Essentially, there is no real difference except for the syntax used to become root, and users belonging to both groups can use the sudo command.
Debian
usermod -aG sudo mynewusername
CentOS
usermod -aG wheel mynewusername
FreeBSD
pw group mod wheel -m mynewusername
Step 4: Making sure your sudoers file is set up properly
It is important to ensure that the sudoers file located in /etc/sudoers is set up properly in order to allow sudo users to effectively use the sudo command. In order to accomplish that, we will view the contents of /etc/sudoers and edit them where applicable.
Debian
vim /etc/sudoers
or
visudo
CentOS
vim /etc/sudoers
or
visudo
FreeBSD (sudo installed from ports or packages keeps its file at /usr/local/etc/sudoers)
vim /usr/local/etc/sudoers
or
visudo
Note: The visudo command will open /etc/sudoers using the system's preferred text editor (usually vi or vim) and checks the file for syntax errors before saving it.
Start reviewing and editing below this line:
# Allow members of group sudo to execute any command
This section of /etc/sudoers often looks like this:
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
In some systems, you may find %wheel instead of %sudo; in which case, this would be the line under which you would start modifying.
If the line starting with %sudo in Debian or %wheel in CentOS and FreeBSD is not commented out (prefixed by #), this means that sudo is already set up and enabled. You can then move to the next step.
Step 5: Allowing a user that belongs to neither the wheel nor the sudo group to execute the sudo command
It is possible to allow a user that is in neither user group to execute the sudo command by simply adding them to /etc/sudoers as follows:
anotherusername ALL=(ALL) ALL
Step 6: Restarting the SSHD Server
In order to apply the changes you made to /etc/sudoers, you need to restart the SSHD server as follows:
Debian
/etc/init.d/ssh restart
CentOS 6
/etc/init.d/sshd restart
CentOS 7
systemctl restart sshd.service
FreeBSD
/etc/rc.d/sshd restart
Step 7: Testing
After you have restarted the SSH server, log out and then log back in as your sudo user, then attempt to execute some testing commands as follows:
sudo uptime
sudo whoami
Any of the below commands will allow the sudo user to become root.
sudo su -
sudo -i
sudo -s
Notes:
- The whoami command will return root when coupled with sudo.
- You will be prompted to enter your user's password when executing the sudo command unless you explicitly instruct the system to not prompt sudo users for their passwords. Please note that this is not a recommended practice.
Optional: allowing sudo without entering the user's password
As previously explained, this is not a recommended practice and is included in this tutorial for demonstration purposes only.
In order to allow your sudo user to execute the sudo command without being prompted for their password, place the NOPASSWD: tag in front of the command list on the access line in /etc/sudoers as follows:
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
Note: You need to restart your SSHD server in order to apply the changes.
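An audit check for the rules discussed in Steps 4 and 5 and in the optional section above, as an added example that is not part of the original tutorial: it lists every active access rule in a sudoers-style file and marks the ones that carry NOPASSWD. The sample file is constructed, and the deploy account in it is hypothetical.

```shell
#!/bin/sh
# Added example: list who holds sudo rights in a sudoers-style file and
# whether each rule carries NOPASSWD. Does not follow include directives;
# lines starting with "#" are treated as comments.

# sudo_grants FILE -> "<user or %group> <passwd|nopasswd>" per active rule
sudo_grants() {
    awk '
        { sub(/^[ \t]+/, "") }                          # drop leading blanks
        /\\$/ { sub(/\\$/, " "); buf = buf $0; next }   # join continuation lines
        { $0 = buf $0; buf = "" }
        /^#/ || /^$/ || /^@include/ { next }            # comments, blanks, includes
        /^Defaults/ || /^[A-Z][a-z]+_Alias[ \t]/ { next }  # not access rules
        { print $1, ($0 ~ /NOPASSWD[ \t]*:/ ? "nopasswd" : "passwd") }
    ' "$1"
}

# nopasswd_principals FILE -> only the principals that skip the password prompt
nopasswd_principals() {
    sudo_grants "$1" | awk '$2 == "nopasswd" { print $1 }'
}

# Constructed sample; "deploy" is a hypothetical account.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
anotherusername ALL=(ALL) ALL
deploy ALL=(ALL) \
    NOPASSWD: ALL
EOF
sudo_grants "$sample"
echo "passwordless: $(nopasswd_principals "$sample")"
rm -f "$sample"
```

Run it as root against your sudoers file; visudo -c checks the file's syntax.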
Step 8: Disable direct root access
Now that you have confirmed that you can use your sudo user without issues, it is time for the eighth and final step, disabling direct root access.
First, open /etc/ssh/sshd_config using your favorite text editor and find the line containing the following string. It may be prefixed with a # character.
PermitRootLogin
Regardless of the prefix or the value of the option in /etc/ssh/sshd_config, you need to change that line to the following:
PermitRootLogin no
Finally, restart your SSHD server.
Note: Do not forget to test your changes by attempting to SSH into your server as root. If you are unable to do so, this means that you have successfully completed all the necessary steps.
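A check for the edit made in Step 8, as an added example that is not part of the original tutorial: it reports which PermitRootLogin value applies globally in an sshd_config-style file, since a line still prefixed with # has no effect and sshd uses the first value it obtains for a keyword. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value that applies globally in
# an sshd_config-style file. Does not follow Include directives.

# effective_permit_root_login FILE
# Prints the first uncommented PermitRootLogin value found before any Match
# block (sshd uses the first value it obtains for a keyword), lower-cased.
# Prints "unset" if there is none, meaning sshd uses its built-in default.
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # commented-out or blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)           # also tolerate Key=value
            key = tolower(f[1])
            if (key == "match") exit            # global section ends here
            if (key == "permitrootlogin") {
                gsub(/"/, "", f[2])
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_login_disabled FILE: succeeds only when the effective value is "no".
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample: "PermitRootLogin no" was appended at the end, but an
# earlier active line still wins; the commented line counts for nothing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
echo "effective PermitRootLogin: $(effective_permit_root_login "$sample")"
root_login_disabled "$sample" || echo "root login over SSH is still permitted"
rm -f "$sample"
```

On a live server, sshd -t checks the configuration for errors before you restart, and sshd -T prints the effective settings as sshd computes them.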