Create a New Superuser on Your Droplet
Using sudo instead of the root account enforces better security practices by limiting the amount of time spent with administrative privileges, logging actions for auditing, and protecting the system from accidental damage. It adds layers of accountability and control, which is especially important in environments with multiple users or administrators. All of these reasons make using sudo and superuser accounts a much safer and more manageable approach.
This article describes how to create a new superuser account on a default Ubuntu droplet console.
1. Create a new superuser.
a) Login as “root”.
A new droplet from Digital Ocean will only create a “root” account. Login with your only option: root.
b) Create a new user
Create a new user using the adduser command. Replace username with the desired name of the new user.
adduser username
The username should be all lowercase alphanumerics, and cannot exceed 32 characters. Do not use spaces or punctuation in the username (except for underscores and hyphens). You cannot use system-reserved or already existing usernames, such as root, bin, daemon, or nobody. You’ll be prompted to fill out some details, such as the full name, room number, and other optional fields. You can either leave them blank or fill them out as needed.
e.g. to add a new user “admin”, the command would be:
adduser admin
c) Add the user to the sudo group
Users in the sudo group are granted superuser privileges, allowing them to run administrative commands with sudo. You will need this elevated access most of the time, but it should be minimized where possible.
To add the newly created user to the sudo group, use the following command:
usermod -aG sudo username
Replace username with the actual username set in step b), e.g.
usermod -aG sudo admin
This command appends the user to the sudo group without removing them from any other groups they might belong to. The -a flag is what makes it an append; -G on its own would replace the user’s supplementary groups with just sudo.
d) Verify the user’s membership in the sudo group
To ensure that the user was successfully added to the sudo group, you can check the groups the user is part of by running:
groups username
e.g.
groups admin
This should return something like this (where the username “admin” was used):
shows that the user “admin” is a member of the “admin” and “sudo” groups.
e) Test the new superuser privileges
Login as the new user or switch to the user using:
To test that the user can use sudo privileges, run a command that requires superuser access, such as updating the apt package list:
The first time you use sudo, it will ask for the user’s password and give a warning about the use of sudo. If the command works and updates the system without issues, the user has successfully been granted superuser privileges.
2. Enable passwordless SSH access.
At this point, you should enable passwordless (public key) SSH access to the new account, and log in to the new account instead of logging in as root. If access to your system/droplet is somehow compromised, this limits the amount of access the attacker would have.
a) Generate an ED25519 SSH Key Pair on the Client.
This is done on the client, i.e. your local machine (the one from which you’ll be connecting to the server).
Open a Terminal window.
Generate the key:
You will be prompted to specify a location to save the key pair. The default location is ~/.ssh/id_ed25519. You can press ENTER to accept the default or specify a different location/filename.
Next, you’ll be asked for a passphrase. It's recommended to set a passphrase for added security. If you don’t want a passphrase, just press Enter twice.
Once the key pair is generated, the public key will be saved in ~/.ssh/id_ed25519.pub, and the private key will be saved in ~/.ssh/id_ed25519 (unless you changed the location or filename).
b) Copy the Public Key to the Remote Server
The public key (the half of the key that we don’t have to keep secret) needs to get copied over to the server, added specifically to the authorized_keys file for the user we just created in Step 1.
This is all done in a Terminal window (console).
First, display the public key (so you can copy+paste):
Next, login to your droplet as root.
Change/switch the active user to the “new” user you created earlier (shown here).
Select/highlight the public key, then copy the contents of the public key (displayed in step 1) to your clipboard (usually Ctrl+Shift+C). Paste it in a text file temporarily.
Edit the authorized_keys file as that new user:
nano $HOME/.ssh/authorized_keys
Paste the public key in a new line inside the file (usually Ctrl+Shift+V).
Save the file (Ctrl+X, “y” for yes, and don’t change the filename).
The key should be immediately usable, and you can now log in from your client to your server as “admin” using the private key ~/.ssh/id_ed25519 in your SSH login command.
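The following helper script is an added example and is not part of the original article or its droplet setup. It encodes the username rules from step 1b as a check, and installs a public key the way step 2b describes, but it also creates the ~/.ssh directory and sets the file modes that sshd's default StrictModes requires (the nano-only step above fails if ~/.ssh does not exist yet, and sshd silently ignores a group- or world-writable key file). The directory is passed as an argument (an assumption of this example) so it can be exercised on a temporary path; the key line used when testing is constructed, not a real key.

```shell
#!/bin/sh
# Added helper, not part of the original article. Checks a candidate
# username against the rules in step 1b and installs a public key the way
# step 2b describes, but also creates ~/.ssh and sets the modes that sshd's
# default StrictModes requires (700 directory, 600 authorized_keys).
# SSH_DIR is passed as an argument so the function can be exercised on a
# temporary directory without touching a real account.

RESERVED="root bin daemon nobody"   # reserved names listed in the article

# valid_username NAME -> exit status 0 if NAME is acceptable
valid_username() {
    name=$1
    [ "${#name}" -gt 0 ] && [ "${#name}" -le 32 ] || return 1
    # lowercase letters, digits, underscore and hyphen only; Debian's adduser
    # default NAME_REGEX additionally requires a leading letter
    case $name in
        [a-z]*) ;;
        *) return 1 ;;
    esac
    case $name in
        *[!a-z0-9_-]*) return 1 ;;
    esac
    for r in $RESERVED; do
        [ "$name" = "$r" ] && return 1
    done
    # refuse a name that already exists on this system (getent may be absent)
    if getent passwd "$name" >/dev/null 2>&1; then return 1; fi
    return 0
}

# install_authorized_key SSH_DIR PUBKEY_LINE
# Appends PUBKEY_LINE to SSH_DIR/authorized_keys unless it is already there.
install_authorized_key() {
    dir=$1
    key=$2
    case $key in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-"*) ;;
        *) echo "refusing line that is not an OpenSSH public key" >&2; return 1 ;;
    esac
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys" || return 1
    # -x: whole-line match, -F: literal string, so a re-run is idempotent
    if ! grep -qxF "$key" "$dir/authorized_keys"; then
        printf '%s\n' "$key" >> "$dir/authorized_keys"
    fi
}
```

Run as the new user with `install_authorized_key "$HOME/.ssh" "$(cat /path/to/id_ed25519.pub)"` to reproduce step 2b with the correct permissions in place.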
From your Client window, use:
Copyright © 2020-2024 General Bytes USA LLC