Create a New Superuser on Your Droplet

Using sudo instead of the root account enforces better security practices by limiting the amount of time spent with administrative privileges, logging actions for auditing, and protecting the system from accidental damage. It adds layers of accountability and control, especially important in environments with multiple users or administrators. All these reasons make using sudo and superuser accounts a much safer and more manageable approach.

This article describes how to create a new superuser account on a default Ubuntu droplet console.


1. Create a new superuser.

a) Log in as “root”.

A new DigitalOcean droplet comes with only a “root” account. Log in with your only option: root.

b) Create a new user

Create a new user using the adduser command. Replace username with the desired name of the new user.

adduser username
  • The username should be all lowercase alphanumerics, and cannot exceed 32 characters.

  • Do not use spaces or punctuation in the username (except for underscores and hyphens).

  • You cannot use system-reserved or already existing usernames, such as root, bin, daemon, or nobody.

  • You’ll be prompted to fill out some details, such as the full name, room number, and other optional fields. You can either leave them blank or fill them out as needed.

  • e.g. to add a new username “admin”, the command would be: adduser admin.

c) Add the user to the sudo group

Users in the sudo group are granted superuser privileges, allowing them to run administrative commands with sudo. You will need this elevated access most of the time, but it should be minimized where possible.

To add the newly created user to the sudo group, use the following command:

usermod -aG sudo username
  • Replace username with the actual username chosen in step b, e.g. usermod -aG sudo admin

  • This command appends the user to the sudo group without removing them from any other groups they might belong to.

d) Verify the user’s membership in the sudo group

To ensure that the user was successfully added to the sudo group, you can check the groups the user is part of by running:

groups username
  • e.g. groups admin

This should return something like this (where the username “admin” was used):

  • shows that the user “admin” is a member of the “admin” and “sudo” groups.

e) Test the new superuser privileges

Log in as the new user, or switch to that user, using:

To test that the user can use sudo privileges, run a command that requires superuser access, such as updating the apt package list:

The first time you use sudo, it will ask for the user’s password and give a warning about the use of sudo. If the command works and updates the system without issues, the user has successfully been granted superuser privileges.
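
Steps b through d as a single script, added here as an example and not part of the original article: it enforces the username rules listed above before calling adduser, then confirms the sudo membership. The function names, the --create flag, the script name and the stricter first-character rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): steps b to d as one script.
# Run as root:  sh make_superuser.sh --create admin
LC_ALL=C; export LC_ALL   # make [a-z] match ASCII lowercase only

# Apply the article's username rules before touching the system.
valid_username() {
    name=$1
    [ -n "$name" ] || { echo "empty username" >&2; return 1; }
    [ "${#name}" -le 32 ] || { echo "longer than 32 characters" >&2; return 1; }
    case $name in
        # Assumption, stricter than the article: first character is a letter,
        # so a name can never be mistaken for a command-line option.
        [!a-z]*)        echo "must start with a lowercase letter" >&2; return 1 ;;
        *[!a-z0-9_-]*)  echo "only a-z, 0-9, _ and - are allowed" >&2; return 1 ;;
    esac
    # Covers root, bin, daemon, nobody and any other existing account.
    if id -u "$name" >/dev/null 2>&1; then
        echo "account '$name' already exists" >&2; return 1
    fi
}

# True when the account lists "sudo" among its groups.
in_sudo_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx sudo
}

create_superuser() {
    valid_username "$1" || return 1
    adduser "$1" || return 1            # interactive: asks for password and details
    usermod -aG sudo "$1" || return 1   # -a appends; existing groups are kept
    in_sudo_group "$1" || { echo "'$1' is not in the sudo group" >&2; return 1; }
    echo "created '$1'; groups: $(id -nG "$1")"
    # Step e is then done by hand:  su - "$1"   followed by   sudo apt update
}

if [ "${1:-}" = "--create" ]; then
    create_superuser "${2:-}"
fi
```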


2. Enable passwordless SSH access.

At this point, you should enable passwordless (public key) SSH access to the new account, and log in to the new account instead of logging in as root. If your system/droplet access is somehow compromised, this restricts the amount of access that the attacker might have.

a) Generate an ED25519 SSH Key Pair on the Client.

This is done on the client: your local machine (the one from which you’ll be connecting to the server).

  1. Open a Terminal window.

  2. Generate the key:

  • You will be prompted to specify a location to save the key pair.

  • The default location is ~/.ssh/id_ed25519.

    • You can press ENTER to accept the default or specify a different location/filename.

  • You’ll then be asked for a passphrase. It's recommended to set a passphrase for added security. If you don’t want a passphrase, just press Enter twice.

Once the key pair is generated, the public key will be saved in ~/.ssh/id_ed25519.pub, and the private key will be saved in ~/.ssh/id_ed25519 (unless you changed the location or filename).

b) Copy the Public Key to the Remote Server

The public key (the half of the key that we don’t have to keep secret) needs to get copied over to the server, added specifically to the authorized_keys file for the user we just created in Step 1.

This is all done in a Terminal window (console).

  1. First, display the public key (so you can copy+paste):

  2. Next, log in to your droplet as root.

  3. Change/switch the active user to the “new” user you created earlier (shown here).

  4. Select/highlight the public key, then copy the contents of the public key (displayed in step 1) to your clipboard (usually Ctrl+Shift+C). Paste it in a text file temporarily.

  5. Edit the authorized_keys file as that new user: nano $HOME/.ssh/authorized_keys

  6. Paste the public key in a new line inside the file (usually Ctrl+Shift+V).

  7. Save the file (Ctrl+X, “y” for yes, and don’t change the filename).

The key should be immediately usable, and you can now log in from your client to your server as “admin” using the private key ~/.ssh/id_ed25519 in your SSH login command.

From your Client window, use:

Copyright © 2020-2024 General Bytes USA LLC