Code Trips & Tips

, ,

Adding a new sudoer in Ubuntu

This is something I have to do from time to time, but not frequently enough that I manage to memorize it – but trivial enough that it annoys me to have to look it up every time. Here’s to future memory: create a new user `bob` sudo adduser bob check that the `admin` group is…

Marco
3 minutes
This is something I have to do from time to time, but not frequently enough that I manage to memorize it – but trivial enough that it annoys me to have to look it up every time.
Here’s to future memory:
  1. create a new user `bob`
    sudo adduser bob
  2. check that the `admin` group is the one for the ‘sudoers’ on the machine
    sudo cat /etc/sudoers
  3. add Bob to the admin group
    sudo addgroup bob admin
done!

Optionally, to allow `bob` to execute `sudo` without having to type up the password every time the permission window expires, you can add the following to/etc/sudoers:

bob ALL=NOPASSWD: ALL

Disabling SSH root access

Incidentally, always worth disabling SSH root access for the machine: it’s the one account hackers know for a fact it must be there, and the one they’ll try to crack – the additional positive side-effect is that, at the first attempt to ssh as root, they’ll be left hanging waiting for a response from sshd, which is nice.
Unless you have already done so, you must first create your own personal account and add yourself to the sudoers, as shown above – then try that this all Works As Intended, by logging out from ssh, logging back in as `bob` and executing a harmless, but root-only-allowed command:
ssh -l bob server
bob@server:~$ whoami
bob
 
bob@server:~$ sudo touch /etc/blah
Password:    <------ NOTE: this is Bob's password, NOT root's
 
bob@server:~$ ls -l /etc/blah
-rw-r--r-- 1 root root 0 2011-11-12 13:28 /etc/blah  <-- NOTE `root` owner
 
bob@server:~$ sudo rm /etc/blah
 
bob@server:~$ ls -l /etc/blah
ls: cannot access /etc/blah: No such file or directory
 
bob@server:~$ groups
bob admin
Now that we know we can manage our instance from the safety of a non-root account, we can disable SSH access to root: head straight for the sshd (SSH daemon) configuration file and find the line below, change it to “no“:
bob@server:~$ sudo vim /etc/ssh/sshd_config 
 
PermitRootLogin no
save the file and you’re done.
Try it out: logout, try ssh root@server and you will see it just hangs there – enjoy that warm fuzzy feeling induced by the knowledge that the hacker’s machine will be just equally sitting there, like a clueless idiot, just waiting for a response that’ll never come.

Sugarcoating: passwordless access & short-name resolving

Your server may have a name such as bob.remote.server.blah.foobar.com – typing this every time you want to ssh into it may grow pretty thin after a few times: just add a line to your /etc/hosts file on your box (remember, you have to do this as root):
$ sudo vim /etc/hosts
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1                   localhost
255.255.255.255         broadcasthost
::1                localhost 
fe80::1%lo0             localhost
# This is the line to add, if the IP is assigned statically:
110.22.8.111       bob.remote.server.blah.foobar.com  bob.remote


This way, you can just log into your remote host using:

ssh -l bob bob.remote

However, you still will be asked for your password every time you want to SSH into that instance: to avoid this, you will need to create a private/public key pair, and upload the public key to your RS instance’s authorized_keys file (more details here).

On your box:

$ ssh-keygen -t rsa
DO NOT ENTER a passphrase, but protect the private key:

$ chmod 600 .ssh/id_rsa
$ ls ~/.ssh
total 32
drwx------   5 marco  staff   170B Oct 26 13:26 .
drwxr-xr-x+ 39 marco  staff   1.3K Nov 11 16:30 ..
-rw-------   1 marco  staff   1.6K Oct 26 13:24 id_rsa
-rw-------@  1 marco  staff   401B Oct 26 13:24 id_rsa.pub
-rw-r--r--   1 marco  staff   4.4K Nov 10 15:55 known_hosts
$ cat ~/.ssh/id_rsa.pub
(Copy the key into your clipboard)

$ ssh -l bob bob.remote
Password:     <-- You WILL be asked for the password

[bob@bob.remote:~]$ vim .ssh/authorized_keys
# this may be empty, that's ok
# Paste the key and save the file; if this creates the file, make sure it's only writeable by you
[bob@bob.remote:~]$ chmod 600 .ssh/authorized_keys
[bob@bob.remote:~]$ exit

$ ssh -l bob bob.remote

Welcome to Ubuntu 11.04 (GNU/Linux 2.6.35.4-rscloud x86_64)
* Documentation:  https://help.ubuntu.com/

Last login: Sat Nov 12 16:21:51 2011 from 12.90.36.218

Look, ma, no password!

One response to “Adding a new sudoer in Ubuntu”

  1. Bradley Russo Avatar
    Bradley Russo

    Thanks for this blog poost

    Reply

Leave a comment

Trending