How to create a sudo user in Ubuntu 18.04

If you’ve followed any of our community Linux-based tutorials, you’ve likely seen the emphasis on creating a sudo user, that is, a regular user account that can be granted the root user’s privileges through sudo. One of the first steps you can take to secure your servers against intrusions by bad actors is to disable remote logins by the root user and connect over SSH only as the sudo user.

In this guide, we’ll step through two ways to set up your sudo user: one with a traditional password login, and the other using only an SSH key. We recommend you handle your logins through SSH keys. Not only is key authentication far stronger than a password (the private key never leaves your machine and cannot be guessed), but it saves you the pain of having to remember or type out what are often lengthy and complicated passwords.

Option 1: Create a sudo user with a password

First, create the new user and give it the bash shell (command line interface) in one command (adduser is one of several ways Linux offers to create a user):

adduser --shell /bin/bash myuser

Now append (-a) the user to the sudo group (-G) like so:

usermod -aG sudo myuser

We’re technically done, but set up like this, sudo will prompt for the user’s password every time we run a sudo command. The following combined command appends a NOPASSWD rule for your new user to the sudoers file (visudo checks the syntax before saving it), so sudo no longer asks for a password. Keep in mind that this means anyone who can log in as this user gets root immediately, with no second check:

echo "myuser ALL=(ALL) NOPASSWD: ALL" | (EDITOR="tee -a" visudo)

Test your new user login with the password

You should now test your new user’s SSH login. In a new terminal session, use the following command, replacing myuser with your username and supplying the server’s IP address:

ssh myuser@

Now test your sudo permissions like so:

sudo su -

If successful, the username in your command prompt should change to root (or, if your prompt is customized and doesn’t display the username, simply confirm you don’t get a “permission denied” error message).


Option 2: Create a sudo user with only an SSH key

The steps in this option assume your root user already logs in with an SSH key, so its public key is in /root/.ssh/authorized_keys.

First, create your user, replacing myuser with the desired name in the commands below:

adduser --shell /bin/bash --system --group myuser

Now create the .ssh directory that will hold your new user’s key:

mkdir /home/myuser/.ssh

SSH keys and their directories have strict permission requirements (with StrictModes enabled, sshd refuses to use keys in a directory that others can write to), so let’s set the appropriate permissions on this directory now:

chmod 0700 /home/myuser/.ssh/

Copy the contents of your root user’s .ssh directory into your new user’s .ssh directory (the space between /root/.ssh and /home/myuser/ separates the source from the destination). Note that this copies everything in /root/.ssh, including any private keys and known_hosts, not just authorized_keys:

cp -Rfv /root/.ssh /home/myuser/

Next, change the owner and group of your new user’s home directory and SSH key directory as shown:

chown -Rfv myuser:myuser /home/myuser/.ssh

chown -R myuser:myuser /home/myuser

Now we’re ready to add the new user to the sudo group:

gpasswd -a myuser sudo

Now use the following one-line combined command to append a NOPASSWD rule for your new user to the sudoers file (visudo checks the syntax before saving it), so sudo will not prompt for a password:

echo "myuser ALL=(ALL) NOPASSWD: ALL" | (EDITOR="tee -a" visudo)

Restart the SSH service. This may briefly disrupt your connection to the server (though typically your session stays up). Even if something goes wrong at this point, root login is still enabled, so we’re not locked out of anything.

systemctl restart ssh

Test your new user login with the SSH key

You should now test your new user’s SSH login by specifying the private key file on your local machine. Use the following command, replacing mykey with your key’s filename and supplying the server’s IP address:

ssh -i .ssh/mykey myuser@

Now test your sudo permissions like so:

sudo su -

If successful, the username in your command prompt should change to root (or, if your prompt is customized and doesn’t display the username, simply confirm you don’t get a “permission denied” error message).


Disable root SSH login (optional but recommended)

Now that we have a working sudo user, it’s highly recommended that we prevent any SSH logins directly as root. Guessing the root password over SSH is a favorite tactic of malicious bots, whereas it’s much less likely that anyone outside you and your organization knows the sudo user’s name.

Use your preferred text editor (here we used vim) to edit the sshd_config file:

vim /etc/ssh/sshd_config

Locate the PermitRootLogin line in the configuration file, ensure it is not commented out with a leading #, and change its value to no like so:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
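Before restarting, it is worth verifying the two things that most often cause a lockout at this step: that the PermitRootLogin line you edited is the one sshd will actually honour (the first uncommented occurrence wins, and a Match block ends the global section), and that the new user’s .ssh directory still passes the permission checks from the earlier step. The script below is an added example, not part of the original guide; it takes file paths as arguments (an assumption, so it can be pointed at a staging copy) and exercises itself on constructed temporary files rather than the live system.

```shell
#!/bin/sh
# Added example (not from the guide): pre-flight checks before restarting sshd
# with PermitRootLogin no. Paths are arguments (assumption) so a copy can be checked.

# Effective PermitRootLogin for the global section of an sshd_config.
# Mirrors sshd's parsing: keywords are case-insensitive, lines starting with
# '#' are comments, the FIRST occurrence wins, and a Match block ends the
# global section. OpenSSH 7.6 (Ubuntu 18.04) defaults to prohibit-password.
permit_root_login() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" {
            v = ($2 == "=") ? $3 : $2      # "PermitRootLogin = no" form
            gsub(/"/, "", v); print v; found = 1; exit
        }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# Returns 0 only if root SSH login is fully disabled (not merely prohibit-password).
root_login_disabled() {
    [ "$(permit_root_login "$1")" = "no" ]
}

# Check the new user's key material the way sshd's StrictModes will:
# ~/.ssh owned by the user and mode 0700 (as set in the guide), and
# authorized_keys owned by the user and not group/world writable.
ssh_dir_ok() {
    u_home=$1; u_name=$2
    d="$u_home/.ssh"; k="$d/authorized_keys"
    [ -d "$d" ] && [ -f "$k" ] || return 1
    [ "$(stat -c '%U' "$d")" = "$u_name" ] || return 1
    [ "$(stat -c '%a' "$d")" = "700" ] || return 1
    [ "$(stat -c '%U' "$k")" = "$u_name" ] || return 1
    case "$(stat -c '%a' "$k")" in 600|644) return 0 ;; *) return 1 ;; esac
}

# Demo on constructed input: a temp dir standing in for /home/myuser and two
# sshd_config fragments, so nothing on the real system is touched.
demo=$(mktemp -d)
printf '#PermitRootLogin yes\n' > "$demo/stock"          # Ubuntu default: still commented out
printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$demo/fixed"
for f in stock fixed; do
    if root_login_disabled "$demo/$f"; then r=disabled; else r="NOT disabled"; fi
    echo "$f: PermitRootLogin=$(permit_root_login "$demo/$f") -> root login $r"
done
mkdir -m 700 "$demo/.ssh" && : > "$demo/.ssh/authorized_keys" && chmod 600 "$demo/.ssh/authorized_keys"
ssh_dir_ok "$demo" "$(id -un)" && echo ".ssh permissions OK" || echo ".ssh permissions WRONG"
rm -rf "$demo"
```

On the live server, `sshd -T | grep -i permitrootlogin` prints the value sshd will actually use and `sshd -t` reports syntax errors in the whole file; run both before the restart below.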

Restart the SSH service one more time. This time you may be locked out if you’ve made a mistake or the sudo user isn’t working properly, so be sure you’ve carefully tested everything up to this point:

systemctl restart ssh

If all else fails, remember that you can still log in as the root user with its password through the server console (since this bypasses SSH), and most other VPS providers and physical devices offer similar console access.
