The first step I perform in any new server setup is to create a new sudo user and add my ssh keyfile to the new account. In this post I will walk you through this process step by step. This is crucial in any new server setup. You never want to login as root unless you absolutely have to, and you don’t want to leave your root user vulnerable. Unfortunately when you create a new droplet on Digital Ocean, you are often times logging in as root for the first time. No worries though. Here is what I do. You can follow along with the code, or simply watch the screen cast. One thing that I left out of the screen cast is deleting the ssh key from the root user once you have your new one set up. I will outline this in the steps below.
[email protected]:~# adduser murph [email protected]:~# usermod -aG sudo murph [email protected]:~# mkdir /home/murph/.ssh [email protected]:~# cp .ssh/authorized_keys /home/murph/.ssh/ [email protected]:~# chown -R murph:murph /home/murph/.ssh/
That’s it. Now we have a new user named murph who has sudo access and should be able to ssh into this machine using the same key file that we previously used for root. Of course you will want to verify this before moving onto the next step. I like to keep my current ssh session active and start a new one in case something goes wrong. From my local machine I will now try to ssh into the droplet with my new user murph.
[email protected]:~$ ssh -i ~/mysshkey.pem iliveinaterminal.com Last login: Mon Sep 2 22:01:38 2019 [email protected]:~$
And I’m in. Sweet! Now to get rid of the key file for the root user.
[email protected]:~$ sudo rm /root/.ssh/authorized_keys [sudo] password for murph: [email protected]:~$
Now to verify that root can no longer login with this key.
[email protected]:~$ ssh -i ~/themurphs.pem [email protected] The authenticity of host 'iliveinaterminal.com (220.127.116.11)' can't be established. ECDSA key fingerprint is SHA256:lJWd9YmJIe0w9jj70NtFez2AtYQ5i83L/6tZw/dKLc0. Are you sure you want to continue connecting (yes/no)? yes Failed to add the host to the list of known hosts (/home/murph/.ssh/known_hosts). [email protected]: Permission denied (publickey).
You’ll see that this time we got a permission denied. Just what we wanted. In my next post I will show you why I never leave ssh running on port 22 and how to better secure it. Here is the screen cast for adding a sudo user.