In this short tutorial we are going to create a superuser on our RunCloud managed servers.
RunCloud is a powerful tool that makes managing your servers incredibly easy, but it can’t do everything (yet). Sometimes we will still need to log in to our servers to perform administrative tasks, or issue other commands that require root privileges. These tasks can be performed by a superuser using the sudo command.
We could log in to our remote servers as the root user, but that is considered risky and bad practice due to the ease with which the root user can alter the system. It is also considered good security practice to disable remote root login to the server by SSH, protecting it from one of the major attack vectors.
For the reasons mentioned above, it is best practice to create and utilise a superuser.
Create a System User
Go to ‘System User’ in your RunCloud management platform for each of your servers, and click ‘Create’ to add a new ‘System User’:
Choose a username for your system user. I am going to use ‘superuser’ for demonstration purposes; choose a name you find appropriate. The more unique the name is to you, the less likely it is that an attacker can guess it. Remember, try not to choose basic dictionary words or general terms.
You will also need to add a password. We will be disabling password login over SSH, so this password cannot be used to log in, but it is still advisable to choose a strong one: security should be layered. Even if an attacker gets into your system as this user, they will still need to crack your password before sudo lets them issue any command as root.
That said, you will need to enter this password the first time you use the sudo command after each login. Therefore, you need a password that is both strong and memorable. There are a variety of techniques that can help; check out this Lifehacker article or this Carnegie Mellon article for more information and some ideas.
Add an SSH Key for your System User
Next, we will upload the public SSH key from the local machine we will be connecting from to our System User on the RunCloud managed server.
Generate an SSH Key pair on your local machine
If you already have an SSH Key, skip to the next section.
Windows users should follow this guide to generate their keys.
If you are using a *NIX operating system (Linux/macOS/Unix) it is very easy. All you do to generate your SSH key pair is run the following command from the terminal on your local machine:
Assuming your local user is called ‘localuser’ (unlikely, but it keeps the example simple), you should see output like the following in your terminal:
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/localuser/.ssh/id_rsa):
This is the default path; my suggestion is to just hit return to accept the path and filename.
We need to copy the public SSH key from our local machine. To do that, issue the following command:
$ cat ~/.ssh/id_rsa.pub
This will print out your Public Key in the terminal, something like the following:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD0NlbKiLwqNHF/H+OcQd6ShGz34874837""";; sdkniwncnOYrwyUBqkBtulfZObTqh6vhbNxTChUbrIZpICE9wqTYVIvNDRc75bM2YEXBymYpZ4ZE17WwT +ko2UsxygWC+yxwG9pwvShHw/PCYxdE232n5l1hQe38VPDlEOBcti8ZRYO42XQxv0jcb86jbpbNoqO2yC fa/Aj6hJaSLcbGVdZRAijU/JCcKd7WTGIIhGWrw43q+HDLuF+9Z email@example.com
Copy this to your clipboard.
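As an added check that is not part of the original tutorial: a stray character introduced by a bad copy/paste (a quote, a line break, a missing tail) will make the key useless with no obvious error, so it is worth confirming that the line you copied is still a well-formed OpenSSH public key before pasting it into the panel. The snippet below parses the `ssh-rsa <base64> [comment]` format and reports the modulus size; the key lines inside it are constructed wire-format samples, not real key pairs.

```python
import base64
import binascii
import struct

def _ssh_string(data):
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(value):
    """SSH mpint for a positive integer: prefix 0x00 when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def _read_string(blob, off):
    """Read one SSH wire-format string at offset off; return (bytes, next_offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated string body")
    return blob[off + 4:off + 4 + n], off + 4 + n

def inspect_public_key(line):
    """Parse an 'ssh-rsa <base64> [comment]' line; raise ValueError if it is malformed."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = fields[0], fields[1]
    if key_type != "ssh-rsa":
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"key material is not valid base64: {exc}") from exc
    embedded, off = _read_string(blob, 0)
    if embedded != b"ssh-rsa":
        raise ValueError("declared key type does not match the type inside the blob")
    _e, off = _read_string(blob, off)                # public exponent (not needed here)
    n, off = _read_string(blob, off)                 # modulus as mpint
    if off != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    bits = int.from_bytes(n, "big").bit_length()
    return {"type": key_type, "bits": bits, "comment": fields[2] if len(fields) == 3 else ""}

# Constructed samples (wire format only, not a real key pair): a 2048-bit RSA-shaped
# blob, and the same kind of line damaged the way a bad copy/paste would be.
SAMPLE_RSA = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 1)).decode() + " localuser@laptop"
DAMAGED = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD0Nl"";;bKiLwq localuser@laptop'
```

Run `inspect_public_key` on the line you copied with `cat`; anything other than a clean dictionary with the expected bit size means the paste is not what `ssh-keygen` wrote.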
Add the public SSH Key
Go to ‘SSH Keys’ in the RunCloud panel for your servers, and click ‘Create SSH Key’:
In the ‘Add SSH Key’ panel, add a label for the key, choose the ‘System User’ to assign the key to, and then paste your public SSH key from your clipboard into the ‘Public Key’ box:
Grant our System User administrative privileges
Administrative privileges on a UNIX-like system are reserved for the root user. However, other system users can be added to the sudo group. This allows them to run commands as root by prefixing them with sudo, in the following format:
$ sudo <command>
To add your newly created ‘System User’ to the sudo group, log in to your server as root and issue the following command:
$ usermod -aG sudo <your-system-user>
Switch to your superuser and list its groups to make sure it belongs to the sudo group:
$ su - <your-superuser>
$ groups
Secure the SSH Login Configuration
In your RunCloud management panel, click ‘Settings’ and scroll down to ‘SSH Config’.
Click the ‘Passwordless Login Only’ and ‘Prevent Root Login’ checkboxes, and press the ‘Save’ button:
Once we have done this, we should check that our superuser can log in using SSH keys:
$ ssh <your-superuser>@<your-server-ip>
If everything has been configured correctly, you should be able to log in as your superuser:
And finally, check that root user login has been disabled:
$ ssh root@<your_server_ip>
Your login attempt should be rejected with a ‘Permission Denied (publickey)’ message:
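As an added check, not part of the original tutorial: if you also have shell access, you can confirm what sshd will actually enforce by auditing the server's sshd_config rather than relying on a manual login test alone. This assumes the two panel options correspond to the standard OpenSSH directives `PermitRootLogin no` and `PasswordAuthentication no` (an assumption about RunCloud, not something the panel documents here); the config texts in the snippet are constructed samples, and the checker applies sshd's first-occurrence-wins rule and ignores conditional `Match` blocks.

```python
import re

# OpenSSH defaults used when a directive is absent (reference values, not from the page).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def global_settings(config_text):
    """Map each directive to the value sshd uses outside any Match block: sshd keeps the
    FIRST occurrence, and every line after a 'Match' line is conditional, so both are skipped."""
    settings = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank or comment line
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                           # rest of the file is conditional
            continue
        if not in_match:
            settings.setdefault(key, value)           # first occurrence wins
    return settings

def audit_sshd_config(config_text):
    """Return a list of findings; an empty list means both hardening options are active."""
    settings = global_settings(config_text)
    findings = []
    for name in ("PermitRootLogin", "PasswordAuthentication"):
        actual = settings.get(name.lower(), DEFAULTS[name.lower()]).lower()
        if actual != "no":
            findings.append(f"{name} is '{actual}' (expected 'no')")
    return findings

# Constructed sample configs: a fresh install's defaults, the hardened state this tutorial
# aims for (a later duplicate and a Match block must not change the verdict), and a config
# where PasswordAuthentication is only disabled inside a Match block.
FRESH = """#PermitRootLogin prohibit-password
PasswordAuthentication yes
"""
HARDENED = """PermitRootLogin no
PasswordAuthentication no
PermitRootLogin yes
Match User deploy
    PasswordAuthentication yes
"""
MATCH_ONLY = """PermitRootLogin no
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""
```

On a real server, pass the contents of /etc/ssh/sshd_config to `audit_sshd_config` and treat any non-empty result as a setting the panel did not apply.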
That is it. From now on we can use our superuser whenever we need to log in to our server and issue commands with administrator privileges. We have also added an extra layer of security to our server, closing off one more attack vector that an attacker may target.