In this short tutorial we are going to create a superuser on our RunCloud managed servers.
RunCloud is a powerful tool that makes managing your servers incredibly easy, but it can’t do everything (yet). Sometimes we will still need to log in to our servers to perform administrative tasks, or issue other commands that require root privileges. These tasks can be performed by a superuser using the sudo command.
We could log in to our remote servers as the root user, but that is considered risky and bad practice because of how easily the root user can alter the system. It is also good security practice to disable remote root login over SSH, closing off one of the major attack vectors.
For the reasons above, it is best practice to create and use a superuser instead.
This article contains preformatted code blocks with code examples that can be easily cut and pasted. However, if you are viewing the tutorial as a Facebook Instant Article these will not be visible, because Facebook does not support preformatted text. I have endeavoured to include Terminal screenshots illustrating each code example for those users.
Create a System User
Go to ‘System User’ in your RunCloud management platform for each of your servers, and click ‘Create’ to add a new ‘System User’:
Click ‘Create’ to add a System User
Choose a username for your system user. I am going to use ‘superuser’ for demonstration purposes; choose a name you find appropriate. The more unique the name is to you, the less likely it is that an attacker will guess it. Try not to choose basic dictionary words or general terms.
You will also need to add a password. We will be disabling password login, so this password will not work as a login method, but it is still advisable to choose a strong one. Security must be in depth: even if an attacker gets into your account, they will still need your password to issue any root-privileged commands.
Having said that, you will also need to enter this password the first time you use the sudo command after each login. Therefore, you need a password that is both strong and memorable. There are a variety of techniques that can help you; check out this Lifehacker Article or this Carnegie Mellon Article for more information and some ideas.
Choose a Username and strong but memorable password.
Add an SSH Key for your System User
Next, we will upload a Public SSH key from the local machine that we will be connecting to our servers from, to our System User on the RunCloud managed server.
Generate an SSH Key pair on your local machine
If you already have an SSH Key, skip to the next section.
Windows users should please follow this guide to generate their keys.
If you are using a *NIX operating system (Linux/macOS/Unix) it is very easy. All you need to do to generate your SSH key pair is run the ssh-keygen command from the terminal on your local machine. Your terminal will confirm generation of the key pair and ask where to save the keys.
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/localuser/.ssh/id_rsa):
Generate Key Pair on your local machine.
Assuming your local user is called ‘localuser’ (not very likely), you should see output something like the above in your terminal. This is the default path; my suggestion is to just hit Enter to accept the path and filename.
We need to copy the public SSH key from our local machine. To do that, print your public key in the terminal using the cat command with the path to your id_rsa.pub file, like so:
$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD0NlbKiLwqNHF/H+OcQd6ShGz34874837""";; sdkniwkajhsdkjahdssflmckjkaslfZObTqh6vhbNxTChUbrIZpICE9wqTYVIvNDRc75bM2YEXBymYpZ4ZE17WwT+ko2UsxygWC+yxwG9p348973298472lksndakashdCYxdE232n5l1hQe38VPDlEOBcti8ZRYO42XQxv0jcb86jbpbNoqO2yCfa/Aj6hJaSLcbGVdZRAijU/JCcKd7WTGIIhGWrw43q+HDLuF+9Z email@example.com
Print out your Public Key to the Terminal
Copy this to your clipboard.
Add the public SSH Key
Go to ‘SSH Keys’ in the RunCloud panel for your servers, and click ‘Create SSH Key’:
Click the button to add an SSH key for a System User
In the ‘Add SSH Key’ panel, add a label for the key, choose the ‘System User’ to assign the key to, and then paste your public SSH key from your clipboard into the ‘Public Key’ box:
Add your Public SSH Key to your System User
A list of all your SSH Keys, labelled and assigned to System Users.
Grant our System User administrative privileges
Administrative privileges on a UNIX-like system are reserved for the root user. However, other system users can be added to the sudo group. This allows them to run commands as the administrator (root) by prefixing the command with sudo.
$ sudo <command>
To add your newly created ‘System User’ to the sudo group, log in to your server as root and use usermod to add your user to the sudo group. Then use su - <user> to switch to your superuser and list its groups to make sure the user belongs to the sudo group.
# usermod -aG sudo <your-system-user>
# su - <your-superuser>
$ groups
Add your System User to the Sudo Group to enable root privileges.
Secure the SSH Login Configuration
In your RunCloud management panel, click ‘Settings’ and scroll down to ‘SSH Config’.
Click the ‘Passwordless Login Only’ and ‘Prevent Root Login’ checkboxes, and press the ‘Save’ button:
Secure your server by disabling root and password login.
Once we have done this, we should check that our superuser can log in over SSH. If everything has been configured correctly, you should be able to log in as your superuser.
$ ssh <your-superuser>@<your-server-ip>
SSH Login as your superuser.
And finally, we should ensure that root login has been disabled. If you try to log in as root over SSH, your login attempt should be denied with a ‘Permission denied (publickey)’ response.
$ ssh root@<your_server_ip>
Ensure root login is disabled.
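The checks described in the last two sections can also be scripted, so you can re-verify the hardening after any panel change. The following is an added example, not part of the original tutorial or of RunCloud; it parses constructed sample copies of sshd_config and /etc/group (the real files on a server live at /etc/ssh/sshd_config and /etc/group) and reports whether root login and password authentication are off and whether the chosen user is in the sudo group. Note that sshd honours the first occurrence of a keyword, so a later duplicate does not override an earlier one; Match blocks are not handled here.

```shell
#!/bin/sh
# Constructed sample of a hardened sshd_config (not from any real server).
SAMPLE_SSHD_CONFIG='# sample sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes   # duplicate: ignored, sshd keeps the first value
'
# Constructed sample of a still-weak sshd_config.
WEAK_SSHD_CONFIG='PermitRootLogin yes
PasswordAuthentication yes
'
# Constructed sample of /etc/group with our superuser in the sudo group.
SAMPLE_GROUP='root:x:0:
sudo:x:27:superuser
users:x:100:
'

# sshd_effective_value <config-text> <keyword>
# Prints the value sshd will use: the FIRST matching keyword (case-insensitive).
sshd_effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == tolower(key) { print $2; exit }'
}

# check_ssh_hardening <config-text>
# Succeeds only if both root login and password login are disabled.
# Missing keywords fall back to the sshd defaults (prohibit-password / yes).
check_ssh_hardening() {
    root=$(sshd_effective_value "$1" PermitRootLogin)
    pass=$(sshd_effective_value "$1" PasswordAuthentication)
    [ "${root:-prohibit-password}" = "no" ] && [ "${pass:-yes}" = "no" ]
}

# user_in_sudo_group <group-file-text> <user>
# Succeeds if <user> is listed among the members of the sudo group.
user_in_sudo_group() {
    printf '%s\n' "$1" | awk -F: -v user="$2" '
        $1 == "sudo" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == user) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Demo on the constructed samples.
check_ssh_hardening "$SAMPLE_SSHD_CONFIG" && echo "ssh hardening: ok" || echo "ssh hardening: NOT ok"
user_in_sudo_group "$SAMPLE_GROUP" superuser && echo "superuser in sudo group" || echo "superuser NOT in sudo group"
```

On a real server, run the same functions on the live files with check_ssh_hardening "$(cat /etc/ssh/sshd_config)" and user_in_sudo_group "$(cat /etc/group)" <your-superuser>.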
That is it. From now on we can use our superuser whenever we need to log in to our server and issue administrator-privileged commands. We have also added an extra layer of security to our server, disrupting another attack vector that a nefarious player might target.