Creating a Superuser on your RunCloud managed servers

In this short tutorial we are going to create a superuser on our RunCloud managed servers.

RunCloud is a powerful tool that makes managing your servers incredibly easy, but it can’t do everything (yet). Sometimes we will still need to log in to our servers to perform administrative tasks, or issue other commands that require root privileges. These tasks can be performed by a superuser using the sudo command.

We could log in to our remote servers as the root user, but that is considered risky and bad practice due to the ease with which the root user can alter the system. It is also considered good security practice to disable remote root login to the server by SSH, protecting it from one of the major attack vectors.

For the reasons mentioned above, it is best practice to create and utilise a superuser.

Create a System User

Go to ‘System User’ in your RunCloud management platform for each of your servers, and click ‘Create’ to add a new ‘System User’:

RunCloud System Users Panel

Click ‘Create’ to add a System User

Choose a username for your system user. I am going to use ‘superuser’ for demonstration purposes; choose a name you find appropriate. The more unique the name is to you, the less likely it is that a bad actor will guess it. Avoid basic dictionary words and general terms.

You will also need to add a password. We will be disabling password login, so this password will not be viable as a login method, but it is still advisable to choose a strong password. Security must be in depth: even if an attacker gets into your system, they will still need to crack your password to issue any root privilege commands.

Having said that, you will also need to enter this password the first time you use the sudo command after each login. Therefore, you need a password that is both strong and memorable. A variety of techniques can help; see this Lifehacker article or this Carnegie Mellon article for more information and some ideas.

Create System User in RunCloud

Choose a Username and strong but memorable password.

Add an SSH Key for your System User

Next, we will upload a Public SSH key from the local machine that we will be connecting to our servers from, to our System User on the RunCloud managed server.

Generate an SSH Key pair on your local machine

If you already have an SSH Key, skip to the next section.

Windows users should follow this guide to generate their keys.

If you are using a *NIX operating system (Linux/macOS/Unix), it is very easy. To generate your SSH key pair, run the following command from the terminal on your local machine:

$ ssh-keygen

Assuming your local user is called ‘localuser’ (not very likely), then you should see an output, something like the following, in your terminal:

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/localuser/.ssh/id_rsa):

This is the default path; my suggestion is to just hit return to accept the path and filename.

We need to copy the public SSH key from our local machine. To do that, issue the following command:

$ cat ~/.ssh/id_rsa.pub

This will print out your Public Key in the terminal, something like the following:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD0NlbKiLwqNHF/H+OcQd6ShGz34874837""";;
sdkniwncnOYrwyUBqkBtulfZObTqh6vhbNxTChUbrIZpICE9wqTYVIvNDRc75bM2YEXBymYpZ4ZE17WwT
+ko2UsxygWC+yxwG9pwvShHw/PCYxdE232n5l1hQe38VPDlEOBcti8ZRYO42XQxv0jcb86jbpbNoqO2yC
fa/Aj6hJaSLcbGVdZRAijU/JCcKd7WTGIIhGWrw43q+HDLuF+9Z local_user@computer.local

Copy this to your clipboard.

Add the public SSH Key

Go to ‘SSH Keys’ in the RunCloud panel for your servers, and click ‘Create SSH Key’:

SSH Key Panel in RunCloud

Click the button to add an SSH key for a System User

In the ‘Add SSH Key’ panel, add a label for the key, choose the ‘System User’ to assign the key to, and then paste your public SSH key from your clipboard into the ‘Public Key’ box:

Add an SSH Key in RunCloud

Add your Public SSH Key to your System User

SSH Keys in RunCloud

A list of all your SSH Keys, labelled and assigned to System Users.

Grant our System User administrative privileges

Administrative privileges on a UNIX-like system are reserved for the root user. However, other system users can be added to the sudo group. This allows them to run commands as administrator (root) by issuing commands in the following format:

$ sudo <command>

To add your newly created ‘System User’ to the sudo group, log in to your server as root and issue the following command:

$ usermod -aG sudo <your-system-user>

Change user to your superuser and list out the groups to make sure your user belongs to the sudo group:

$ su - <your-superuser>
$ groups

Like so:

Add your System User to the Sudo Group to enable root privileges.


Secure the SSH Login Configuration

In your RunCloud management panel, click ‘Settings’ and scroll down to ‘SSH Config’.

Click the ‘Passwordless Login Only’ and ‘Prevent Root Login’ checkboxes, and press the ‘Save’ button:

Disable Root and Password Login

Secure your server by disabling root and password login.

Once we have done this, we should check that our superuser can log in using SSH keys:

$ ssh <your-superuser>@<your-server-ip>

If everything has been configured correctly, you should be able to log in as your superuser:

Log in as your superuser.


And finally, check that root user login has been disabled:

$ ssh root@<your_server_ip>

Your login attempt should be denied with a ‘Permission denied (publickey)’ message:

Ensure root login is disabled.
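
A complementary server-side check, added here as an example (it is not part of the original tutorial or of RunCloud's tooling): it reads sshd_config text and reports whether root and password logins are disabled. It assumes the two checkboxes correspond to sshd's PermitRootLogin and PasswordAuthentication directives, which the page does not show; the function names and sample configs are constructed.

```shell
#!/bin/sh
# Added example: audit sshd_config text for the two settings this section relies on.
# Limitation: "Include" files are not followed and Match blocks are not evaluated.

# Print the global value of a keyword. sshd keeps the FIRST value it reads for
# a keyword, keywords are case-insensitive, and lines after "Match" are conditional.
sshd_global_value() {   # usage: sshd_global_value KEYWORD < config
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        tolower($1) == "match" { exit }           # end of the global section
        tolower($1) == want && NF >= 2 { print tolower($2); exit }
    '
}

audit_sshd_config() {   # usage: audit_sshd_config < config ; returns 0 if hardened
    cfg=$(cat)
    root=$(printf '%s\n' "$cfg" | sshd_global_value PermitRootLogin)
    pass=$(printf '%s\n' "$cfg" | sshd_global_value PasswordAuthentication)
    # Defaults when a keyword is absent (assumption: OpenSSH 7.0 or later).
    root=${root:-prohibit-password}
    pass=${pass:-yes}
    rc=0
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=$root"; rc=1; }
    [ "$pass" = "no" ] || { echo "FAIL PasswordAuthentication=$pass"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK root and password login are disabled"
    return "$rc"
}

# Constructed sample: the later "PermitRootLogin no" never takes effect.
sample_weak() {
    printf '%s\n' \
        '# constructed sample, not from a real server' \
        'permitrootlogin yes' \
        'PasswordAuthentication no' \
        'PermitRootLogin no' \
        'Match User deploy' \
        '    PasswordAuthentication yes'
}

# Constructed sample: both directives set to "no" in the global section.
sample_hardened() {
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no'
}

sample_weak | audit_sshd_config || true   # prints FAIL PermitRootLogin=yes
sample_hardened | audit_sshd_config       # prints OK root and password login are disabled
```

On a live server, `sudo sshd -T` prints the effective configuration with Include files resolved, and its output can be piped into `audit_sshd_config`.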


That is it. From now on we can use our superuser whenever we need to login to our server and issue administrator privilege commands. We have also added an extra layer of security to our server, disrupting another attack vector that a nefarious player may target.

One response to “Creating a Superuser on your RunCloud managed servers”

  1. Post is empty (“Loading”)?
