Creating a Superuser on your RunCloud managed servers

In this short tutorial we are going to create a superuser on our RunCloud managed servers.

RunCloud is a powerful tool that makes managing your servers incredibly easy, but it can’t do everything (yet). Sometimes we will still need to log in to our servers to perform administrative tasks, or issue other commands that require root privileges. These tasks can be performed by a superuser using the sudo command.

We could log in to our remote servers as the root user, but that is considered risky and bad practice due to the ease with which the root user can alter the system. It is also considered good security practice to disable remote root login to the server by SSH, protecting it from one of the major attack vectors.

For the reasons mentioned above, it is best practice to create and utilise a superuser.

This article contains preformatted code blocks with examples that can easily be copied and pasted. However, if you are viewing the tutorial as a Facebook Instant Article these will not be visible, due to Facebook’s policy of not supporting preformatted text. I have endeavored to include Terminal screenshots illustrating each code example for those users.

Create a System User

Go to ‘System User’ in your RunCloud management platform for each of your servers, and click ‘Create’ to add a new ‘System User’:

RunCloud System Users panel: click ‘Create’ to add a System User.

Choose a Username for your system user. I am going to use ‘superuser’ for demonstrative purposes; choose a name you find appropriate. The more unique the name is to yourself, the less likely it is that a bad actor will guess it. Remember, try not to choose basic dictionary words or general terms.

You will also need to add a password. We will be disabling password login, so this password will not be viable as a login method, but it is still advisable to choose a strong password. Security must be in depth. Even if an attacker gets into your system, they will still need to crack your password to issue any root privilege commands.

Having said that, you will need to enter this password the first time you use the sudo command after each login. Therefore, you need a password that is both strong and memorable. There are a variety of techniques that can help; check out this Lifehacker Article or this Carnegie Mellon Article for more information and some ideas.

Create System User in RunCloud: choose a Username and a strong but memorable password.

Add an SSH Key for your System User

Next, we will upload a Public SSH key from the local machine that we will be connecting to our servers from, to our System User on the RunCloud managed server.

Generate an SSH Key pair on your local machine

If you already have an SSH Key, skip to the next section.

Windows users should follow this guide to generate their keys.

If you are using a *NIX operating system (Linux/macOS/Unix) it is very easy. All you need to do to generate your SSH key pair is run the ssh-keygen command from the terminal on your local machine. Your terminal will confirm generation of the key pair and ask where to save the keys.

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/localuser/.ssh/id_rsa):

Generate Key Pair on your local machine.

Assuming your local user is called ‘localuser’ (not very likely), you should see output like the above in your terminal. This is the usual path; my suggestion is to just hit enter to accept the path and filename.

We need to copy the public SSH key from our local machine. To do that, print your public key in the terminal using the cat command and the path to your id_rsa.pub file, like so:

$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD0NlbKiLwqNHF/H+OcQd6ShGz34874837""";;
sdkniwkajhsdkjahdssflmckjkaslfZObTqh6vhbNxTChUbrIZpICE9wqTYVIvNDRc75bM2YEXBymYpZ4ZE17WwT+ko2UsxygWC+yxwG9p348973298472lksndakashdCYxdE232n5l1hQe38VPDlEOBcti8ZRYO42XQxv0jcb86jbpbNoqO2yCfa/Aj6hJaSLcbGVdZRAijU/JCcKd7WTGIIhGWrw43q+HDLuF+9Z local_user@computer.local

Print out your Public Key to the Terminal.

Copy this to your clipboard.

Add the public SSH Key

Go to ‘SSH Keys’ in the RunCloud panel for your servers, and click ‘Create SSH Key’:

SSH Key panel in RunCloud: click the button to add an SSH key for a System User.

In the ‘Add SSH Key’ panel, add a label for the key, choose the ‘System User’ to assign the key to, and then paste your Public SSH Key from your clipboard into the ‘Public Key’ box:

Add an SSH Key in RunCloud: add your Public SSH Key to your System User.

SSH Keys in RunCloud: a list of all your SSH Keys, labelled and assigned to System Users.

Grant our System User administrative privileges

Administrative privileges on a UNIX-like system are reserved for the root user. However, other system users can be added to the sudo group. This allows them to run commands as administrator (root) by issuing commands preceded by sudo.

$ sudo <command>

To add your newly created ‘System User’ to the sudo group, log in to your server as root and use usermod to add your user to the sudo group. Then use the su - <user> command to switch to your superuser and list its groups to make sure the user belongs to the sudo group.

# usermod -aG sudo <your-system-user>
# su - <your-superuser>
$ groups

Add your System User to the Sudo Group to enable root privileges.

Secure the SSH Login Configuration

In your RunCloud management panel, click ‘Settings’ and scroll down to ‘SSH Config’.

Click the ‘Passwordless Login Only’ and ‘Prevent Root Login’ checkboxes, and press the ‘Save’ button:

Disable Root and Password Login: secure your server by disabling root and password login.

Once we have done this, we should check that our superuser can log in by SSH. If everything has been configured correctly, you should be able to log in as your superuser.

$ ssh <your-superuser>@<your-server-ip>

SSH Login as your superuser.

And finally, we should ensure that root login has been disabled. If you try to log in as root by SSH, your login attempt should be denied with a ‘Permission denied (publickey)’ response.

$ ssh root@<your_server_ip>

Ensure root login is disabled.
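As an added example (not part of the original tutorial or RunCloud's own tooling), the following shell function checks the server's effective sshd settings directly, since a refused root login from a client without a matching key looks the same whether root login is fully disabled or only root password login is. It assumes the two panel checkboxes correspond to the standard OpenSSH directives PermitRootLogin and PasswordAuthentication; the function and sample names are hypothetical and the sample settings are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit the effective sshd
# settings. Input format is that of `sshd -T`: one "keyword value" per line.

# audit_sshd: reads settings on stdin, prints one line per check,
# returns 0 when every check passes and 1 otherwise.
audit_sshd() {
    awk '
    { seen[tolower($1)] = tolower($2) }
    function check(key, want,    got) {
        got = (key in seen) ? seen[key] : "(not reported)"
        if (got == want) { print "ok   " key " " got }
        else { print "FAIL " key " " got " (want " want ")"; bad = 1 }
    }
    END {
        check("permitrootlogin", "no")
        check("passwordauthentication", "no")
        check("pubkeyauthentication", "yes")
        # Older OpenSSH reports challengeresponseauthentication instead.
        kbd = "kbdinteractiveauthentication"
        if (!(kbd in seen)) kbd = "challengeresponseauthentication"
        check(kbd, "no")
        exit bad + 0
    }'
}

# Constructed sample: settings assumed after ticking both panel checkboxes.
sample_hardened() {
    cat <<'EOF'
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
EOF
}

# Constructed sample: root can still log in with a key, PAM prompts remain.
sample_weak() {
    cat <<'EOF'
permitrootlogin prohibit-password
passwordauthentication no
challengeresponseauthentication yes
pubkeyauthentication yes
EOF
}

# Demo on the constructed samples; on a server use: sudo sshd -T | audit_sshd
sample_hardened | audit_sshd || true
sample_weak | audit_sshd || true
```

Run it from the superuser session you just verified, so that a failed check can be corrected without losing access.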

That is it. From now on we can use our superuser whenever we need to log in to our server and issue administrator privilege commands. We have also added an extra layer of security to our server, disrupting another attack vector that a nefarious player may target.

Proper server and system security is a top priority with RunCloud. We employ best practices and tried and trusted technologies to ensure that any RunCloud managed server is safe from bad players. If you haven’t already, sign up for your free trial with RunCloud today and enjoy unparalleled security and amazing convenience.

2 responses to “Creating a Superuser on your RunCloud managed servers”

  1. Post is empty (“Loading”)?

  2. Sanjib says:

    Thanks for the short tutorial, but in this short tutorial you have not explained how to change the password of the superuser.
