
How to Use Sudo on Debian, CentOS, and FreeBSD

Using a sudo user to access a server and execute commands at root level is a very common practice among Linux and Unix systems administrators. The use of a sudo user is often coupled with disabling direct root access to one's server in an effort to prevent unauthorized access.
In this tutorial from the www.vcclhosting.com blog, we will cover the basic steps for disabling direct root access, creating a sudo user, and setting up the sudo group on CentOS, Debian, and FreeBSD.

Prerequisites

Step 1: Installing sudo

Debian

apt-get install sudo -y 

CentOS

yum install sudo -y 

FreeBSD

cd /usr/ports/security/sudo/ && make install clean 
or
pkg install sudo 

Step 2: Adding the sudo user

A sudo user is a normal user account on a Linux or Unix machine.

Debian

adduser mynewusername 

CentOS

adduser mynewusername 

FreeBSD

adduser mynewusername 

Step 3: Adding the new user to the wheel group (optional)

The wheel group is a user group which limits the number of people who are able to su to root. Adding your sudo user to the wheel group is entirely optional, but it is advisable.
Note: In Debian, the sudo group is often found instead of wheel. You can however manually add the wheel group using the groupadd command. For the purpose of this tutorial, we will use the sudo group for Debian.

The difference between wheel and sudo.

In CentOS and Debian, a user belonging to the wheel group can execute su and directly ascend to root. Meanwhile, a sudo user would have to use sudo su first. Essentially, there is no real difference except for the syntax used to become root, and users belonging to both groups can use the sudo command.

Debian

usermod -aG sudo mynewusername 

CentOS

usermod -aG wheel mynewusername 

FreeBSD

pw group mod wheel -m mynewusername 

Step 4: Making sure your sudoers file is set up properly

It is important to ensure that the sudoers file located at /etc/sudoers is set up properly so that sudo users can effectively use the sudo command. To accomplish that, we will view the contents of /etc/sudoers and edit them where applicable.

Debian

vim /etc/sudoers 
or
visudo 

CentOS

vim /etc/sudoers 
or
visudo 

FreeBSD

vim /etc/sudoers 
or
visudo 
Note: The visudo command will open /etc/sudoers using the system's preferred text editor (usually vi or vim). It also locks the file and checks the syntax before saving, which makes it the safer choice.
Start reviewing and editing below this line:
# Allow members of group sudo to execute any command 
This section of /etc/sudoers often looks like this:
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
In some systems, you may find %wheel instead of %sudo, in which case this would be the line under which you would start modifying.
If the line starting with %sudo in Debian or %wheel in CentOS and FreeBSD is not commented out (prefixed by #), this means that sudo is already set up and enabled. You can then move to the next step.

Step 5: Allowing a user that belongs to neither the wheel nor the sudo group to execute the sudo command

It is possible to allow a user that is in neither user group to execute the sudo command by simply adding them to /etc/sudoers as follows:
anotherusername ALL=(ALL) ALL 

Step 6: Restarting the SSHD Server

In order to apply the changes you made to /etc/sudoers, you need to restart the SSHD server as follows:

Debian

/etc/init.d/ssh restart

CentOS 6

/etc/init.d/sshd restart 

CentOS 7

systemctl restart sshd.service 

FreeBSD

/etc/rc.d/sshd restart

Step 7: Testing

After you have restarted the SSH server, log out and then log back in as your sudo user, then attempt to execute some testing commands as follows:
sudo uptime
sudo whoami
Any of the below commands will allow the sudo user to become root.
sudo su -
sudo -i
sudo -s
Notes:
  • The whoami command will return root when coupled with sudo.
  • You will be prompted to enter your user's password when executing the sudo command unless you explicitly instruct the system not to prompt sudo users for their passwords. Please note that this is not a recommended practice.

Optional: allowing sudo without entering the user's password

As previously explained, this is not a recommended practice and is included in this tutorial for demonstration purposes only.
In order to allow your sudo user to execute the sudo command without being prompted for their password, add the NOPASSWD: tag before the final ALL in the access line in /etc/sudoers as follows:
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
Note: You need to restart your SSHD server in order to apply the changes.
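
A check for the entries covered in Steps 4 and 5 and for the NOPASSWD option above, as an added example that is not part of the original tutorial. It lists every active grant in sudoers-style text and marks the ones that skip the password prompt; the sample text is constructed and the deploy group is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original tutorial): list the active grants in
# sudoers-style text and show which ones skip the password prompt.
# Limits: backslash continuations, include files and "#uid" rules are not handled.

# Constructed sample; "deploy" is a hypothetical group used for illustration.
SAMPLE_SUDOERS='# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL) ALL
anotherusername ALL=(ALL) ALL
%deploy ALL=(ALL) NOPASSWD: ALL
Defaults env_reset'

# audit_sudoers: sudoers text on stdin -> one line per active rule:
#   <group|user> <name> <password|NOPASSWD>
audit_sudoers() {
    awk '
        /^[ \t]*[#@]/ { next }                       # comments and include directives
        NF == 0 { next }                             # blank lines
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }  # settings and aliases grant nothing
        {
            kind = ($1 ~ /^%/) ? "group" : "user"
            name = $1; sub(/^%/, "", name)
            auth = ($0 ~ /NOPASSWD[ \t]*:/) ? "NOPASSWD" : "password"
            print kind, name, auth
        }'
}

# group_enabled GROUP: succeeds if GROUP has an uncommented rule (the Step 4 check).
group_enabled() {
    audit_sudoers | grep -q "^group $1 "
}

# nopasswd_rules: only the rules that never prompt for a password.
nopasswd_rules() {
    audit_sudoers | awk '$3 == "NOPASSWD"'
}

# Run the audit on the constructed sample.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

To audit a real system, feed the functions a copy of /etc/sudoers on standard input instead of the sample.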

Step 8: Disable direct root access

Now that you have confirmed that you can use your sudo user without issues, it is time for the eighth and final step, disabling direct root access.
First, open /etc/ssh/sshd_config using your favorite text editor and find the line containing the following string. It may be prefixed with a # character.
PermitRootLogin 
Regardless of the prefix or the value of the option in /etc/ssh/sshd_config, you need to change that line to the following:
PermitRootLogin no 
Finally, restart your SSHD server.
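
A way to confirm the edit took effect, as an added example that is not part of the original tutorial. It reports the PermitRootLogin value that applies globally, since sshd uses the first value it reads for a keyword and a commented line or a later duplicate does not count; the sample configuration is constructed and the backup account is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report the PermitRootLogin
# value that applies globally in sshd_config-style text.
# sshd uses the first value it reads for a keyword, keywords are
# case-insensitive, and commented lines do not count.
# Limit: Include files are not followed here.

# Constructed sample; "backup" is a hypothetical account.
SAMPLE_SSHD_CONFIG='#PermitRootLogin yes
Port 22
permitrootlogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only'

# permit_root_login: config text on stdin -> first global value, or "unset".
permit_root_login() {
    awk '
        /^[ \t]*#/ { next }                           # commented-out settings
        { sub(/[ \t]*=[ \t]*/, " ") }                 # accept "Keyword=value" too
        tolower($1) == "match" { exit }               # Match blocks are conditional
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# root_login_disabled: succeeds only when the global value is an explicit "no".
root_login_disabled() {
    [ "$(permit_root_login)" = "no" ]
}

# Run the check on the constructed sample.
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | permit_root_login
```

On a live host, `sshd -T` prints the configuration sshd will actually use, with Include files and built-in defaults resolved.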
