Step One -- Root LoginTo log into your server initially, you will need to know your server's public IP address and the password for the "root" user's account. For servers on DigitalOcean, you will receive an email with your server credentials and the server's IP address.
The root user is the administrative user in a Linux environment that has very broad privileges. Because of the heightened privileges of the root account, you are actually discouraged from using it on a regular basis. This is because part of the power inherent with the root account is the ability to make very destructive changes, even by accident.
In this guide, we'll help you set up an alternative user account with a reduced scope of influence for day-to-day work. We'll teach you how to gain increased privileges during the times when you need them.
The first step is to log into your server, and the only account we start out with is the root account. We can connect to the server by using the
sshcommand in the terminal. The command will look like this:
You will most likely see a warning in your terminal window that looks like this:
The authenticity of host '126.96.36.199 (188.8.131.52)' can't be established. ECDSA key fingerpring is 79:95:46:1a:ab:37:11:8e:86:54:36:38:bb:3c:fa:c0.
Are you sure you want to continue connecting (yes/no)?
Here, your computer is basically telling you that it doesn't recognize your remote server. Since this is your first time connecting, this is completely expected.
Go ahead and type "yes" to accept the connection. Afterwards, you'll need to enter the password for the root account.
Step Two -- Change Your PasswordYou are not likely to remember the password that is currently set for your root account. You can change the password to something you will remember more easily by typing:
It will ask you to enter and confirm your new password. During this process, you will not see anything show up on your screen as you type. This is intentional and is there so that people looking over your shoulder cannot guess your password by the number of characters.
Step Three -- Create a New UserAt this point, we're prepared to add the new user account that we will use to log in from now on.
I'm going to name my user "demo", but you can select whatever name you'd like:
You will be asked a few questions, starting with the account password.
Fill out the password and, optionally, fill in any of the additional information if you would like. This is not required and you can just hit "ENTER" in any field you wish to skip.
Step Four -- Root PrivilegesNow, we have a new user account with regular account privileges. However, we may sometimes need to do administrative tasks.
To avoid having to log out of our normal user and log back in as the root account, we can set up what is known as "sudo" privileges for our normal account. This will allow our normal user to run commands with administrative privileges by putting the word "sudo" before each command.
To add these privileges to our new account, we need to use a command called
visudo. This will open a configuration file:
Scroll down until you find a section that deals with user privileges. It will look similar to this:
# User privilege specification root ALL=(ALL:ALL) ALL
While this might look complicated, we don't need to worry about that. All we need to do is add another line below it that follows the format, replacing "demo" with the user you created:
# User privilege specification root ALL=(ALL:ALL) ALL demo ALL=(ALL:ALL) ALL
After this is done, press CTRL-X to exit. You will have to type "Y" to save the file and then press "ENTER" to confirm the file location.
Step Five -- Configure SSH (Optional)Now that we have our new account, we can secure our server a little bit by modifying the configuration of SSH (the program that allows us to log in remotely).
Begin by opening the configuration file with your text editor as root:
Change SSH PortThe first option is to change the port that SSH runs on. Find the line that looks like this:
If we change this number to something in between 1025 and 65536, the SSH service on our server will look for connections on a different port. This is sometimes helpful because unauthorized users sometimes try to break into servers by attacking SSH. If you change the location, they will need to complete the extra step of sniffing it out.
If you change this value, you will need to keep in mind that your server is running on the new port. For this guide, I'll change this to
4444as a demonstration. This means that when I connect, I'll have to tell my SSH client to use this new, non-default port. We'll get to that later. For now, modify that value to your selection:
Restrict Root LoginNext, we need to find the line that looks like this:
Here, we have the option to disable root logins through SSH. This is generally a more secure setting since we can now access our server through our normal user account and escalate privileges when necessary.
You can modify this line to "no" like this if you want to disable root logins:
Explicitly Permit Certain UsersYou can go one step further and specify the exact users that you wish to be able to log into your server. Any user not on the list you configure will not be permitted to log in through SSH.
Be careful when configuring this option, as you can easily lock yourself out if you mistype your username.
For this option, you'll have to add the line yourself. You should use the following syntax. Remember to replace "demo" with the username that you configured:
When you are finished making any of the optional changes above, save and close the file using the method we went over earlier (CTRL-X, then "Y", then "ENTER").
Step Six -- Reload SSHNow that we have made our changes, we need to restart the SSH service so that it will use our new configuration.
Type this to restart SSH:
service ssh restart
Now, before we log out of the server, we should test our new configuration. We do not want to disconnect
until we can confirm that new connections can be established successfully.
Open a new terminal window. In the new window, we need to begin a new connection to our server. This time, instead of using the root account, we want to use the new account that we created.
If you changed the port number that SSH is running on, you'll need to tell your client about the new port as well. You can do this by using the
-p 4444syntax, where "4444" is the port you configured.
For the server that I showed you how to configure above, I would connect using this command. Substitute your own information where it is appropriate:
ssh -p 4444 demo@server_ip_address
You will be prompted for the new user's password that you configured. After that, you will be logged in as your new user.
Remember, if you need to run a command with root privileges, type "sudo" before it like this:
If all is well, you can exit your sessions by typing: