How to add sudo command on a ‘pure’ Debian system
Disabling root access and forcing the use of an unprivileged user to ssh into a Linux box is a best practice.
Here is how to let users run the ‘sudo’ command, disable password login in favour of an SSH key, and drop the password prompt when running ‘sudo’.
Install sudo and configure the user login
If you didn’t install sudo while installing the OS, install it now. It’s as easy as:
# apt install sudo
Now create a user and add it to the ‘sudo’ group:
# adduser thenewuser
# adduser thenewuser sudo
If you created a user (let’s say “my_user”) during the install process, you can add it to the sudo group using the second command only:
# adduser my_user sudo
Now the new user can use the sudo command (the new group membership is picked up at the user’s next login).
A little customisation for the sudo users
The users’ and groups’ sudo privileges are defined in the /etc/sudoers file. This file lets you grant customized access to commands and set custom security policies.
This file is write-protected by default, also for the root user: to change it, use only the visudo command.
This command checks the file for syntax errors when you save it; if there are any, the file is not saved. If you edit the file with a regular text editor instead, a single syntax error may cost you sudo access altogether.
To allow members of the sudo group to execute commands without a password, add this line at the end of the file:
%sudo ALL=(ALL) NOPASSWD: ALL
Generate SSH key, disable the use of password
To generate an SSH key for logging in, use the device that will act as the client connecting to the new Debian box; on a *nix client the command is:
$ ssh-keygen -t rsa
Now we are ready to “publish” the public key on our new Debian box. There are two ways: you can copy the public key to the box and edit ‘authorized_keys’ by hand, or (my preferred solution) you can use this command:
$ ssh-copy-id my_user@box.ip
Now we are going to set up sshd to authenticate only with a valid SSH key; users won’t be able to authenticate with a password.
Edit the file /etc/ssh/sshd_config and set:
PasswordAuthentication no
PubkeyAuthentication yes
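Before restarting sshd or closing the session you are working in, it is worth confirming that both changes above (the NOPASSWD rule for the sudo group and the two sshd settings) are in effect the way the programs will actually read them. The script below is an added example, not part of the original post. It encodes two parsing rules: sshd uses the first value it finds for an option and ignores later duplicates, and on recent Debian releases the stock sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in there is read first and overrides the main file; sudoers, on the other hand, applies the last matching entry, which is why the NOPASSWD line goes at the end. The file order, the drop-in directory and the sample config contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: check the NOPASSWD rule for
# %sudo and key-only sshd authentication the way sudo and sshd read them.

# Files in the order sshd reads them (assumes the Debian Include-first layout).
sshd_config_files() {
    printf '%s\n' /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config
}

# Print the effective value of KEY across FILES: the first occurrence wins, and
# only the global section counts (parsing stops at the first "Match" block).
# Usage: effective_sshd_option KEY FILE...   -> exit status 1 if KEY is unset
effective_sshd_option() {
    key=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(awk -v k="$key" '
            /^[ \t]*#/ || /^[ \t]*$/  { next }            # comments and blank lines
            tolower($1) == "match"    { exit }            # leave conditional blocks alone
            tolower($1) == tolower(k) { print $2; exit }  # first occurrence wins
        ' "$f")
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

# Succeed if FILE contains a rule granting the sudo group passwordless sudo,
# in either the "(ALL)" form used in the post or Debian's "(ALL:ALL)" form.
# Usage: sudo_group_nopasswd FILE
sudo_group_nopasswd() {
    grep -Eq '^[[:space:]]*%sudo[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+NOPASSWD:[[:space:]]*ALL[[:space:]]*$' "$1"
}

# Constructed sample files (not real system files) so the checks run offline.
# Prints the directory that holds them.
make_sample_configs() {
    d=$(mktemp -d)
    mkdir -p "$d/sshd_config.d"
    cat > "$d/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
# The next line is commented out and has no effect on sshd.
#PasswordAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
# Duplicate of an option already set above: sshd ignores it.
PasswordAuthentication yes
EOF
    # A drop-in such as an installer image might leave behind; read before the main file.
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/10-example.conf"
    cat > "$d/sudoers" <<'EOF'
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%sudo ALL=(ALL) NOPASSWD: ALL
EOF
    printf '%s\n' "$d"
}

# Report the live values on this box (reading /etc/sudoers needs root).
# Keep your current session open until a fresh key-based login has succeeded.
report_live_settings() {
    set -- $(sshd_config_files)
    printf 'PasswordAuthentication: %s\n' \
        "$(effective_sshd_option PasswordAuthentication "$@" || echo 'unset (sshd default: yes)')"
    printf 'PubkeyAuthentication:   %s\n' \
        "$(effective_sshd_option PubkeyAuthentication "$@" || echo 'unset (sshd default: yes)')"
    if sudo_group_nopasswd /etc/sudoers; then
        echo 'sudo group: NOPASSWD rule present'
    else
        echo 'sudo group: NOPASSWD rule missing'
    fi
    # The authoritative checks come from the tools themselves:
    #   visudo -cf /etc/sudoers           # syntax check, no editing
    #   sshd -t                           # parse the live sshd configuration
    #   sshd -T | grep -i authentication  # values sshd will actually use
}
```

Source the file and call report_live_settings as root on the box; the sample configs show the pitfall the checks are for: with the drop-in in place the effective PasswordAuthentication is yes even though the main file says no.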