It could be a matter of personal preference, so that is also what this answer will be.
The following is assumed to be done as the root user until it’s stated otherwise.
I for one always secure my setup - to me this means that you authenticate with SSH keys to your server and not with password authentication.
Please read this great tutorial from the DigitalOcean tutorial archive on how to set it up correctly.
One thing not mentioned in that tutorial is how to disable root login via SSH. This is done to additionally secure your server setup.
To do so, edit your /etc/ssh/sshd_config config file:
- nano /etc/ssh/sshd_config
… and change the PermitRootLogin setting to no:
PermitRootLogin no
When you’re done editing, press CTRL+X and Y to save your changes.
Remember to restart the SSH daemon after you have made the changes.
When I have a secure setup, I always add a new user and give this user sudo rights.
For starters, you issue the command (remember to replace username with whatever username you’d like):
This will create a user with the username you provided as the second argument.
Secondly, you need to give the user some sudo rights. I do this by adding the user to a sudoers.d file:
- nano /etc/sudoers.d/username
Put the following into that file:
username ALL=(ALL) NOPASSWD: ALL
When you’re done editing, press CTRL+X and Y to save your changes.
Now, notice that the user has a NOPASSWD setting which allows the user to use sudo privileges without providing a password. This can be considered unsafe, but with the new secure SSH settings I believe that will suffice.
Now, the sudoers file needs the right permissions:
- chmod 0440 /etc/sudoers.d/username
Now you should switch to your new user and add your public SSH key to the user’s authorized_keys file. To switch to that user, use the su command:
Now you’re working as the new user. The new user doesn’t have any local SSH settings, which means we need to create the ~/.ssh/authorized_keys file manually.
Create the directory first:
Now, create and edit the authorized_keys file and paste in your public key:
- nano ~/.ssh/authorized_keys
When you’re done editing, press CTRL+X and Y to save your changes.
Now you should be able to connect from your local machine with your private key to the new user.
From here you can do sudo installs from your new user.
This is my preferred method of doing it.
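A read-only audit of the settings from the answer above, as an added example that is not part of the original answer. The function names (sshd_effective, mode_of, not_shared_writable, audit) and the argument order are hypothetical; audit returns the number of findings as its exit status.

```shell
#!/bin/sh
# Added example: read-only audit of the settings from the answer above.
# Every path is an argument, so the checks can run against copies of the files.

# Print the value sshd would use for KEYWORD in FILE's global section.
# sshd uses the first value it reads; keywords are case-insensitive.
# Simplification: Include files and Match blocks are not evaluated.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { sub(/=/, " ") }                      # "Keyword=value" form is allowed
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Symbolic mode string, e.g. "-r--r-----" for 0440 (avoids stat's differing flags).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Succeeds only if the path is not writable by group or others.
not_shared_writable() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?) return 1 ;;
        *) return 0 ;;
    esac
}

# Run all checks; print one line per finding and return the number of findings.
audit() {  # usage: audit SSHD_CONFIG SUDOERS_DROPIN SSH_DIR
    findings=0
    [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin is not 'no' in $1"; findings=$((findings+1)); }
    [ "$(mode_of "$2")" = "-r--r-----" ] ||
        { echo "$2 is not mode 0440"; findings=$((findings+1)); }
    grep -Eq '^[^#]*NOPASSWD' "$2" &&
        { echo "$2 grants passwordless sudo (NOPASSWD)"; findings=$((findings+1)); }
    for p in "$3" "$3/authorized_keys"; do
        [ -e "$p" ] && not_shared_writable "$p" ||
            { echo "$p missing or group/world-writable"; findings=$((findings+1)); }
    done
    return "$findings"
}
```

For example: audit /etc/ssh/sshd_config /etc/sudoers.d/username /home/username/.ssh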