If you’re manually provisioning a server, you should never connect directly as root. Instead, create separate users with sudo capabilities, always access the server as a non-root user, and run root commands with sudo. This setup has several key advantages. First, users can be restricted in which commands they may run, or which actions they may take, as root. You can also audit their actions, and you can revoke root access easily without rotating keys or changing a root password that everyone has access to.
When finished, you’ll have a regular user who can elevate privileges to root.
We’ll begin by creating a normal user. In this case, the user is named “globotech.”
Set the user’s password so it can connect and authenticate.
By default, all members of the “wheel” group get sudo privileges. This enables group members to run commands as the root user. Let’s add our user to this group.
usermod -aG wheel globotech
The content of /root is normally not visible to regular users. To test out our setup, let’s connect as globotech.
su -l globotech
Next, use the sudo command to gain root privileges. Sudo takes another command and runs it as root. In this case, we run the command to list the /root directory, but do so as the root user. You’ll be prompted for a password, which should be the globotech password you set up previously.
sudo ls /root
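The steps above (create the user, set a password, add the user to wheel, then confirm that sudo works) collected into one script, as an added example that is not part of the original guide. It assumes a RHEL/CentOS-style system where the wheel group grants sudo, reuses the guide's user name globotech, and must be run as root with the --run flag; sourcing it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the original guide): provision a non-root
# administrator whose root access comes through sudo via the wheel group.
set -eu

ADMIN_USER="${ADMIN_USER:-globotech}"   # assumption: same user name as the guide
SUDO_GROUP="${SUDO_GROUP:-wheel}"       # group that sudoers grants ALL to by default

# Return 0 if group $1 appears as a whole word in the space-separated list $2
# (the format produced by `id -nG`); "wheelchair" must not match "wheel".
in_group_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Create the user if it does not exist yet, set its password interactively,
# and append it to the sudo group (-a keeps existing group memberships).
provision_admin_user() {
    if ! id "$ADMIN_USER" >/dev/null 2>&1; then
        useradd -m "$ADMIN_USER"
    fi
    passwd "$ADMIN_USER"
    usermod -aG "$SUDO_GROUP" "$ADMIN_USER"
}

# Confirm the membership took effect and show what sudo will allow the user
# to run; `sudo -l -U` needs root, which is why the script runs as root.
verify_admin_user() {
    groups=$(id -nG "$ADMIN_USER")
    if ! in_group_list "$SUDO_GROUP" "$groups"; then
        echo "FAIL: $ADMIN_USER is not a member of $SUDO_GROUP" >&2
        return 1
    fi
    sudo -l -U "$ADMIN_USER"
}

# Only act when invoked explicitly; otherwise this file just defines functions.
if [ "${1:-}" = "--run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run this as root" >&2; exit 1; }
    provision_admin_user
    verify_admin_user
fi
```

After it completes, log out and back in as globotech (or use su -l globotech as above) before relying on the new group membership, because an already open session keeps its old group list.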
You can now log in as globotech and run any command as root. Just remember to prepend “sudo” to any command you wish to run with administrative privileges.
You now have a secure system which lets individual users gain administrative privileges. While this example lets users run commands as root without restriction, it is also possible to limit access to certain command types. You might, for instance, let some users run all commands, others only manipulate files, and still others install and remove packages. With sudo, you can create arbitrarily rich administrative access control lists for any use case you can imagine. If this guide was helpful to you, kindly share it with others who may also be interested.
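One way to express the finer-grained rules just described, as an added example rather than anything from the original guide: each rule becomes a drop-in file under /etc/sudoers.d, and every drop-in is checked with visudo before it is installed, so a typo cannot lock everyone out of sudo. The group names pkgadmins and webeditors, and the dnf, rpm and httpd.conf paths, are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): limit what a group may run
# through sudo, using validated drop-ins instead of editing /etc/sudoers.
set -eu

# Print a fragment letting members of group $1 run only package management
# commands as root. The command paths are assumptions for a RHEL-style system.
render_pkg_admin_rule() {
    cat <<EOF
# Managed drop-in: package administration only
Cmnd_Alias PKG_CMDS = /usr/bin/dnf, /usr/bin/rpm
%$1 ALL=(root) PKG_CMDS
EOF
}

# Print a fragment letting members of group $1 edit exactly one file ($2)
# through sudoedit, which copies the file to a temporary location and never
# hands the user a root shell or editor.
render_file_editor_rule() {
    cat <<EOF
# Managed drop-in: may edit $2 only
%$1 ALL=(root) sudoedit $2
EOF
}

# Write content $2 to a temp file, validate it with visudo, and only then
# install it as /etc/sudoers.d/$1 with the 0440 mode sudo requires.
# Returns 1 and leaves /etc/sudoers.d untouched if the syntax check fails.
install_sudoers_dropin() {
    name="$1"; content="$2"
    tmp=$(mktemp)
    printf '%s\n' "$content" > "$tmp"
    if ! visudo -cf "$tmp" >/dev/null; then
        rm -f "$tmp"
        echo "sudoers syntax error in $name, not installed" >&2
        return 1
    fi
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$name"
    rm -f "$tmp"
}

# Only install when asked to; requires root.
if [ "${1:-}" = "--install" ]; then
    install_sudoers_dropin 10-pkgadmins "$(render_pkg_admin_rule pkgadmins)"
    install_sudoers_dropin 20-webeditors \
        "$(render_file_editor_rule webeditors /etc/httpd/conf/httpd.conf)"
fi
```

Listing explicit command paths, as these rules do, is deliberate: sudoers(5) notes that wildcards in command arguments also match directory separators, so a pattern that looks confined to one directory is looser than it appears. A user can see what a rule grants them with sudo -l, and the -U form used above lets root review any user's effective rules after a drop-in is installed.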