DigitalOcean Create sudo SFTP/SSH user

WARNING Create a snapshot before doing any changes!!!

Example new user data:

  • Username: exampleuser
  • Password: examplepassword
  • Home: /home/exampleuser/
  • IP: exa.mp.le.ip

Create user:

adduser exampleuser

which prompts for a password and the user details, printing:

Adding user `exampleuser' ...
Adding new group `exampleuser' (1000) ...
Adding new user `exampleuser' (1000) with group `exampleuser' ...
Creating home directory `/home/exampleuser' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for exampleuser
Enter the new value, or press ENTER for the default
  Full Name []:
  Room Number []:
  Work Phone []:
  Home Phone []:
  Other []:
Is the information correct? [Y/n] y

Type y to accept.

Add exampleuser to sudo group

usermod -aG sudo exampleuser

Backup sudoers file

cp -p /etc/sudoers /etc/sudoers.ORIG

Limit all sudoers to prevent sudo su

WARNING Use visudo and not nano. Nano will make the server fail!!!

visudo -f /etc/sudoers

  change:
  # Cmnd alias specification

  to:
  # Cmnd alias specification
  Cmnd_Alias DISABLE_SU = /bin/su

  change:
  %sudo   ALL=(ALL:ALL) ALL

  to:
  %sudo   ALL=(ALL:ALL) ALL, !DISABLE_SU

Enable SSH password authentication

WARNING Use vim and not nano. Nano will make the server fail!!!

vim /etc/ssh/sshd_config

  change:
  PasswordAuthentication no

  to:
  PasswordAuthentication yes

Restart SSH service:

sudo systemctl restart sshd

Test SSH login access for sudo user.

ssh exampleuser@exa.mp.le.ip

Try sudo su

Test sudo su to see if you receive an error message should the user attempt to elevate their privileges.

sudo su

Should receive:

Sorry, user exampleuser is not allowed to execute '/usr/bin/su' as root on exampledomain.com.
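The two edits above are easy to get subtly wrong: a `!DISABLE_SU` exclusion only removes the one listed path from an otherwise unrestricted `ALL` rule (sudoers(5) itself cautions that such exclusions are not a reliable way to confine a user who is granted `ALL`), the alias has to name the path sudo actually resolves (on merged-/usr images `/bin/su` and `/usr/bin/su` are the same file, which is why the denial message above shows `/usr/bin/su`), and sshd takes the first `PasswordAuthentication` value it reads, so a `yes` added below a surviving `no`, or below an `Include` of `/etc/ssh/sshd_config.d/`, has no effect. The script below is an added example, not part of the original gist: it runs the checks against constructed sample files in a temporary directory so it works offline, and the real paths `/etc/sudoers` and `/etc/ssh/sshd_config` (assumed from the steps above) can be passed to the same functions on the droplet.

```shell
#!/bin/sh
# Added example, not part of the original gist: post-edit checks for the
# sudoers and sshd_config changes described above. The sample files are
# constructed for the demo; on a real droplet call the functions with
# /etc/sudoers and /etc/ssh/sshd_config (paths assumed from the gist).

# Return 0 when FILE both defines the DISABLE_SU command alias and excludes
# it from the %sudo rule, otherwise 1. Patterns are anchored at line start,
# so commented-out copies of the lines do not count.
sudoers_denies_su() {
    file="$1"
    grep -Eq '^[[:space:]]*Cmnd_Alias[[:space:]]+DISABLE_SU[[:space:]]*=[[:space:]]*/' "$file" || return 1
    grep -Eq '^[[:space:]]*%sudo[[:space:]].*[[:space:],]!DISABLE_SU([[:space:],]|$)' "$file" || return 1
    return 0
}

# Run sudo's own parser over FILE without installing it (visudo -c -f).
# Reports on stderr and skips when visudo is not present, e.g. when checking
# a copy on a workstation.
sudoers_syntax_ok() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; syntax of $1 not checked" >&2
    fi
}

# Print the PasswordAuthentication value sshd would take from FILE: the
# FIRST uncommented occurrence wins, so an earlier "no" silently overrides a
# "yes" added further down. Prints nothing when the keyword is absent.
# This does not follow Include lines or Match blocks; on the host,
# "sshd -T | grep -i passwordauthentication" gives the authoritative value.
sshd_password_auth() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: the sudoers fragment before and after the gist's edit.
cat > "$tmp/sudoers.before" <<'EOF'
# Cmnd alias specification

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
EOF
cat > "$tmp/sudoers.after" <<'EOF'
# Cmnd alias specification
Cmnd_Alias DISABLE_SU = /bin/su

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL, !DISABLE_SU
EOF

# Constructed sample: a "yes" was appended but the original "no" line was
# left in place above it, versus the line being changed in place.
cat > "$tmp/sshd_config.stale" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
EOF
cat > "$tmp/sshd_config.fixed" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication yes
EOF

for f in sudoers.before sudoers.after; do
    if sudoers_denies_su "$tmp/$f"; then
        echo "$f: %sudo rule excludes DISABLE_SU"
    else
        echo "$f: su is NOT excluded for %sudo"
    fi
done
for f in sshd_config.stale sshd_config.fixed; do
    echo "$f: effective PasswordAuthentication = $(sshd_password_auth "$tmp/$f")"
done
```

On the droplet, `sudoers_syntax_ok /etc/sudoers` wraps the same parser visudo runs on save, `sudo -l -U exampleuser` prints the rules sudo will actually apply to the new user, and `sshd -t` validates the SSH daemon configuration before `systemctl restart sshd` so a typo does not take the service down.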

Done
