How to Use Sudo on Debian, CentOS, and FreeBSD

Using a sudo user to access a server and execute commands at the root level is a very common practice among Linux and Unix Systems Administrators. This practice is often coupled with disabling direct root access to one’s server to prevent unauthorized access.

In this tutorial, we will cover the basic steps for disabling direct root access, creating a sudo user, and setting up the sudo group on CentOS, Debian, and FreeBSD.

Prerequisites

  • A newly installed Linux Server with your preferred distribution.
  • A text editor is installed on the server, whether it’s nano, vi, vim, or emacs.

Step 1: Installing Sudo

Debian

apt-get install sudo -y

CentOS

yum install sudo -y

FreeBSD

cd /usr/ports/security/sudo/ && make install clean

or

pkg install sudo

Step 2: Adding The Sudo User

A sudo user is a normal user account on a Linux or Unix machine.

Debian

adduser mynewusername

CentOS

adduser mynewusername

FreeBSD

adduser mynewusername

Step 3: Adding The New User To The Wheel Group (Optional)

The wheel group is a user group that limits the number of people who can sudo to root. Adding your sudo user to the wheel group is entirely optional, but it is advisable.

Note: In Debian, the sudo group is often found instead of wheel. You can, however, manually add the wheel group using the groupadd command. For this tutorial, we will use the sudo group for Debian.

The Difference Between Wheel And Sudo

In CentOS and Debian, a user belonging to the wheel group can execute su and directly ascend to root. Meanwhile, a sudo user would have to use sudo su first. Essentially, there is no real difference except for the syntax used to become root, and users belonging to both groups can use the sudo command.

Debian

usermod -aG sudo mynewusername

CentOS

usermod -aG wheel mynewusername

FreeBSD

pw group mod wheel -m mynewusername

Step 4: Making Sure Your Sudoers File Is Set Up Properly

It is important to ensure that the sudoers file located in /etc/sudoers is set up properly to allow sudo users to effectively use the sudo command. To accomplish that, we will view the contents of /etc/sudoers and edit them where applicable.

Debian

vim /etc/sudoers

or

visudo

CentOS

vim /etc/sudoers

or

visudo

FreeBSD

vim /usr/local/etc/sudoers

or

visudo

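Note: The visudo command will open the sudoers file using the system’s preferred text editor (usually vi or vim). It also locks the file and checks the syntax before saving, so prefer it over opening the file directly; a syntax error in the sudoers file can leave sudo unusable. On FreeBSD, sudo installed from ports or packages keeps this file at /usr/local/etc/sudoers.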

Start reviewing and editing below this line:

# Allow members of the group sudo to execute any command

This section of /etc/sudoers often looks like this:

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

On some systems, you may find %wheel instead of %sudo; in which case, this would be the line under which you would start modifying.

If the line starting with %sudo in Debian or %wheel in CentOS and FreeBSD is not commented out (prefixed by #), this means that sudo is already set up and is enabled. You can then move to the next step.

Step 5: Allowing A User Who Belongs To Neither The Wheel Nor The Sudo Group To Execute The Sudo Command

It is possible to allow a user who is in neither group to execute the sudo command by simply adding them to /etc/sudoers as follows:

anotherusername ALL=(ALL) ALL

Step 6: Restarting the SSHD Server

To apply the changes you made to /etc/sudoers, you need to restart the SSHD Server as follows:

Debian

/etc/init.d/ssh restart

CentOS 6

/etc/init.d/sshd restart

CentOS 7

systemctl restart sshd.service

FreeBSD

/etc/rc.d/sshd restart

Step 7: Testing

After you have restarted the SSH Server, log out and then log back in as your sudo user, then attempt to execute some testing commands as follows:

sudo uptime
sudo whoami

Any of the following commands will allow the sudo user to become root.

sudo su -
sudo -i
sudo -s

Notes:

  • The whoami command will return root when coupled with sudo.
  • You will be prompted to enter your user’s password when executing the sudo command unless you explicitly instruct the system not to prompt sudo users for their passwords. Please note that it is not a recommended practice.

Optional: Allowing Sudo Without Entering The User’s Password

As previously explained, this is not a recommended practice and is included in this tutorial for demonstration purposes only.

To allow your sudo user to execute the sudo command without being prompted for their password, place the NOPASSWD: tag in front of the final ALL on the access line in /etc/sudoers as follows:

%sudo   ALL=(ALL:ALL) NOPASSWD: ALL

Note: You need to restart your SSHD Server to apply the changes.
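
The checks from Step 4 and the NOPASSWD option above can be run as a read-only audit. The script below is an added example, not part of the original tutorial; the function names, the sample file and the account name deploy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only checks on a sudoers file. Assumes one rule per line
# (no backslash continuations) and does not follow include directives.

# group_rule_state FILE GROUP -> enabled | commented | missing
group_rule_state() {
    awk -v g="%$2" '
        { sub(/^[ \t]+/, "") }
        $1 == g { state = "enabled"; exit }        # active rule for %GROUP
        /^#/ {                                     # look inside comment lines
            c = $0; sub(/^#+[ \t]*/, "", c); split(c, f, /[ \t]+/)
            if (f[1] == g) state = "commented"
        }
        END { print (state == "" ? "missing" : state) }
    ' "$1"
}

# nopasswd_subjects FILE -> user or %group of each active rule with NOPASSWD
nopasswd_subjects() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ || $1 == "Defaults" { next }  # comments, blanks, options
        /NOPASSWD[ \t]*:/ { print $1 }
    ' "$1"
}

# Constructed sample: sudo rule active, wheel rule commented out, and one
# per-user rule (hypothetical account "deploy") that skips the password prompt.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL) ALL
anotherusername ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
# backup ALL=(ALL) NOPASSWD: ALL
EOF

for grp in sudo wheel admin; do
    echo "%$grp: $(group_rule_state "$sample" "$grp")"
done
echo "NOPASSWD rules: $(nopasswd_subjects "$sample")"
```

On a live system, visudo -c confirms that the file still parses after an edit.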

Step 8: Disable Direct Root Access

Now that you have confirmed that you can use your sudo user without issues, it is time for the eighth and final step, disabling direct root access.

First, open /etc/ssh/sshd_config using your favorite text editor and find the line containing the following string. It may be prefixed with a # character.

PermitRootLogin

Regardless of the prefix or the value of the option in /etc/ssh/sshd_config, you need to change that line to the following:

PermitRootLogin no

Finally, restart your SSHD Server.

Note: Do not forget to test your changes by attempting to SSH into your Server as root. If you are unable to do so, this means that you have completed all the necessary steps.
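
Before restarting SSHD, it helps to confirm that the edit in Step 8 actually took effect, since a line left commented out or shadowed by an earlier PermitRootLogin entry changes nothing. The script below is an added example, not part of the original tutorial; the function names and sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value sshd would take from the
# global section of a config file. Assumptions: the first uncommented value
# wins, scanning stops at the first Match block, Include files are not followed.
# Match blocks can override the global value, so review them separately.

# effective_root_login FILE -> value in lower case, or "unset"
effective_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }                 # "#PermitRootLogin no" is inert
        tolower($1) == "match" { exit }       # conditional section starts here
        {
            split($0, f, /[ \t=]+/)           # keyword, then value
            if (tolower(f[1]) == "permitrootlogin") { val = tolower(f[2]); exit }
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# root_login_disabled FILE -> exit status 0 only when the value is exactly "no"
root_login_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed samples: two easy mistakes and the intended result.
dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
printf '%s\n' 'Port 22' '#PermitRootLogin no' > "$dir/still_commented"
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' > "$dir/shadowed"
printf '%s\n' 'Port 22' 'PermitRootLogin no' > "$dir/fixed"

for f in still_commented shadowed fixed; do
    echo "$f: $(effective_root_login "$dir/$f")"
done
```

On a live host, sshd -t checks the configuration file for errors and sshd -T prints the effective settings, including values pulled in through Include files.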

This concludes our tutorial.
