[Trying Out DigitalOcean Droplet 1] Steps for ssh into Droplet as non-root user with sudo access
I’ve been looking for cloud options to run a long preprocessing job. DigitalOcean has piqued my interest with their well-written documentation on various subjects. Last night I finally decided to sign up and test it out.
Question On Day 1: What username should I use in my very first ssh?
Answer: root
The signup, service selections, and ssh key settings are all effortless. DigitalOcean’s interface is both clean and clear. But once I had set up my public key and was ready to power up the server, the first thing that confused me a bit was: wait, what user name should I be using for ssh? Luckily I am not the only user who has wondered about the same thing. With some googling, the answer is: root.
So if you already have your ssh key set up when setting up your account (under the Security category), you can do your first login as follows:
# command 1: Your first ssh login as root
# Here xx.xxx.xxx.xxx is my Droplet's IP address (ipv4)
ssh -i ~/.ssh/rsa_key_filename root@xx.xxx.xxx.xxx
Great, you should be able to log in as root. But there is one problem — great power comes with great responsibility. For all the jobs I would like to run on this Droplet, I would really rather be a non-root user with sudo privilege. That is for day 2.
Question Day 2: How to set myself up as a non-root user with sudo privilege?
Answer: useradd is your friend, but it is a little more than just one command
Key reference: DigitalOcean Community Forum
1. What is the ideal outcome?
I would like to log in as non-root with my ssh key, and to have sudo privilege.
So we should at least be able to log in like this:
# Command 2: Ideal log in as non-root user
ssh -i ~/.ssh/rsa_key_filename shan@xx.xxx.xxx.xxx
2. How do we get there?
(1) Log in as root and set up the new non-root user:
# 1. log in as root
ssh -i ~/.ssh/rsa_key_filename root@xx.xxx.xxx.xxx
# 2. Once logged in, set up home and .ssh directories for the new
# user; -p here is shorthand for --parents
mkdir -p /home/shan/.ssh
# 3. Create authorized key file for the new user
touch /home/shan/.ssh/authorized_keys
# 4. Create the new user and assign the home directory you just made
# (as root) for him/her
useradd -d /home/shan shan
# 5. Add User to sudo Group
# -a is shorthand for --append: Add the user to the supplementary
# group(s). Use only with the -G option.
usermod -aG sudo shan
# 6. Assign ownerships
chown -R shan:shan /home/shan/
# 7. Change permissions for authorization files
# 700: user: 4(read) + 2(write) + 1(execute); group: 0 (no permission); others: 0 (no permission)
# 644: user: 4(read) + 2(write); group: 4 (read); others: 4 (read)
chmod 700 /home/shan/.ssh
chmod 644 /home/shan/.ssh/authorized_keys
# 8. Set up password for new user:
passwd shan
# You'll see prompts for password setup
(2) Verify by su shan and run the following commands
# 1. switch user
su shan
# 2. check if home directory is set properly
echo $HOME
Once you see your home directory being printed out successfully, you can now go to your local machine and generate your ssh key pair for this non-root user access:
[On local machine]
1. Generate an ssh key pair with the following command and follow the prompts. Give your key files a sensible name if there is a need to differentiate between root access and non-root access (in my case I named it id_rsa_ocean)
ssh-keygen -a 1000 -b 4096 -C "" -E sha256 -o -t rsa
[On droplet]
2. Copy and paste the content of the generated public key to your Droplet home folder: /home/shan/.ssh/authorized_keys
Done!
Great! Now you should be able to run the ssh command mentioned at the beginning of the Day 2 section:
ssh -i ~/.ssh/id_rsa_ocean shan@xx.xxx.xxx.xxx
# You should see a similar prompt as below:
shan@digitaloceantest:~$
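The following check is an added example, not part of the original post: run on the Droplet, it audits the ownership and permissions set in steps 6 and 7, since sshd with its default StrictModes setting refuses key files that other users can write to. The function name check_ssh_perms is hypothetical, and GNU stat (standard on Linux images) is assumed.

```shell
#!/usr/bin/env bash
# Added example: audit the ownership and modes that steps 6 and 7 set up.
# check_ssh_perms is a hypothetical helper name, not a system command.
# Usage on the Droplet:  check_ssh_perms /home/shan "$(id -u shan)"
# Assumes GNU stat (stat -c).

check_ssh_perms() {
    local home="$1" uid="$2" rc=0 path mode owner
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING   $path"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$path")
        owner=$(stat -c '%u' "$path")
        # Step 6 (chown -R shan:shan) should leave everything owned by the user.
        if [ "$owner" != "$uid" ]; then
            echo "BAD OWNER $path (uid $owner, expected $uid)"
            rc=1
        fi
        # Group- or world-writable (octal 022 bits) would let another
        # account add its own key to authorized_keys.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE  $path (mode $mode)"
            rc=1
        fi
    done
    # Step 7 sets .ssh to exactly 700; report drift from that.
    if [ -d "$home/.ssh" ] && [ "$(stat -c '%a' "$home/.ssh")" != "700" ]; then
        echo "MODE      $home/.ssh is not 700"
        rc=1
    fi
    return "$rc"
}
```

The function prints one line per problem and returns non-zero if any was found, so it can gate a provisioning script.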