Create New User Sudo
Creating a dedicated, non-root administrator account and granting it sudo privileges is a standard Linux hardening step. It reduces reliance on the root account, improves accountability (actions are attributable to a specific user), and supports safer day-to-day operations by requiring explicit privilege elevation.
Background and history
Traditional Unix administration often used direct root logins for convenience. As systems became internet-exposed and teams grew, best practice shifted toward least privilege: administrators log in with a personal account and elevate privileges only when needed. The sudo mechanism became the widely adopted approach for controlled privilege escalation with logging and fine-grained policy.
Adoption and where it’s commonly used
Common in:
- VPS and cloud servers as part of baseline security hardening
- Production fleets managed by multiple administrators
- Compliance-oriented environments requiring audit trails
- Web servers (WordPress, application servers) where SSH is frequently targeted
When to use
- You are provisioning a new server and want a safe admin workflow.
- You plan to disable direct root SSH login.
- Multiple people administer the host and need individual accountability.
- You want to restrict or control privileged operations.
Not suitable when
- Your environment forbids sudo and uses a different privileged access model.
- You cannot guarantee recovery access and are not confident in the SSH/root access currently available.
- Automation is tightly coupled to the root account and cannot be updated.
Compatibility notes
- On Debian/Ubuntu, admin users are commonly added to the sudo group.
- On RHEL/Fedora/Rocky/AlmaLinux, admin users are commonly added to the wheel group.
- Some minimal images may not have sudo installed; install it before proceeding.
- OpenSSH and login behavior can differ if cloud-init creates users and disables root by default; confirm your baseline.
Do not disable root SSH login until you have confirmed the new user can log in via SSH and can successfully run sudo. Keep an existing session open while testing in a second session.
Concepts and how it works
- A Linux user account is created with a home directory and a shell.
- sudo policy (typically via /etc/sudoers and /etc/sudoers.d/) defines which users or groups can run commands as root.
- Adding a user to the appropriate admin group grants privilege escalation without requiring direct root login.
Prerequisites
- Existing access as root or a sudo-capable user
- SSH access to the server
- sudo installed (or permission to install it)
Step 1: Confirm sudo is installed
Read-only check:
command -v sudo >/dev/null && echo "sudo present" || echo "sudo not found"
Install if missing:
Debian/Ubuntu
sudo apt update
sudo apt install sudo
RHEL/Fedora/Rocky/AlmaLinux
su -c 'dnf install sudo'
Step 2: Create the new user
Choose a username that maps to a real admin identity (for example admin, ops, or a personal username).
Create user (Debian/Ubuntu and most distros)
sudo adduser adminuser
This typically:
- creates the account
- creates /home/adminuser
- sets an initial password
- populates default shell configuration
Alternative (more manual)
sudo useradd -m -s /bin/bash adminuser
sudo passwd adminuser
Step 3: Grant sudo privileges
Debian/Ubuntu (sudo group)
sudo usermod -aG sudo adminuser
RHEL/Fedora/Rocky/AlmaLinux (wheel group)
sudo usermod -aG wheel adminuser
Verify group membership:
id adminuser
Step 4: Configure SSH key authentication (recommended)
On your local machine, generate a key if you do not already have one:
ssh-keygen -t ed25519 -a 64
Copy the public key to the server:
ssh-copy-id adminuser@your_server_ip
If you use a custom SSH port:
ssh-copy-id -p 2581 adminuser@your_server_ip
Step 5: Test login and sudo in a new session
Open a second terminal window and test:
ssh adminuser@your_server_ip
If using a custom port:
ssh -p 2581 adminuser@your_server_ip
Then test sudo:
sudo -v
sudo whoami
Expected:
root
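Steps 1 to 5 as one script, added here as an example (it is not from the original page): it picks the admin group from /etc/os-release as described in the Compatibility notes, creates the user, installs the public key with the ownership and modes sshd expects, and verifies the group rule with sudo -l -U. The --run flag, the function names and the constructed os-release sample used by the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: provision a sudo-capable admin user
# end to end (Steps 1-5), picking the admin group from /etc/os-release.
set -eu

# Map an os-release ID to the distro's conventional admin group (see Compatibility notes).
admin_group_for() {
  case "$1" in
    debian|ubuntu) echo sudo ;;
    rhel|fedora|rocky|almalinux|centos) echo wheel ;;
    *) echo "unknown distro id: $1" >&2; return 1 ;;
  esac
}

# Print the ID= field of an os-release file ($1, default /etc/os-release), unquoted.
detect_distro_id() {
  sed -n 's/^ID=//p' "${1:-/etc/os-release}" | tr -d '"'
}

# Create user $1 if absent, add it to the admin group, install the public key file $2
# with the ownership and modes sshd's StrictModes requires, then verify. Needs root.
provision_admin() {
  user=$1; pubkey=$2
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  command -v sudo >/dev/null || { echo "install sudo first (Step 1)" >&2; return 1; }
  group=$(admin_group_for "$(detect_distro_id)")
  id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"
  usermod -aG "$group" "$user"
  home=$(getent passwd "$user" | cut -d: -f6)
  pgroup=$(id -gn "$user")
  install -d -m 700 -o "$user" -g "$pgroup" "$home/.ssh"
  install -m 600 -o "$user" -g "$pgroup" "$pubkey" "$home/.ssh/authorized_keys"
  # sudo -l -U lists the rules the user receives; an "(ALL" entry proves the group rule applies.
  sudo -l -U "$user" | grep -q '(ALL' && echo "$user can sudo via group $group"
}

# Stand-alone demo on a constructed os-release sample (no root needed, nothing is changed).
demo() {
  sample=$(mktemp)
  printf 'NAME="Rocky Linux"\nID="rocky"\nID_LIKE="rhel centos fedora"\n' > "$sample"
  sid=$(detect_distro_id "$sample")
  echo "constructed sample ID=$sid -> admin group $(admin_group_for "$sid")"
  rm -f "$sample"
}

if [ "${1:-}" = "--run" ]; then provision_admin "$2" "$3"; else demo; fi
```

Run with --run <user> <pubkey-file> as root to provision; without arguments it only runs the demo.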
Step 6: Hardening and optional policies
Require password for sudo (default and recommended for many environments)
Most distributions require the user’s password when using sudo, which improves safety.
Passwordless sudo (only when justified)
For automation users, you may grant passwordless sudo via a dedicated drop-in file, tightly scoped.
Create:
sudo visudo -f /etc/sudoers.d/adminuser
Add:
adminuser ALL=(ALL) NOPASSWD: ALL
Save and exit; visudo checks the syntax before writing the file.
Only use passwordless sudo for automation accounts with constrained access and well-defined command scopes. Prefer least privilege and restrict by command where possible.
Restrict sudo to specific commands (safer automation model)
Example (allow restarting a specific service only):
adminuser ALL=(root) NOPASSWD: /bin/systemctl restart php8.2-fpm
Troubleshooting
User cannot run sudo
Diagnosis:
id adminuser
sudo -l -U adminuser
Fix:
- Ensure the user is in sudo (Debian/Ubuntu) or wheel (RHEL-based).
- Ensure /etc/sudoers has the group rules enabled.
sudo: command not found
Install sudo using the distro package manager (see installation section).
SSH login fails for the new user
Check:
- Correct username and port
- Home directory exists and permissions are correct
- SSH key is installed in ~/.ssh/authorized_keys
On the server:
sudo ls -ld /home/adminuser
sudo ls -la /home/adminuser/.ssh 2>/dev/null || true
sudo tail -n 200 /var/log/auth.log 2>/dev/null || true
sudo tail -n 200 /var/log/secure 2>/dev/null || true
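The permission checks behind the ls commands above, as an added shell function that is not from the original page: it applies sshd's StrictModes rules (owner matches, nothing group- or world-writable) to the home directory, ~/.ssh and authorized_keys, and flags a key file with no entries. The function names and the constructed temporary home and sample key in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: check the ownership and modes sshd's
# StrictModes requires before it honours ~/.ssh/authorized_keys, and that the
# file actually contains a key entry.

# $1 = path, $2 = expected numeric uid. Fail if the path is missing, owned by
# someone else, or writable by group or others (mode bits 022).
owned_and_private() {
  [ -e "$1" ] || { echo "missing: $1"; return 1; }
  owner=$(stat -c %u "$1")
  [ "$owner" -eq "$2" ] || { echo "wrong owner on $1: uid $owner (want $2)"; return 1; }
  mode=$(( 0$(stat -c %a "$1") ))        # octal mode string -> integer
  [ $(( mode & 022 )) -eq 0 ] || { echo "group/world-writable: $1"; return 1; }
}

# $1 = home directory, $2 = username or uid. Returns 0 only if sshd would accept the keys.
check_ssh_perms() {
  home=$1; rc=0
  case $2 in *[!0-9]*) uid=$(id -u "$2") ;; *) uid=$2 ;; esac
  owned_and_private "$home" "$uid" || rc=1
  owned_and_private "$home/.ssh" "$uid" || rc=1
  owned_and_private "$home/.ssh/authorized_keys" "$uid" || rc=1
  # An empty or comment-only authorized_keys is a frequent cause of "Permission denied (publickey)".
  if [ -f "$home/.ssh/authorized_keys" ] && ! grep -Eq '^[^#[:space:]]' "$home/.ssh/authorized_keys"; then
    echo "no key entries in $home/.ssh/authorized_keys"; rc=1
  fi
  return $rc
}

# Stand-alone demo on a constructed temporary home with a constructed key (no root needed).
demo() {
  h=$(mktemp -d); me=$(id -u)
  mkdir -m 700 "$h/.ssh"
  echo 'ssh-ed25519 AAAAconstructedSampleKeyNotReal alice@laptop' > "$h/.ssh/authorized_keys"
  chmod 600 "$h/.ssh/authorized_keys"
  check_ssh_perms "$h" "$me" && echo "ok: sshd would accept $h/.ssh/authorized_keys"
  chmod 775 "$h/.ssh"                     # the classic mistake: group-writable .ssh
  check_ssh_perms "$h" "$me" || echo "rejected as expected"
  rm -rf "$h"
}

demo
```

On a real host run check_ssh_perms /home/adminuser adminuser as root; each message names the exact path and condition to fix.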
Security notes
- Create individual admin users for each operator instead of sharing accounts.
- Use SSH keys and protect private keys with passphrases.
- After confirming sudo access works, disable direct root SSH login.
- Consider restricting SSH to trusted IPs and enabling rate limiting/banning.
- Keep /etc/sudoers.d/ files minimal and reviewed; use least privilege.
Quick reference
| Task | Command |
|---|---|
| Create user (interactive) | sudo adduser <user> |
| Create user (manual) | sudo useradd -m -s /bin/bash <user> && sudo passwd <user> |
| Grant sudo (Debian/Ubuntu) | sudo usermod -aG sudo <user> |
| Grant sudo (RHEL-based) | sudo usermod -aG wheel <user> |
| Verify groups | id <user> |
| Test sudo | sudo -v && sudo whoami |
| Install sudo (Debian/Ubuntu) | sudo apt install sudo |
| Install sudo (RHEL-based) | dnf install sudo |