CentOS 7 add new user with root privileges

ssh centos terminal sshd
80,271

Solution 1

I am reading this tutorial, and trying to create a new user with root privileges and then block root access via ssh in a CentOS 7 server. The problem is that the new user is blocked from doing root actions like nano /etc/sudoers. Also, I seem unable to remove the block of root login. So my pre-existing open root session is the only access I have to root functionality until it terminates. How can I successfully add root permissions to the newuser? And how can I successfully turn on/off root login?

  1. Strictly speaking, the real use of sudo is to configure the execution of certain specific commands to certain specific users or groups. The way sudo is distributed and configured in some distributions can be somewhat misleading because to become the root user, we can just type su - without involving sudo. This requires the entry of the password for the user, root, and not the user's password. So you could have used this.
  2. Try to never use anything except visudo to directly edit /etc/sudoers. Otherwise you could break authentication altogether until you change its permissions back to 0400 (which you cannot do after you log out without utilizing a rescue system of some sort). (The editor used by visudo can be controlled by the VISUAL environment variable. To use it with nano, one option is VISUAL=nano visudo.)
  3. The new user already can become root (point 1), but to let this user become root though sudo, just add the user to the right group. On CentOS 7, the traditional group name of wheel was used to allow members of that group to become root via sudo: usermod -a -G wheel codemedic. Use man usermod for more details. You can determine this group name by reading the configuration file: cat /etc/sudoers.
  4. To deny access to root via SSH, edit /etc/ssh/sshd_config and make sure that only one uncommented instance of PermitRootLogin is available and set it to a value of no: PermitRootLogin no. Save the file and restart the Secure Shell daemon: systemctl restart sshd.

Note that I edited /etc/sudoers because /usr/sbin/visudo did not work.

How does visudo not work?

Solution 2

The way CentoOS grants root(all) privileges to a user is by putting them in the wheel group. This is what happens when you make a user account and select the box that makes that user an Administrator.

You can put a user in a group with:

sudo usermod -aG wheel username

To disable an account from logging in, including the root account you can lock it by setting a non usable password.

sudo passwd -l username

Solution 3

These steps worked for me.

Add user:

useradd user

Add password:

passwd user

Add following line to the /etc/sudoers file by using the command visudo:

user ALL=(ALL)       ALL

or, for becoming root without having to enter a password, 

ALL ALL=(ALL) NOPASSWD:ALL

Then, switch to that user

su user

and ask for root privileges:

sudo su -

Enter password for new user:

[sudo] password for user:
Share:
80,271

Related videos on Youtube

RabT
Author by

RabT

Updated on September 18, 2022

Comments

  • RabT
    RabT over 1 year

    I am reading this tutorial, and trying to create a new user with root privileges and then block root access via ssh in a CentOS 7 server. The problem is that the new user is blocked from doing root actions like nano /etc/sudoers. Also, I seem unable to remove the block of root login. So my pre-existing open root session is the only access I have to root functionality until it terminates. How can I successfully add root permissions to the newuser? And how can I successfully turn on/off root login?

    Here is what I have so far:

    In /etc/sudoers, I have: 

    ## Allow root to run any commands anywhere
root    ALL=(ALL)   ALL
newusername  ALL=(ALL)  ALL

    Note that I edited /etc/sudoers because /usr/sbin/visudo did not work.

    In /etc/ssh/sshd_config I have PermitRootLogin yes because I want to turn root login back on until I can get newusername to have root privileges. Also, the last line of the file is AllowUsers newusername.

    I then typed systemctl reload sshd.service because /etc/init.d/sshd reload threw an error on CentOS 7.

    The problem is that currently newusername does not have root privileges and yet I am not able to login as root either. So my pre-existing connection as root is my only way of controlling the machine.

    EDIT #1

    I was able to give the new user sudo privileges with gpasswd -a newusername wheel, but I still cannot log in as root even though I have PermitRootLogin yes in /etc/ssh/sshd_config. How can I get CentOS 7 to respect the settings in /etc/ssh/sshd_config? I should be able to turn root login on and then off again at will, and have the settings actually work.

    • text
      text over 9 years
      Anytime you change the contents of sshd_config you will need to either reboot your system or restart the sshd daemon.
    • RabT
      RabT over 9 years
      @mdpc the server is on a remote network. i am logging into it via ssh. Do I have to get someone at the physical location of the server to restart the sshd daemon? I am concerned that running systemctl stop/start sshd.service remotely via ssh would cause my connection to close after the stop and before the start, thus locking me out.
    • eyoung100
      eyoung100 about 9 years
      For that matter, /etc/sudoersshould not be edited unless using visudo
  • RabT
    RabT almost 9 years
    Thank you and +1 for taking the time to write an informative answer.
  • RabT
    RabT about 7 years
    Your response is similar to the gpasswd -a newusername wheel in the 2014 edit to the OP above. Technically, sudo only lets users do some root operations. There are still certain commands which a sudoer cannot execute unless they su - to actually become root. I think a good answer would describe how to create the someuser account privileges that would enable them to perform any command if another user elevates to that account via su - someuser. But I am giving this +1 because you took the time to respond to an old posting. Thank you.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

SSH Connection Refused In CentOS?
Cannot ssh into VirtualBox CentOS 7 guest from Debian host
iptables prevents connection via ssh after port change despite ACCEPT rule
SSH: connection reset after idle for some time
How to suppress debug2 messages during SSH session?
Change default path for when I SSH in to CentOS server?
Installing fail2ban on CentOS 7
SSH Agent loses identity while restart machine
How to do SSH agent forwarding on Mac terminal?
SSHD Gives error could not open Authorized Keys, although permissions seem correct