That's the safest way to allow root access for yourself, and not for the millions
of hostile attackers who are eyeing your system at this very moment.
Securing Root Access
You might already be set up to use sudo. Log in to your server and try running
some simple command (like id, which just reports who you are) using sudo:
Remote $ sudo id
[sudo] password for andy:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
It worked! This machine is already set up so that I can sudo. But on a machine
that isn't set up, you'll get this scary warning:
andy is not in the sudoers file. This incident will be reported.
Yikes! Sounds like the cops will come after us. Have no fear: it's only logging
the attempt to a log file. All it means is that you have to add your name to
the permissions file for sudo.
To do that, log in as root and add the following line to the bottom of the file
/etc/sudoers (nano is a convenient editor to use over SSH; we'll cover how to
install that and more in the next section):
andy ALL=(ALL) ALL
But use your username, not “andy”—unless your username actually is Andy.
Save the file and try to use sudo again.
Once you can successfully ssh in without a password, and you can use sudo
to do things as root, then you can turn off the use of passwords and not allow
root to ssh in directly.
Now obviously that sounds a little dangerous, as you could accidentally lock
yourself out of the computer. To help prevent that, open one window and log
in to your server as root. Leave that window open and leave it alone, then
open a second window to start changing settings. In case you mess up and
can't log in or sudo for some reason, you have this window still open—as root,
the Great and Powerful—as a backup.
In your new window, log in as root and edit the file /etc/ssh/sshd_config. You
want to find these two lines and uncomment them, or change them to read no:
PasswordAuthentication no
PermitRootLogin no
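
A check you can run on the edited file before closing the backup root window. This is an added example, not code from the book: the function names effective_sshd_value and check_hardening are made up here, and the sample file is constructed. It relies on sshd using the first value it reads for a keyword, so a "no" placed below an earlier "yes" has no effect.

```shell
#!/bin/sh
# effective_sshd_value FILE KEYWORD  (hypothetical helper)
# Prints the value the global section of FILE gives KEYWORD: keywords are
# case-insensitive, '#' lines are comments, and the first value read wins.
# Include files and Match blocks are not evaluated here.
effective_sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }        # comment or blank line
        tolower($1) == "match" { exit }       # end of the global section
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# check_hardening FILE  (hypothetical helper)
# Returns 0 only if both settings from the text are effectively "no".
check_hardening() {
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        val=$(effective_sshd_value "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "ok:   $kw no"
        else
            echo "FAIL: $kw is '${val:-unset}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the commented line is ignored, and the "no" at the
# bottom loses to the earlier "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF
check_hardening "$sample" || echo "password logins are still enabled"
rm -f "$sample"
```

On the server itself, sshd -t checks the syntax of /etc/ssh/sshd_config and visudo -c checks /etc/sudoers; run both while the backup root window is still open.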