This steps are performed on fresh Debian 10 installation, they can be followed on any Debian based distributions.
Login with an existing account, here it will be the user ‘arnaud‘, once logged in connect as root:
Type in the root password then, we will start by updating our repository sources and install sudo package:
apt-get update apt-get install sudo
While we are connected as root, we will had one of our existing users to sudo group to grant use of sudo special command. In this example the existing user is ‘arnaud’.
/sbin/usermod -aG sudo arnaud
This command will not return anything if both the group and the username exists.
We can now exit from our root connection.
The user ‘arnaud‘ is now member for the ‘sudo‘ group but we must logoff from that account and login back for this last change to apply.
We can login back immediately and check that we have been granted ‘sudo’ access.
This should display the list of groups the account is member of, including ‘sudo’ group.
Additional step, only if you can access your server locally (even if you need to connect a screen and keyboard to it later): Disable SSH root access explicitly by editing the file “/etc/ssh/sshd_config“
sudo nano /etc/ssh/sshd_config
Find the line “#PermitRootLogin yes“, remove the symbol “#” to un-comment the line and replace the final “yes” by “no“. The line should be now: “PermitRootLogin no“
Then restart SSH service to apply the new configuration.
sudo service sshd restart
Now what about the existing ‘root’ user ? Where a lot of people recommend to disable it completely or other recommend to lock it. I will suggest you to simply change the password for a really strong password. Strong enough to be annoying to type to reduce the like of using it just because you can. Force yourself and any other users to prefix their commands with ‘sudo’ when superuser permissions are required. Why ? Because one day, something, for some reasons, will go bad and that day you will realise that only the root account can fix the problem and if you are impaired of the direct root access then you will beat yourself up for disabling it. My root passwords are all 32 characters long mixed cases, digits, special characters. The only thing that prevents me to use them: complexity. I use a password manager to store them just for the day I will need them.
More resources on SUDO and its possibility will come soon.