Linux Admin

Add a sudo user on Ubuntu and Debian

Standard admin account setup — no daily root login required.

10 min read Beginner Updated 9 Jun 2026
Linux library Start the guide

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

Warning

Adding users to sudo grants full root capability. Use individual accounts — not shared admin logins. On production servers, prefer SSH keys and disable password sudo where policy allows.

What you will achieve

Create a standard user account on Ubuntu or Debian, grant sudo privileges, and verify access — the baseline admin setup without daily root login.

1) Create user (Ubuntu — interactive)

sudo adduser deploy

Sets home directory, shell, and password interactively. Ubuntu's adduser is a friendly wrapper around user creation tools.

2) Create user (Debian — non-interactive option)

sudo adduser --disabled-password --gecos "Deploy User" deploy
sudo passwd deploy

Or with explicit shell:

sudo useradd -m -s /bin/bash deploy
sudo passwd deploy

3) Grant sudo on Ubuntu

sudo usermod -aG sudo deploy

Ubuntu uses the sudo group. Member users run sudo command after re-login.

4) Grant sudo on Debian

sudo usermod -aG sudo deploy
# or add to sudoers drop-in:
echo 'deploy ALL=(ALL:ALL) ALL' | sudo tee /etc/sudoers.d/deploy
sudo chmod 440 /etc/sudoers.d/deploy

Prefer group membership over editing /etc/sudoers directly. Use visudo if you must edit the main file.

5) Install SSH public key

sudo mkdir -p /home/deploy/.ssh
sudo cp ~/.ssh/id_ed25519.pub /home/deploy/.ssh/authorized_keys
sudo chown -R deploy:deploy /home/deploy/.ssh
sudo chmod 700 /home/deploy/.ssh
sudo chmod 600 /home/deploy/.ssh/authorized_keys

6) Verify sudo access

su - deploy
sudo -l
sudo whoami

sudo -l lists allowed commands. sudo whoami should return root. Test from a second SSH session before closing your current root session.

7) Optional: passwordless sudo for automation

echo 'deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart myapp' | \
  sudo tee /etc/sudoers.d/deploy-automation
sudo chmod 440 /etc/sudoers.d/deploy-automation

Limit NOPASSWD to specific commands — never blanket NOPASSWD:ALL on production unless you enjoy incident reports.

8) Lock down root SSH

After confirming the sudo user works, set PermitRootLogin no in /etc/ssh/sshd_config and restart ssh. Daily admin work runs through the named account — auditable and revocable without sharing root password.

Verify

id deploy
groups deploy
grep deploy /etc/group | grep sudo

User exists, home is populated, sudo group membership confirmed. SSH login as deploy with key succeeds.

Related guides

sudo ubuntu useradd

Related guides

Continue with these next if you are building a fuller setup or troubleshooting path.

Admin
Create a sudo user on Linux (not root login)
Daily admin work as a named sudo user — leave root SSH login disabled.
Read guide
Admin
Manage users and groups
Practical Linux guide: manage users and groups without the usual guesswork.
Read guide