Why named accounts matter: Many cloud providers (Vultr, DigitalOcean, Linode) create VMs with only a root account. Logging in and working as root has no audit trail — every action is indistinguishable from every other. Named accounts with sudo give you accountability, traceability, and least-privilege access. This guide gets you off root as quickly as possible.
All commands in this guide are run as root. The examples use jbusch (Jared Busch) as the new username — substitute your own wherever you see it.
Step 1 — Set the Username Variable
Define a shell variable for the new username. Every command below references it, so you only need to change one line.
NEWUSER="jbusch"
This variable exists only for the current shell session. If you disconnect and reconnect, set it again before running any of the commands below.
Step 2 — Create the User Account
Create the system account with a home directory, a full name, and bash as the default shell.
useradd -m -c "Jared Busch" -s /bin/bash $NEWUSER
-m creates the home directory at /home/$NEWUSER
-c "Jared Busch" sets the GECOS comment field — this is how the full name is stored on Linux
-s /bin/bash sets bash as the login shell
Step 3 — Set an Initial Password
Set the initial password for the account. You will be prompted to enter it twice.
passwd $NEWUSER
The password will not echo to the terminal as you type — this is normal. Enter it once, press Enter, then enter it again to confirm.
Step 4 — Force Password Reset on First Login (Optional)
If you are creating this account for someone else, you can require them to choose their own password the first time they log in.
chage -d 0 $NEWUSER
Setting the last-password-change date to 0 (epoch) tells PAM that the password has never been changed, which triggers a forced reset at the next successful login.
Skip this step if you are setting up your own account or if the user will authenticate exclusively with an SSH key and never needs to type a password.
Step 5 — Grant Sudo Privileges
On Fedora, sudo access is granted by membership in the wheel group. The /etc/sudoers file already includes a rule for it — no additional configuration or package installation is required.
usermod -aG wheel $NEWUSER
Debian and Ubuntu use a group named sudo instead of wheel, and sudo itself may not be installed on a minimal Debian image (apt install sudo). On Fedora both the package and the wheel rule are present by default.
Step 6 — Set Up SSH Key Authentication
Create the .ssh directory, set the correct permissions, and add the user's public key.
mkdir -p /home/$NEWUSER/.ssh
touch /home/$NEWUSER/.ssh/authorized_keys
chown -R $NEWUSER:$NEWUSER /home/$NEWUSER/.ssh
chmod 700 /home/$NEWUSER/.ssh
chmod 600 /home/$NEWUSER/.ssh/authorized_keys
Open the authorized_keys file and paste the user's public key (the contents of their .pub file):
nano /home/$NEWUSER/.ssh/authorized_keys
Paste the public key on a single line, then save with Ctrl+O, Enter, and exit with Ctrl+X.
Permissions are critical. SSH silently rejects key authentication if ownership or permissions are wrong. The .ssh directory must be 700 and authorized_keys must be 600. Since root created these files, the chown step is required — SSH will reject the key if the files are owned by root even if the permissions look correct.
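The ownership and mode requirements above, plus the single-line paste from the previous step, can be checked from the root session before you test the login. The script below is an added example and not part of the original guide; the function names and the key-line heuristic are assumptions, and it relies on GNU stat as shipped on Fedora.

```bash
#!/usr/bin/env bash
# Added example: audit the ~/.ssh layout that Step 6 creates (needs GNU stat).

# expect_perm PATH MODE OWNER: print a finding and return 1 on any mismatch.
expect_perm() {
    local mode owner rc
    rc=0
    [ -e "$1" ] || { echo "MISSING: $1"; return 1; }
    mode=$(stat -c '%a' "$1")
    owner=$(stat -c '%U' "$1")
    [ "$mode" = "$2" ] || { echo "MODE: $1 is $mode, expected $2"; rc=1; }
    [ "$owner" = "$3" ] || { echo "OWNER: $1 is $owner, expected $3"; rc=1; }
    return $rc
}

# check_key_lines FILE: each non-blank, non-comment line must look like one key.
# Heuristic (assumption): a key-type token followed by a base64 blob in "AAAA...".
check_key_lines() {
    local line n keys rc
    n=0; keys=0; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        if printf '%s\n' "$line" | grep -Eq \
            '(^| )(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9@.-]+) AAAA[A-Za-z0-9+/]+=*( |$)'
        then keys=$((keys + 1))
        else echo "KEY: line $n of $1 is not a complete key (wrapped paste?)"; rc=1
        fi
    done < "$1"
    [ "$keys" -gt 0 ] || { echo "KEY: $1 contains no keys"; rc=1; }
    return $rc
}

# audit_ssh_layout USER [HOME]: return 0 only if the layout matches Step 6.
audit_ssh_layout() {
    local home rc
    home="${2:-/home/$1}"; rc=0
    expect_perm "$home/.ssh" 700 "$1" || rc=1
    expect_perm "$home/.ssh/authorized_keys" 600 "$1" || rc=1
    if [ -f "$home/.ssh/authorized_keys" ]; then
        check_key_lines "$home/.ssh/authorized_keys" || rc=1
    fi
    return $rc
}

# Runs only when NEWUSER is set, as in Step 1 (run as root).
if [ -n "${NEWUSER:-}" ]; then audit_ssh_layout "$NEWUSER"; fi
```

No output and an exit status of 0 mean the layout matches Step 6; each MISSING, MODE, OWNER or KEY line names the path to fix.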
Verify the Account
Before closing your root session, confirm that the new account can log in and use sudo. Open a second SSH session (keep your root session open as a fallback) and log in as the new user.
Once logged in, verify sudo access:
sudo whoami
The output should be root. If it is, the account is fully operational.
Do not close your root session until you have confirmed the new account works. If something is misconfigured and you close root before verifying, you may lock yourself out of the server.
Additional Notes
Hardening SSHD
Once your named account is working, you should harden the SSH daemon — at minimum disabling password authentication entirely and blocking direct root login. Leaving either enabled is a significant security risk on any internet-facing server. See the Hardening SSHD: Key-Only Auth and No Root Login guide for the complete walkthrough.
Checking Group Membership
To confirm the user was added to wheel correctly:
id $NEWUSER
The output should include wheel in the groups list.
Reversing the Forced Password Reset
If you applied the forced reset in Step 4 and want to undo it (for example, you set it by mistake), reset the last-change date to today:
chage -d $(date +%Y-%m-%d) $NEWUSER