Home / ubuntu / Questions / 16650
Accepted
Oli
Asked: 2010-12-09 08:01:55 +0800 CST

Create a new SSH user on Ubuntu Server

  • 772

Just created a new virtual Ubuntu server and I'm in the process of hardening it for production use. I currently have a root account. I want to do the following:

  • Create a new user (let's call them jim for the rest of this). I want them to have a /home/ directory.
  • Give jim SSH access.
  • Allow jim to su to root but not perform sudo operations.
  • Turn off root SSH access.
  • Move SSHd off to a non-standard port to help stop brute-attacks.

My problem lies with the first two items. I've already found useradd but for some reason, I can't log in as a user created with it over SSH. Do I need to beat SSHd to allow this?

server ssh users

9 Answers

  1. SSH is very picky about the directory and file permissions. Make sure that:

    1. The directory /home/username/.ssh has permission "700" and is owned by the user (not root!)
    2. The /home/username/ssh/authorized_keys has permission "600" and is owned by the user

    Copy your public key into the authorized_keys file.

    sudo chown -R username:username /home/username/.ssh
sudo chmod 0700 /home/username/.ssh
sudo chmod 0600 /home/username/.ssh/authorized_keys

    There is NO need to add the user to /etc/ssh/ssh_config.

    • 131
  2. Best Answer

    Edit (as root) /etc/ssh/sshd_config. Append the following to it:

    Port 1234
PermitRootLogin no
AllowUsers jim

    Port 1234 causes SSH to listen on port 1234. You can use any unused port from 1 to 65535. It's recommended to choose a privileged port (port 1-1024) which can only be used by root. If your SSH daemon stops working for some reason, a rogue application can't intercept the connection.

    PermitRootLogin disallows direct root login.

    AllowUsers jim allows user jim to login through SSH. If you do not have to login from everywhere, you can make this more secure by restricting jim to an IP address (replace 1.2.3.4 with your actual IP address):

    AllowUsers [email protected]

    Changes to the configuration file /etc/ssh/sshd_config are not immediately applied, to reload the configuration, run:

    sudo service ssh reload
    • 109

  3. There will be clues in /var/log/auth.log for why SSH (or PAM) is rejecting the login attempt. Additional clues may be found by using the -v option with the ssh client. Several common situations, some mentioned in the other answers:

    • the user account lacks a password, or is otherwise disabled (see man passwd, try resetting the password or checking the contents of /etc/shadow).
    • /etc/ssh/sshd_config is configured to disallow the login (DenyUsers, AllowUsers, PasswordAuthentication, PubkeyAuthentication, UsePAM etc, see man sshd_config).
    • the user's shell is not listed in /etc/shells.
    • various permission problems on directories or files related to SSH operation: /etc/ssh, /home/jim/.ssh, /home/jim/.ssh/*, etc.

    I'd also recommend using adduser (instead of useradd) for adding new users; it is a little more friendly about various default account settings.

    As long as the user is not part of the admin group, they will not be able to sudo to root. For them to use su, you will need to set a root password (passwd root), after which I recommend setting PermitRootLogin=no in /etc/ssh/sshd_config.

    • 14

  4. I could be wrong but I always have to install the server daemon before I can connect (At least on desktop) ssh is installed by default but that is just the client

    this command installs the server

    sudo apt-get install openssh-server

    You can change the port and stop root login by editing

    /etc/ssh/sshd_config

    This requires you to restart the service though.

    sudo service ssh restart

    • 11

  5. Jim will not have SSH access until you have set a password. As root execute:

    grep -i "jim" /etc/shadow | awk -F':' '{ print $2 }'

    If this command returns a "!" character then login is disabled for this account. Executing passwd jim as root will prompt you for a new and confirmed password string after which the grep command above should return a hashed string representing the password for jim.

    Also be sure to verify that jim has a login shell, set by default, and a home directory that exists.

    Please note lekensteyn's post for information on modifying SSH server settings.

    • 10

  6. In my case I had a group which was allowed access and the user was not part of it. This solved it for me.

    Using the example above with the user jim and assume member of group jim as it's only group (issue groups command while logged in as jim to find groups you are a part of). In my /etc/ssh/sshd_config file I had AllowGroups sshusers entry and thus needed to add jim to the sshusers group. Below is how this would be accomplished:

    usermod -a -G sshusers jim

    Replace your group and user as appropriate for your configuration.

    • 5

  7. There might be some instances that the PasswordAuthentication is disabled by default.

    Kindly check /etc/ssh/sshd_config and ensure that the PasswordAuthentication attribute is set to yes.

    • 0

  8. @Lekensteyn I'm unable to leave a comment to the question answer because I don't have the reputation - but I tried appending

    AllowUsers existingUser,newUser

    to my /etc/ssh/sshd_config file and now I can no longer ssh with both my existingUser or the newUser.

    • 0

  9. Simple note:

    The public key should be written inside this file:

    /home/newUsername/.ssh/authorized_keys
    • 0