Create a new SSH user on Ubuntu Server

  • Just created a new virtual Ubuntu server and I'm in the process of hardening it for production use. I currently have a root account. I want to do the following:

    • Create a new user (let's call them jim for the rest of this). I want them to have a /home/ directory.
    • Give jim SSH access.
    • Allow jim to su to root but not perform sudo operations.
    • Turn off root SSH access.
    • Move SSHd off to a non-standard port to help stop brute-attacks.

    My problem lies with the first two items. I've already found useradd but for some reason, I can't log in as a user created with it over SSH. Do I need to beat SSHd to allow this?

    Hi! I can help you with servers. I don't know what your problem with SSH is, because for me the default config never refuses my connection. You may see *man 5 nologin*; it says that if /etc/nologin exists, you can log in as root only. Try logging in normally, then write the results.

    What's the user's shell? Is it /bin/bash? Check that out in /etc/passwd. Make sure it's not /dev/null or /bin/false.

    Yes LFC_fan, or /etc/nologin too. Use (sudo) cat /etc/passwd | grep jim

    @B. Roland I do have a `/etc/nologin` file but it's empty. I deleted it and restarted ssh but it's still just responding `Permission denied, please try again.` when I try and log in.

    @LFC_fan it's /bin/bash

    Here's the passwd line: `jimx:1000:1000::/home/jim:/bin/bash`

    Did you make a typo? There should really be a `:` between `jim` and `x`. Why would you allow `su` to root, but disallow `sudo`?

    Lekensteyn: yeah, it's a typo. The user isn't really called `jim`, so I've been editing it. Obviously got carried away there.

    Can you clarify your third point? Why would you allow root with su, but disallow sudo?

  • Lekensteyn (Correct answer)

    10 years ago

    Edit (as root) /etc/ssh/sshd_config. Append the following to it:

    Port 1234
    PermitRootLogin no
    AllowUsers jim
    

    Port 1234 causes SSH to listen on port 1234. You can use any unused port from 1 to 65535. It's recommended to choose a privileged port (port 1-1024) which can only be used by root. If your SSH daemon stops working for some reason, a rogue application can't intercept the connection.

    PermitRootLogin disallows direct root login.

    AllowUsers jim allows user jim to login through SSH. If you do not have to login from everywhere, you can make this more secure by restricting jim to an IP address (replace 1.2.3.4 with your actual IP address):

    AllowUsers jim@1.2.3.4
    

    Changes to the configuration file /etc/ssh/sshd_config are not immediately applied; to reload the configuration, run:

    sudo service ssh reload
    

    +1: Note: these instructions are still applicable to newer versions of Ubuntu (e.g. 13.04). If you do want `root` login, however, (perhaps you're still setting up the server), you must set `PermitRootLogin` to `yes` and also add `root` to `AllowUsers`.

    what's the password for this user?

    My VPS comes with a root password for SSH login on port 22. Appending the answer to sshd_config results in root being unable to log in. Is this because I also used port 22 for jim, or is there some other reason?

    @Wolfpack'08 The `PermitRootLogin no` option works exactly as advertised and applies to all logins on any port.

    @Lekensteyn I've found just adding a new user to Ubuntu itself creates an ssh account for that user.... `useradd -m -G sudo,adm -s /bin/bash mecharok` and `passwd mecharok`

    @Wolfpack'08 Use `AllowUsers username1,username2` to restrict SSH logins to those users. Ensure that `sshd` is reloaded. If this does not help, please create a new question.

    @Lekensteyn Yeah, good point. Makes it more secure.

    If the SSH area is not created when adding the user -> `sudo su --login jim` and then execute `ssh-keygen` (creates the ".ssh" directory and id_rsa and id_rsa.pub for the new user jim, with proper permissions). The OP may also want to restrict private key usage with a password here as well. Or, conversely, if you use 'puttygen' to create the private key, you can create it with a password. (Then copy the bit it tells you to into `authorized_keys`.)

    Actually, you don't need to do the `/etc/ssh/sshd_config` modification.

    @Lekensteyn your command: `AllowUsers username1,username2` has the wrong format and will lock you out of your server!! The correct command to set is: `AllowUsers username1 username2`
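    As an added example (not from the answer or its comments), a small pre-flight check for the directives discussed here, including the comma mistake the last comment warns about; the sample config it inspects is constructed, and the wording of the findings is my own:

    ```sh
    #!/bin/sh
    # Added example, not from the thread: sanity-check an sshd_config before
    # reloading sshd. The sample config written below is constructed.

    # Print one finding per line; prints nothing when the directives look sane.
    check_sshd_config() {
        cfg="$1"
        # Drop comments and blank lines, then inspect each effective directive.
        grep -Ev '^[[:space:]]*(#|$)' "$cfg" | while read -r key rest; do
            case "$key" in
                AllowUsers|AllowGroups|DenyUsers|DenyGroups)
                    # Names are space separated; "a,b" is one bogus name that matches
                    # nobody, which is how the comma variant locks everyone out.
                    case "$rest" in *,*) echo "$key uses commas: '$rest' (separate names with spaces)" ;; esac ;;
                PermitRootLogin)
                    [ "$rest" = "no" ] || echo "PermitRootLogin is '$rest' (set to 'no' once a normal user can log in)" ;;
                Port)
                    [ "$rest" -gt 0 ] 2>/dev/null && [ "$rest" -le 65535 ] || echo "Port '$rest' is not a valid port" ;;
            esac
        done
        # Without AllowUsers/AllowGroups every account with a valid shell may log in.
        grep -Eq '^[[:space:]]*Allow(Users|Groups)' "$cfg" || echo "no AllowUsers/AllowGroups line: all accounts may log in"
    }

    # Constructed sample reproducing the comma mistake and a root login left enabled.
    sample_sshd_config() {
        cat <<'EOF'
    # constructed sample, not a real server's configuration
    Port 1234
    PermitRootLogin yes
    AllowUsers jim,bob
    EOF
    }

    tmp=$(mktemp)
    sample_sshd_config > "$tmp"
    check_sshd_config "$tmp"
    rm -f "$tmp"
    ```

    `sshd -t -f <file>` (as root) only validates syntax; this script checks the intent of the directives, so run both before `sudo service ssh reload`.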

  • SSH is very picky about the directory and file permissions. Make sure that:

    1. The directory /home/username/.ssh has permission "700" and is owned by the user (not root!)
    2. The /home/username/.ssh/authorized_keys has permission "600" and is owned by the user

    Copy your public key into the authorized_keys file.

    sudo chown -R username:username /home/username/.ssh
    sudo chmod 0700 /home/username/.ssh
    sudo chmod 0600 /home/username/.ssh/authorized_keys
    

    There is NO need to add the user to /etc/ssh/ssh_config.

    My problem was chown, I created `~/.ssh` as root and never gave the user ownership.

    My problem was that I was trying to use `/root/.ssh/authorized_keys` instead of `/home/bob/.ssh/authorized_keys`.

    I can confirm: on our VPS hosting there was no need to edit `ssh_config`. Setting up that directory and file was enough.

    For me it had to be chmod 755 /home/username/.ssh otherwise it wouldn't work.

    Much easier to login as user (or `sudo su --login {user}`) and run `ssh-keygen` -> The ".ssh" folder, key+cert and permissions are completed. Just create authorized_keys as per your instructions.

    Can I restrict user to particular dir access ?
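    As an added example (not from the answer or its comments), an audit of the ownership and modes the answer lists, applied to a constructed fixture with the usual mistakes and then again after fixing them; the function and fixture names are my own:

    ```sh
    #!/bin/sh
    # Added example, not from the answer above: audit a user's ~/.ssh the way
    # sshd's StrictModes does, using ls/awk only so it runs on any POSIX system.
    # The directory it inspects is a constructed fixture in a temp dir.

    mode_of()  { ls -ld "$1" | awk '{print substr($1, 1, 10)}'; }   # e.g. drwx------
    owner_of() { ls -ld "$1" | awk '{print $3}'; }

    # Usage: audit_ssh_dir <home> <expected-owner>
    # Prints one problem per line; prints nothing when everything is correct.
    audit_ssh_dir() {
        d="$1/.ssh"; ak="$d/authorized_keys"; want="$2"
        [ -d "$d" ] || { echo "missing $d"; return 1; }
        [ "$(owner_of "$d")" = "$want" ] || echo "$d is owned by $(owner_of "$d"), not $want"
        case "$(mode_of "$d")" in
            drwx------) ;;                                   # 0700 is what chmod 700 gives
            *) echo "$d mode is $(mode_of "$d"), want drwx------ (700)" ;;
        esac
        [ -f "$ak" ] || { echo "missing $ak"; return 1; }
        [ "$(owner_of "$ak")" = "$want" ] || echo "$ak is owned by $(owner_of "$ak"), not $want"
        case "$(mode_of "$ak")" in
            -rw-------) ;;                                   # 0600
            *) echo "$ak mode is $(mode_of "$ak"), want -rw------- (600)" ;;
        esac
    }

    # Constructed fixture with the usual mistakes: world-readable .ssh and a
    # group/world-readable authorized_keys. Owned by whoever runs this.
    make_bad_fixture() {
        fx=$(mktemp -d)
        mkdir "$fx/.ssh" && chmod 755 "$fx/.ssh"
        : > "$fx/.ssh/authorized_keys" && chmod 644 "$fx/.ssh/authorized_keys"
        echo "$fx"
    }

    me=$(id -un)
    fx=$(make_bad_fixture)
    echo "--- before fix"; audit_ssh_dir "$fx" "$me"
    chmod 700 "$fx/.ssh"; chmod 600 "$fx/.ssh/authorized_keys"
    echo "--- after fix (silence means OK)"; audit_ssh_dir "$fx" "$me"
    rm -rf "$fx"
    ```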

  • There will be clues in /var/log/auth.log for why SSH (or PAM) is rejecting the login attempt. Additional clues may be found by using the -v option with the ssh client. Several common situations, some mentioned in the other answers:

    • the user account lacks a password, or is otherwise disabled (see man passwd, try resetting the password or checking the contents of /etc/shadow).
    • /etc/ssh/sshd_config is configured to disallow the login (DenyUsers, AllowUsers, PasswordAuthentication, PubkeyAuthentication, UsePAM etc, see man sshd_config).
    • the user's shell is not listed in /etc/shells.
    • various permission problems on directories or files related to SSH operation: /etc/ssh, /home/jim/.ssh, /home/jim/.ssh/*, etc.

    I'd also recommend using adduser (instead of useradd) for adding new users; it is a little more friendly about various default account settings.

    As long as the user is not part of the admin group, they will not be able to sudo to root. For them to use su, you will need to set a root password (passwd root), after which I recommend setting PermitRootLogin=no in /etc/ssh/sshd_config.

    Thanks a lot for the great answer; especially "adduser" helped a lot!

  • I could be wrong, but I always have to install the server daemon before I can connect (at least on desktop): ssh is installed by default, but that is just the client.

    This command installs the server:

    sudo apt-get install openssh-server

    You can change the port and stop root login by editing

    /etc/ssh/sshd_config

    This requires you to restart the service though.

    sudo service ssh restart

    This is a virtual server (VPS) so SSH is installed by default. It's my only interface to the server. And you can reload configuration via `sudo /etc/init.d/ssh reload` instead, but good information nonetheless.

  • Jim will not have SSH access until you have set a password. As root execute:

    grep -i "jim" /etc/shadow | awk -F':' '{ print $2 }'
    

    If this command returns a "!" character then login is disabled for this account. Executing passwd jim as root will prompt you for a new and confirmed password string after which the grep command above should return a hashed string representing the password for jim.

    Also be sure to verify that jim has a login shell, set by default, and a home directory that exists.

    Please note lekensteyn's post for information on modifying SSH server settings.

    "If this command returns a "!" character then login is disabled for this account" Note this doesn’t mean you can’t SSH; only that you can’t do it with a password (vs. with your public key).
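    As an added example that is not part of either answer, a check that combines the causes listed above (shell not in /etc/shells, missing home, a "!" or empty password field in /etc/shadow) into one status function; it runs against constructed copies of the three files, so no root is needed and the placeholder hashes are not real:

    ```sh
    #!/bin/sh
    # Added example, not from the answers above: decide from snapshots of
    # /etc/passwd, /etc/shadow and /etc/shells whether an account can log in,
    # reporting the causes this thread discusses. The files used here are
    # constructed samples, so it runs without root and touches nothing real.

    # Usage: login_status <user> <passwd-file> <shadow-file> <shells-file>
    # Prints "ok" or the problems found, space separated; exit 1 on problems.
    login_status() {
        u="$1"; pw="$2"; sd="$3"; shells="$4"; problems=""
        line=$(awk -F: -v u="$u" '$1 == u' "$pw")
        [ -n "$line" ] || { echo "no-such-user"; return 1; }
        home=$(printf '%s\n' "$line" | cut -d: -f6)
        shell=$(printf '%s\n' "$line" | cut -d: -f7)
        # sshd rejects accounts whose shell is not a valid login shell.
        grep -qx "$shell" "$shells" || problems="$problems shell-not-in-/etc/shells"
        [ -d "$home" ] || problems="$problems home-missing"
        # Shadow field 2: '!' or '*' locks password login (keys may still work);
        # empty means no password was ever set. 'passwd <user>' fixes both.
        hash=$(awk -F: -v u="$u" '$1 == u { print $2 }' "$sd")
        case "$hash" in
            "")      problems="$problems no-password-set" ;;
            !*|\**)  problems="$problems password-locked" ;;
        esac
        [ -n "$problems" ] || { echo ok; return 0; }
        echo "${problems# }"; return 1
    }

    # Constructed fixtures; the hash values are placeholders, not real hashes.
    write_fixtures() {
        dir=$(mktemp -d)
        {
            printf 'jim:x:1000:1000::%s:/bin/bash\n' "$dir"    # fresh useradd, never passwd'ed
            printf 'bob:x:1001:1001::%s:/bin/false\n' "$dir"   # shell not in /etc/shells
            printf 'ann:x:1002:1002::%s:/bin/bash\n' "$dir"    # healthy account
        } > "$dir/passwd"
        printf 'jim:!:19000:0:99999:7:::\nbob:$6$PLACEHOLDER:19000:0:99999:7:::\nann:$6$PLACEHOLDER:19000:0:99999:7:::\n' > "$dir/shadow"
        printf '/bin/sh\n/bin/bash\n' > "$dir/shells"
        echo "$dir"
    }

    dir=$(write_fixtures)
    for u in jim bob ann nobody; do
        printf '%-7s %s\n' "$u" "$(login_status "$u" "$dir/passwd" "$dir/shadow" "$dir/shells")"
    done
    rm -rf "$dir"
    ```

    Point it at the real files (`login_status jim /etc/passwd /etc/shadow /etc/shells`, as root) to get the same verdict for an actual account.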

  • In my case I had a group which was allowed access and the user was not part of it. This solved it for me.

    Using the example above with the user jim, and assuming jim is a member of group jim as its only group (issue the groups command while logged in as jim to find the groups you are a part of): in my /etc/ssh/sshd_config file I had an AllowGroups sshusers entry and thus needed to add jim to the sshusers group. Below is how this would be accomplished:

    usermod -a -G sshusers jim
    

    Replace your group and user as appropriate for your configuration.

    You should improve your answer by referencing a source that better explains your example, or by adding relevant information basing your example on the OP's original question. For example, the user specified `jim` as a dummy user to help provide context. The article here explains it well.

  • There might be some instances where PasswordAuthentication is disabled by default.

    Kindly check /etc/ssh/sshd_config and ensure that the PasswordAuthentication attribute is set to yes.

  • @Lekensteyn I'm unable to leave a comment to the question answer because I don't have the reputation - but I tried appending

    AllowUsers existingUser,newUser
    

    to my /etc/ssh/sshd_config file and now I can no longer ssh with both my existingUser or the newUser.

    I understand your pain :D I had the same issue once. Solution: `AllowUsers [email protected]* [email protected]*`

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM