![\"Add](\"http:\/\/blog.staginginstance.com\/wp-content\/uploads\/2018\/04\/linux-security-300x169.jpg\")
<\/p>\n<\/p>\n
Why the need to add new users in linux? Well, we often work on a project with a large team having number of developers coding, deploying the code to the server constantly. Most of the team i have noticed uses single ssh key to log into the server. And that is definitely a security concern. Suppose if key gets compromised from one of the developer’s system during a hack or something, then your app can be hacked easily, which i am sure no team want.<\/p>\n
To avoid this situation, we can easily setup different linux users with different ssh keys to login with restricted access. This way even if one of the keys are compromised you won’t lose your server access and you can just delete user with ease.<\/p>\n
newuser<\/code>\u00a0account to the system (with an entry in the\u00a0\/etc\/passwd<\/code>\u00a0file). This command also creates a group and a home directory for the account.\n[ec2-user ~]$ sudo adduser <\/strong><\/code><\/pre>\n[Ubuntu] When adding a user to an Ubuntu system, include the\u00a0--disabled-password<\/code>option with this command to avoid adding a password to the account.<\/p>\n[ubuntu ~]$ <\/code>sudo<\/span> adduser newuser<\/code><\/em><\/code><\/strong> --disabled-password<\/code><\/pre>\n<\/li>\n- Switch to the new account so that newly created files have the proper ownership.\n
[ec2-user ~]$ <\/code>sudo<\/span> su - newuser<\/code><\/em><\/code><\/strong> <\/code><\/pre>\n[newuser ~]$<\/code><\/code><\/pre>\nNotice that the prompt changes from\u00a0ec2-user<\/code>\u00a0to\u00a0newuser<\/code>\u00a0to indicate that you have switched the shell session to the new account.<\/li>\n- Create a\u00a0
.ssh<\/code>\u00a0directory in the\u00a0newuser<\/code>\u00a0home directory and change its file permissions to\u00a0700<\/code>\u00a0(only the owner can read, write, or open the directory).\n[newuser ~]$ <\/code>mkdir<\/span> .ssh<\/code><\/strong> <\/code><\/pre>\n[newuser ~]$ <\/code>chmod<\/span> 700<\/span> .ssh<\/code><\/strong><\/code><\/pre>\n\nImportant:\u00a0<\/strong>Without these exact file permissions, the user will not be able to log in.<\/p>\n<\/div>\n<\/li>\n- Create a file named\u00a0
authorized_keys<\/code>\u00a0in the\u00a0.ssh<\/code>\u00a0directory and change its file permissions to\u00a0600<\/code>\u00a0(only the owner can read or write to the file).\n[newuser ~]$ <\/code>touch<\/span> .ssh\/authorized_keys<\/code><\/strong> <\/code><\/pre>\n[newuser ~]$ <\/code>chmod<\/span> 600<\/span> .ssh\/authorized_keys<\/code><\/strong><\/code><\/pre>\n\nImportant:\u00a0<\/strong>Without these exact file permissions, the user will not be able to log in.<\/p>\n<\/div>\n<\/li>\n- Open the\u00a0
authorized_keys<\/code>\u00a0file using your favorite text editor (such as\u00a0vim<\/b>\u00a0or\u00a0nano<\/b>).\n[newuser ~]$ <\/code>nano<\/span> .ssh\/authorized_keys<\/code><\/strong><\/code><\/pre>\nPaste the public key for your key pair into the file and save the changes. For example:<\/p>\n
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6V\r\nhz2ItxCih+PnDSUaw+WNQn\/mZphTk\/a\/gU8jEzoOWbkM4yxyb\/wB96xbiFveSFJuOp\/d6RJhJOI0iBXr\r\nlsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5\/i8SeJtjnV3iAoG\/cQk+0FzZ\r\nqaeJAAHco+CY\/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3Rb\r\nBQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLE<\/code><\/pre>\nThe user should now be able to log into the\u00a0newuser<\/code>\u00a0account on your instance using the private key that corresponds to the public key that you added to the\u00a0authorized_keys<\/code>\u00a0file.<\/p>\nSo this was easy right?<\/li>\n<\/ul>\n
To remove a user from the system<\/b><\/h5>\n
If a user account is no longer needed, you can remove that account so that it may no longer be used. When you specify the\u00a0-r<\/code>\u00a0option, the user’s home directory and mail spool are deleted. To keep the user’s home directory and mail spool, omit the\u00a0-r<\/code>\u00a0option.<\/p>\n[ec2-user ~]$ <\/code>sudo<\/span> userdel -r olduser<\/code><\/em><\/code><\/strong><\/code><\/pre>\nNow we need to setup appropriate permissions to our newly create user. This can be done by creating linux group.<\/p>\n
Steps to PROVIDE READ\/WRITE permissions on a folder to a linux user:<\/h5>\n