Create a new SSH user on Ubuntu Server
My problem lies with the first two items. I’ve already found useradd but for some reason, I can’t log in as a user created with it over SSH. Do I need to beat SSHd to allow this?
Hi! I can help you in servers, I don’t know what is your problem with SSH, because for me with default config never refuses my connection. You may see man 5 nologin, this writes, that if /etc/nologin exists, you can log in with root only. Try login normally, then write the results.
What’s the user’s shell? Is it /bin/bash? Check that out in /etc/passwd. Make sure it’s not /dev/null or /bin/false.
@B. Roland I do have a /etc/nologin file but it’s empty. I deleted it and restarted ssh but it’s still just responding Permission denied, please try again. when I try and log in.
9 Answers
SSH is very picky about the directory and file permissions. Make sure that:
- The directory /home/username/.ssh has permission «700» and is owned by the user (not root!)
- The file /home/username/.ssh/authorized_keys has permission «600» and is owned by the user
Copy your public key into the authorized_keys file.
sudo chown -R username:username /home/username/.ssh
sudo chmod 0700 /home/username/.ssh
sudo chmod 0600 /home/username/.ssh/authorized_keys
There is NO need to add the user to /etc/ssh/ssh_config.
My problem was that I was trying to use /root/.ssh/authorized_keys instead of /home/bob/.ssh/authorized_keys .
I can confirm: on our VPS hosting there was no need to edit ssh_config . Setting up that directory and file was enough.
Much easier to login as user (or sudo su —login
Edit (as root) /etc/ssh/sshd_config . Append the following to it:
Port 1234
PermitRootLogin no
AllowUsers jim
Port 1234 causes SSH to listen on port 1234. You can use any unused port from 1 to 65535. It’s recommended to choose a privileged port (port 1-1024) which can only be used by root. If your SSH daemon stops working for some reason, a rogue application can’t intercept the connection.
PermitRootLogin disallows direct root login.
AllowUsers jim allows user jim to login through SSH. If you do not have to login from everywhere, you can make this more secure by restricting jim to an IP address (replace 1.2.3.4 with your actual IP address):
Changes to the configuration file /etc/ssh/sshd_config are not applied immediately; to reload the configuration, run:
+1: Note: these instructions are still applicable to newer versions of Ubuntu (e.g. 13.04). If you do want root login, however, (perhaps you’re still setting up the server), you must set PermitRootLogin to yes and also add root to AllowUsers .
@Lekensteyn I’ve found just adding a new user to Ubuntu itself creates an ssh account for that user. useradd -m -G sudo,adm -s /bin/bash mecharok and passwd mecharok
@Wolfpack’08 Use AllowUsers username1,username2 to restrict SSH logins to those users. Ensure that sshd is reloaded. If this does not help, please create a new question.
@Lekensteyn your command: AllowUsers username1,username2 has the wrong format and will lock you out of your server!! The correct command to set is: AllowUsers username1 username2
There will be clues in /var/log/auth.log for why SSH (or PAM) is rejecting the login attempt. Additional clues may be found by using the -v option with the ssh client. Several common situations, some mentioned in the other answers:
- the user account lacks a password, or is otherwise disabled (see man passwd , try resetting the password or checking the contents of /etc/shadow ).
- /etc/ssh/sshd_config is configured to disallow the login ( DenyUsers , AllowUsers , PasswordAuthentication , PubkeyAuthentication , UsePAM etc, see man sshd_config ).
- the user’s shell is not listed in /etc/shells .
- various permission problems on directories or files related to SSH operation: /etc/ssh , /home/jim/.ssh , /home/jim/.ssh/* , etc.
I’d also recommend using adduser (instead of useradd) for adding new users; it is a little more friendly about various default account settings.
As long as the user is not part of the admin group, they will not be able to sudo to root. For them to use su, you will need to set a root password ( passwd root ), after which I recommend setting PermitRootLogin=no in /etc/ssh/sshd_config .
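A small audit script, added here as an example (it is not part of any of the answers above), that applies the checks the first and third answers describe: ownership and group/world write bits, which sshd rejects under its default StrictModes, plus the recommended 700/600 modes. It assumes a Linux stat that accepts -c.

```shell
#!/bin/sh
# Audit the ownership and permission rules that sshd applies (StrictModes,
# on by default) before it will trust ~/.ssh/authorized_keys.
# Assumes GNU/busybox stat -c (Linux). Exit status: 0 = OK, 1 = problem found.

check_path() {
    # check_path PATH OWNER RECOMMENDED_MODE
    # Fails if the path is missing, owned by someone other than OWNER or
    # root, or writable by group/other. A mode that differs from the
    # recommended one (700 for .ssh, 600 for authorized_keys) is only noted.
    cp_path=$1 cp_owner=$2 cp_want=$3 cp_rc=0
    if [ ! -e "$cp_path" ]; then
        echo "MISSING  $cp_path"
        return 1
    fi
    cp_mode=$(stat -c '%a' "$cp_path")
    cp_who=$(stat -c '%U' "$cp_path")
    if [ "$cp_who" != "$cp_owner" ] && [ "$cp_who" != root ]; then
        echo "OWNER    $cp_path owned by $cp_who, expected $cp_owner"
        cp_rc=1
    fi
    # The last two octal digits are group and other; 2, 3, 6 or 7 carry the
    # write bit, which is exactly what sshd refuses to accept.
    cp_go=${cp_mode#"${cp_mode%??}"}
    case "$cp_go" in
        *[2367]*) echo "WRITABLE $cp_path mode $cp_mode is group/world writable"; cp_rc=1 ;;
    esac
    if [ -n "$cp_want" ] && [ "$cp_mode" != "$cp_want" ]; then
        echo "NOTE     $cp_path mode $cp_mode, recommended $cp_want"
    fi
    return $cp_rc
}

check_ssh_perms() {
    # check_ssh_perms HOMEDIR USER: check the home directory, .ssh and
    # authorized_keys in turn. Usage: check_ssh_perms /home/jim jim
    csp_status=0
    check_path "$1" "$2" ""                      || csp_status=1
    check_path "$1/.ssh" "$2" 700                || csp_status=1
    check_path "$1/.ssh/authorized_keys" "$2" 600 || csp_status=1
    return $csp_status
}
```

Run it as root (or as the user) after creating the account; every line it prints names one thing to fix before looking further into /var/log/auth.log.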
Creating a user and SSH keys
Copy SSH keys from one user to another:
sudo cp -r /home/USER1/.ssh /home/USER2/.ssh
sudo chown -R USER2:USER2 /home/USER2/.ssh
sudo chmod -R 700 /home/USER2/.ssh
The passphrase on a key can be changed with the command
ssh-keygen -f ~/.ssh/id_rsa_my_custom -p
Copying the public key to the server:
ssh-copy-id -i id_rsa.pub username@remote_host
When the previously created key id_rsa.pub is found, you will be prompted for the password of the remote user's account. The utility connects to the account on the remote host using that password. The contents of the key ~/.ssh/id_rsa.pub are then copied into the ~/.ssh directory of the remote account, into a file named authorized_keys.
After that you can check how the connection works with this key:
ssh -v -i ~/.ssh/id_rsa username@remote_host
- -i identity_file
- -v Prints debugging messages for ssh connection. The verbose mode is useful when troubleshooting configuration issues.
NOTES:
All permissions on /home/USER/.ssh must be 700 and the directory must belong only to the owning user
Commands for this:
sudo chown -R USER2:USER2 /home/USER2/.ssh
sudo chmod -R 700 /home/USER2/.ssh
Excerpt from the official documentation:
3. Copy id_dsa.pub to the server's .ssh directory
   scp $HOME/.ssh/id_dsa.pub user@server:/home/user/.ssh
4. Change to /root/.ssh and create file authorized_keys containing id_dsa content
   cd /home/user/.ssh
   cat id_dsa.pub >> authorized_keys
Command variants for working with SSH on Windows:
scp $HOME/.ssh/id_rsa.pub user@11.1.2.3:/home/user/.ssh
ssh-copy-id user@11.1.2.3
"C:\Program Files\PuTTY\pscp.exe" C:/Users/user/.ssh/id_rsa.pub user@11.1.2.3:/home/user/.ssh
"C:\Program Files\PuTTY\pscp.exe" C:/Users/user/.ssh/id_rsa user@11.1.2.3:/home/user/.ssh
type public_id | "C:\Program Files\PuTTY\plink.exe" user@11.1.2.3 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys"
# Common problems
If ssh asks for a password even though you have already supplied the SSH key, the first thing to do is check how the connection proceeds:
ssh -vT git@YOUR_HOST_OR_GIT_REPO
After this you will see that you have most likely supplied the wrong key, and then you can add the key in the settings of the git repository;
the git repository needs its own key format, which puttygen produces.
Create New User And Add SSH Login In Linux Server
In this tutorial, I will discuss how to ssh into a server using the terminal. If you are a Linux administrator or a DevOps engineer, you always need to be concerned about the security of your Linux web server, so here is how to make it more secure.
As every Linux user knows, a Linux server has a default root user. An attacker can easily guess that the root account exists and try to break into the system.
However, if we disable root login, guessing the root user no longer helps. So let's see how to create a new user and disable root login on a Linux server.
Create a new admin user in Linux
# ssh with root user
$ ssh root@YOUR_SERVER_IP
# create alternate user called admin
$ useradd -m -d /home/admin admin
# make sure home directory created and has user permissions
$ ls -lad /home/admin
# update new user password
$ passwd admin
# add sudoer permission to new user
# (visudo validates the syntax; a malformed /etc/sudoers breaks sudo for everyone)
$ echo 'admin ALL=(ALL) ALL' >> /etc/sudoers
# now exit the terminal and make sure you
# can ssh with new admin user before you disable root login
$ exit
Disable ssh login for the root user in Linux
Once we have a new sudo user created from the above command then we will disable ssh login for our root user.
$ ssh root@YOUR_SERVER_IP
# once confirmed log in as root and open following file
$ nano /etc/ssh/sshd_config
# find the PermitRootLogin line and change it to
PermitRootLogin no
# save your changes and restart the ssh
$ sudo service sshd restart
# now logout and try to login with root user
# it should not allow ssh for root user
$ exit
$ ssh root@YOUR_SERVER_IP
# if above step works then try login with
# newly created admin user to login via ssh
$ ssh admin@YOUR_SERVER_IP
# exit the server
$ exit
But remember that you will still want to act as root at times. If you want to perform root-level operations as the new admin user, you have to switch to root and run the commands as that user, like below:
# login using admin user
$ ssh admin@YOUR_SERVER_IP
# try to switch with root user
# enter root password
$ su    # su means "switch user"
How to create a new user with ssh access?
Finally I logged in as the user and copied my public ssh key into the ~/.ssh/authorized_keys file. But I still get Permission denied (publickey) when I try to ssh as that user.
Probably permissions problems. What are the permissions of the home directory of that user, what are the permissions of ~/.ssh directory and the ~/.ssh/authorized_keys file in the users home directory? Where is the private key of that user used to authentication?
The ~/.ssh directory has drwxrwxr-x . The ~/.ssh/authorized_keys has -rw-rw-r-- . The remote user has an ssh key in the ~/.ssh directory and so does my local user.
I’m not sure what to make of it. This is the end of the log that appears when I run ssh -vvv
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
1 Answer
- Run ssh -vvv to see a lot of debugging output. If you post a question asking why you can’t connect with ssh, include this output (you may want to anonymize host and user names).
- If you can, check the server logs, typically in /var/log/daemon.log or /var/log/auth.log or similar.
- If public key authentication isn’t working, check the permissions again, especially the group bit (see above).