Create a new SSH user on Ubuntu Server
My problem lies with the first two items. I’ve already found useradd but for some reason, I can’t log in as a user created with it over SSH. Do I need to beat SSHd to allow this?
Hi! I can help you with servers. I don’t know what your problem with SSH is, because for me the default config never refuses my connection. You may see man 5 nologin; it says that if /etc/nologin exists, you can log in as root only. Try logging in normally, then write the results.
What’s the user’s shell? Is it /bin/bash? Check that out in /etc/passwd. Make sure it’s not /dev/null or /bin/false.
@B. Roland I do have a /etc/nologin file but it’s empty. I deleted it and restarted ssh, but it’s still just responding "Permission denied, please try again." when I try to log in.
SSH is very picky about the directory and file permissions. Make sure that:
- The directory /home/username/.ssh has permission 700 and is owned by the user (not root!)
- The file /home/username/.ssh/authorized_keys has permission 600 and is owned by the user
Copy your public key into the authorized_keys file.
sudo chown -R username:username /home/username/.ssh
sudo chmod 0700 /home/username/.ssh
sudo chmod 0600 /home/username/.ssh/authorized_keys
There is NO need to add the user to /etc/ssh/ssh_config.
My problem was that I was trying to use /root/.ssh/authorized_keys instead of /home/bob/.ssh/authorized_keys.
I can confirm: on our VPS hosting there was no need to edit ssh_config. Setting up that directory and file was enough.
Much easier to log in as the user (or sudo su --login
Edit (as root) /etc/ssh/sshd_config. Append the following to it:
Port 1234
PermitRootLogin no
AllowUsers jim
Port 1234 causes SSH to listen on port 1234. You can use any unused port from 1 to 65535. It’s recommended to choose a privileged port (port 1-1024) which can only be used by root. If your SSH daemon stops working for some reason, a rogue application can’t intercept the connection.
PermitRootLogin disallows direct root login.
AllowUsers jim allows user jim to login through SSH. If you do not have to login from everywhere, you can make this more secure by restricting jim to an IP address (replace 1.2.3.4 with your actual IP address):
Changes to the configuration file /etc/ssh/sshd_config are not applied immediately; to reload the configuration, run:
+1: Note: these instructions are still applicable to newer versions of Ubuntu (e.g. 13.04). If you do want root login, however, (perhaps you’re still setting up the server), you must set PermitRootLogin to yes and also add root to AllowUsers.
@Lekensteyn I’ve found just adding a new user to Ubuntu itself creates an ssh account for that user. useradd -m -G sudo,adm -s /bin/bash mecharok and passwd mecharok
@Wolfpack’08 Use AllowUsers username1,username2 to restrict SSH logins to those users. Ensure that sshd is reloaded. If this does not help, please create a new question.
@Lekensteyn your command: AllowUsers username1,username2 has the wrong format and will lock you out of your server!! The correct command to set is: AllowUsers username1 username2
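The AllowUsers format trap and the lockout risk discussed in this answer and its comments, as an added shell check (not code from the thread): it reads an sshd_config, flags commas in AllowUsers, a PermitRootLogin that is not "no", and an AllowUsers list that omits the account you are logged in as. The config path and username are arguments; GNU sed/awk as on Ubuntu are assumed.

```shell
#!/bin/sh
# Check an sshd_config for the mistakes discussed above before reloading sshd:
# comma-separated AllowUsers (sshd wants spaces; a comma becomes part of the
# username, so nobody matches), PermitRootLogin left on, and an AllowUsers
# list that omits the account you are logged in as (instant lockout).
# Usage: check_sshd_config /etc/ssh/sshd_config jim   -> exit status = problem count
check_sshd_config() {
    cfg="$1"; me="$2"; problems=0
    # Drop comments and blank lines so commented-out examples are ignored.
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$cfg")

    if printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*AllowUsers[[:space:]].*,'; then
        echo "ERROR: AllowUsers uses commas; separate users with spaces"
        problems=$((problems + 1))
    fi

    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no[[:space:]]*$'; then
        echo "WARN: PermitRootLogin is not set to no"
        problems=$((problems + 1))
    fi

    # Collect every AllowUsers pattern (user or user@host) and make sure $me
    # (a plain username, no regex metacharacters) is among them.
    allowed=$(printf '%s\n' "$body" | awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }')
    if [ -n "$allowed" ] && [ -n "$me" ]; then
        if ! printf '%s\n' "$allowed" | grep -Eq "^($me|$me@.*)$"; then
            echo "ERROR: AllowUsers is set but '$me' is not listed; you would lock yourself out"
            problems=$((problems + 1))
        fi
    fi
    # Still run 'sshd -t' for a syntax check before reloading the service.
    return "$problems"
}

# Only runs when invoked directly with a config path: ./check.sh /etc/ssh/sshd_config jim
if [ "$#" -ge 1 ]; then
    check_sshd_config "$1" "${2:-$(id -un)}"
fi
```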
There will be clues in /var/log/auth.log for why SSH (or PAM) is rejecting the login attempt. Additional clues may be found by using the -v option with the ssh client. Several common situations, some mentioned in the other answers:
- the user account lacks a password, or is otherwise disabled (see man passwd, try resetting the password or checking the contents of /etc/shadow).
- /etc/ssh/sshd_config is configured to disallow the login (DenyUsers, AllowUsers, PasswordAuthentication, PubkeyAuthentication, UsePAM etc, see man sshd_config).
- the user’s shell is not listed in /etc/shells.
- various permission problems on directories or files related to SSH operation: /etc/ssh, /home/jim/.ssh, /home/jim/.ssh/*, etc.
I’d also recommend using adduser (instead of useradd) for adding new users; it is a little more friendly about various default account settings.
As long as the user is not part of the admin group, they will not be able to sudo to root. For them to use su, you will need to set a root password (passwd root), after which I recommend setting PermitRootLogin=no in /etc/ssh/sshd_config.
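The ownership and permission checks that both the permissions answer and this troubleshooting answer describe, gathered into one added shell audit (not code from either answer). It takes the home directory and expected owner as arguments, assumes GNU coreutils stat as on Ubuntu, and also covers private keys stored in the user's .ssh directory.

```shell
#!/bin/sh
# Audit the ownership and mode bits that both answers say sshd is picky about.
# Assumes GNU coreutils (stat -c), as on Ubuntu. Usage: audit_ssh_perms /home/jim jim
# Exit status is the number of problems found, so 0 means the layout is clean.
audit_ssh_perms() {
    home="$1"; user="$2"; problems=0

    # check PATH ALLOWED_MODE_GLOB DESCRIPTION: flags a missing path, a wrong
    # owner, or a mode outside the allowed pattern.
    check() {
        if [ ! -e "$1" ]; then
            echo "MISSING  $1"; problems=$((problems + 1)); return 0
        fi
        mode=$(stat -c '%a' "$1"); owner=$(stat -c '%U' "$1")
        if [ "$owner" != "$user" ]; then
            echo "OWNER    $1 belongs to $owner, not $user"; problems=$((problems + 1))
        fi
        case "$mode" in
            $2) ;;
            *) echo "MODE     $1 is $mode, want $3"; problems=$((problems + 1)) ;;
        esac
    }

    # A group- or world-writable home makes sshd ignore authorized_keys
    # entirely (StrictModes yes is the default).
    check "$home"                      '7[0-5][0-5]' '755 or stricter'
    check "$home/.ssh"                 '700'         '700'
    check "$home/.ssh/authorized_keys" '600'         '600'
    # Private keys living on this host must not be readable by anyone else either.
    for key in "$home"/.ssh/id_*; do
        [ -e "$key" ] || continue
        case "$key" in *.pub) continue ;; esac
        check "$key" '600' '600'
    done
    return "$problems"
}

# Only runs when invoked directly: ./audit.sh /home/jim jim
if [ "$#" -ge 2 ]; then
    audit_ssh_perms "$1" "$2"
fi
```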
Creating a new user with an SSH key on Linux
The various steps to successfully setup a new user with the best security.
Posted at March 1, 2021 by Nicholas C. Zakas
First, create a new user with useradd :
sudo useradd -m -d /home/username -s /bin/bash username
Next, set the user’s password:
Then, copy the contents of the user’s public key into /home/username/.ssh/authorized_keys. This is a plain text file where you can paste one public key per line.
After that, set up the correct permissions for both the .ssh directory and the authorized_keys file:
# ensure the directory is owned by the new user
chown -R username:username /home/username/.ssh
# make sure only the new user has permissions
chmod 700 /home/username/.ssh
chmod 600 /home/username/.ssh/authorized_keys
Last, if you want the new user to have sudo access, be sure to add them to the sudo group:
sudo usermod -a -G sudo username
If you don’t have a sudo group, you can manually edit the /etc/sudoers file.
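The authorized_keys step of the procedure above as an added shell function (not the post's own code): it validates that the pasted line really is a public key, refuses to add a key that is already present, and applies the 700/600 permissions and ownership the post calls for. The home path and key line are arguments, GNU coreutils stat is assumed, and the key in the usage comment is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Install one public key into a user's authorized_keys the way the post
# describes, but idempotently and with validation. Assumes GNU coreutils
# (stat -c) as on Ubuntu. Usage: install_pubkey /home/username 'ssh-ed25519 AAAA... comment'
install_pubkey() {
    home="$1"; key="$2"
    type=$(printf '%s' "$key" | awk '{ print $1 }')
    blob=$(printf '%s' "$key" | awk '{ print $2 }')

    # Only accept a key type sshd knows and a base64 blob: a stray line of
    # shell text or a pasted private key must never land in authorized_keys.
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "refusing: unknown key type '$type'" >&2; return 1 ;;
    esac
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' \
        || { echo "refusing: key blob is not base64" >&2; return 1; }

    dir="$home/.ssh"; ak="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$ak" && chmod 600 "$ak"

    # Match on type and blob only; the trailing comment is free text and may differ.
    if awk -v t="$type" -v b="$blob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$ak"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$ak"

    # When run as root (the usual case), hand the directory to the home's
    # owner so sshd's StrictModes check passes.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$(stat -c '%U' "$home"):" "$dir"
    fi
    echo "installed"
}

# Only runs when invoked directly: ./install_pubkey.sh /home/username "$(cat key.pub)"
if [ "$#" -ge 2 ]; then
    install_pubkey "$1" "$2"
fi
```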
how do you create an ssh key for another user?
I’m trying to create an ssh key for another user. I’m logged in as root. Can I just edit the files generated by ssh-keygen and change root to the user I want?
If you generate the key for the user, you also have to have a secure method of getting the private key and its passphrase to the user. Much better for the user to generate the key and then just email you the public key.
But isn’t that difficult if you don’t allow password logins? If I am key-only, and I set up a new user, they can’t log in to set up their key.
I don’t have enough rep to make an answer, so I made a gist, which is a small script to create a user, generate an ssh key, copy that public key to ~/.ssh/authorized_keys and then zip it to send to them. gist.github.com/robmsmt/b8300e7a0d711a7616e948a8232289a5
You could do that with ssh-keygen; however, remember that the private key is meant to be private to the user, so you should be very careful to keep it safe, as safe as the user’s password. Or even safer, as the user is not likely to be required to change it upon first login.
ssh-keygen -f anything creates two files in the current directory. anything.pub is the public key, which you could append to the user’s ~/.ssh/authorized_keys on any destination server.
The other file, just called anything, is the private key and therefore should be stored safely for the user. The default location would be ~username/.ssh/id_rsa (here named id_rsa, which is the default for RSA keys). Remember that the .ssh directory cannot be readable or writeable by anyone but the user, and the user’s home directory cannot be writeable by anyone but the user. Likewise, permissions must be tight on the private key as well: read/write for only the user, and the .ssh directory and private keyfile must be owned by the user.
Technically you could store the key anywhere. With ssh -i path/to/privatekey you could specify that location, while connecting. Again, proper ownership and permissions are critical and ssh will not work if you don’t have them right.