Create a new SSH user on Ubuntu Server

Question

Just created a new virtual Ubuntu server and I'm in the process of hardening it for production use. I currently have a root account. I want to do the following:

Create a new user (let's call them jim for the rest of this). I want them to have a /home/ directory.
Give jim SSH access.
Allow jim to su to root but not perform sudo operations.
Turn off root SSH access.
Move SSHd off to a non-standard port to help stop brute-attacks.

My problem lies with the first two items. I've already found useradd but for some reason, I can't log in as a user created with it over SSH. Do I need to beat SSHd to allow this?

score 145 · Answer 1 · answered Mar 01 '14 at 17:32

SSH is very picky about the directory and file permissions. Make sure that:

The directory /home/username/.ssh has permission "700" and is owned by the user (not root!)
The /home/username/ssh/authorized_keys has permission "600" and is owned by the user

Copy your public key into the authorized_keys file.

sudo chown -R username:username /home/username/.ssh
sudo chmod 0700 /home/username/.ssh
sudo chmod 0600 /home/username/.ssh/authorized_keys

There is NO need to add the user to /etc/ssh/ssh_config.

Lekensteyn · Accepted Answer · 2012-11-06T20:24:02.950

Edit (as root) /etc/ssh/sshd_config. Append the following to it:

Port 1234
PermitRootLogin no
AllowUsers jim

Port 1234 causes SSH to listen on port 1234. You can use any unused port from 1 to 65535. It's recommended to choose a privileged port (port 1-1024) which can only be used by root. If your SSH daemon stops working for some reason, a rogue application can't intercept the connection.

PermitRootLogin disallows direct root login.

AllowUsers jim allows user jim to login through SSH. If you do not have to login from everywhere, you can make this more secure by restricting jim to an IP address (replace 1.2.3.4 with your actual IP address):

AllowUsers jim@1.2.3.4

Changes to the configuration file /etc/ssh/sshd_config are not immediately applied, to reload the configuration, run:

sudo service ssh reload

score 15 · Answer 3 · answered Dec 11 '10 at 07:15

There will be clues in /var/log/auth.log for why SSH (or PAM) is rejecting the login attempt. Additional clues may be found by using the -v option with the ssh client. Several common situations, some mentioned in the other answers:

the user account lacks a password, or is otherwise disabled (see man passwd, try resetting the password or checking the contents of /etc/shadow).
/etc/ssh/sshd_config is configured to disallow the login (DenyUsers, AllowUsers, PasswordAuthentication, PubkeyAuthentication, UsePAM etc, see man sshd_config).
the user's shell is not listed in /etc/shells.
various permission problems on directories or files related to SSH operation: /etc/ssh, /home/jim/.ssh, /home/jim/.ssh/*, etc.

I'd also recommend using adduser (instead of useradd) for adding new users; it is a little more friendly about various default account settings.

As long as the user is not part of the admin group, they will not be able to sudo to root. For them to use su, you will need to set a root password (passwd root), after which I recommend setting PermitRootLogin=no in /etc/ssh/sshd_config.

score 11 · Answer 4 · edited Jun 11 '13 at 17:13

11

I could be wrong but I always have to install the server daemon before I can connect (At least on desktop) ssh is installed by default but that is just the client

this command installs the server

sudo apt-get install openssh-server

You can change the port and stop root login by editing

/etc/ssh/sshd_config

This requires you to restart the service though.

sudo service ssh restart

edited Jun 11 '13 at 17:13

Community

1

answered Dec 08 '10 at 16:48

Matt Mootz

569

score 10 · Answer 5 · answered Dec 08 '10 at 18:24

Jim will not have SSH access until you have set a password. As root execute:

grep -i "jim" /etc/shadow | awk -F':' '{ print $2 }'

If this command returns a "!" character then login is disabled for this account. Executing passwd jim as root will prompt you for a new and confirmed password string after which the grep command above should return a hashed string representing the password for jim.

Also be sure to verify that jim has a login shell, set by default, and a home directory that exists.

Please note lekensteyn's post for information on modifying SSH server settings.

score 5 · Answer 6 · edited Feb 14 '18 at 01:46

In my case I had a group which was allowed access and the user was not part of it. This solved it for me.

Using the example above with the user jim and assume member of group jim as it's only group (issue groups command while logged in as jim to find groups you are a part of). In my /etc/ssh/sshd_config file I had AllowGroups sshusers entry and thus needed to add jim to the sshusers group. Below is how this would be accomplished:

usermod -a -G sshusers jim

Replace your group and user as appropriate for your configuration.

score 2 · Answer 7 · answered Jul 31 '21 at 14:16

2

Simple note:

The public key should be written inside this file:

/home/newUsername/.ssh/authorized_keys

answered Jul 31 '21 at 14:16

Masih Jahangiri

121

score 0 · Answer 8 · answered Nov 13 '18 at 21:22

@Lekensteyn I'm unable to leave a comment to the question answer because I don't have the reputation - but I tried appending

AllowUsers existingUser,newUser

to my /etc/ssh/sshd_config file and now I can no longer ssh with both my existingUser or the newUser.

score 0 · Answer 9 · answered Aug 24 '17 at 15:05

0

There might be some instances that the PasswordAuthentication is disabled by default.

Kindly check /etc/ssh/sshd_config and ensure that the PasswordAuthentication attribute is set to yes.

answered Aug 24 '17 at 15:05

Aldee

101

Create a new SSH user on Ubuntu Server

9 Answers9

Simple note:

Linked