Related

Server setup for multiple wordpress installs thats secure Question Question
Does Digital Ocean provide NTP service to customer VMs? Question Question

Question

How to enable SSH access for non root users

Posted August 11, 2019 22.6k views
Initial Server Setup

Following the recommendations in online forums, I have configured my new Ubuntu server so that root can only be accessed via my private key.

My understanding is that I’m also supposed to create a different user account that will be used to handle root-like tasks via elevated privileges and sudo. I can create that account with appropriate privileges, but the server will not allow me to connect via SSH. The only way I can use the other account to access the server is via the Digital Ocean console. The console does not play well with my Mac’s external keyboard.

What do I need to do to enable SSH connections to other accounts? I have found instructions online which suggest changing PermitRootLogin from ‘no’ to 'yes,’ but that seems to defeat the point of using an encrypted key to control root access. I cannot find instructions which explain how to allow password authentication for everyone EXCEPT the root user.

Add a comment
adelwich
By:
adelwich

Related

Server setup for multiple wordpress installs thats secure Question Question
Does Digital Ocean provide NTP service to customer VMs? Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
7 answers
KFSys August 11, 2019

Hi adelwhich,

You’ll need to create a user and add it to the sudoers group

You’ll start by creating the user by using the adduser command

sudo adduser exampleuser

Then use the usermod command to add the user to the sudo group

sudo usermod -aG sudo exampleuser

You can use test if everything was done correctly by using the su command

sudo su - username

Once you are run you can execute something like:

sudo ls -la /etc/www/html
If the directory is listed then you are good to go.

There is something I like to point it. If you add your users to the sudoers group, they’ll have access to all files on your server.

Now to allow SSH access to a certain user

Edit sshd_config file:

sudo vi /etc/ssh/sshd_config

dd or edit the following line:

AllowUsers exampleuser

Replace “exampleuser” with your username. You can also specify more than one user as shown below.

AllowUsers exampleuser testuser

To allow an entire group, say for example root, add/edit the following line:

AllowGroups root

Those who are in the “root” group can be able to ssh to the remote server.

Save and quit the SSH config file. Restart SSH service to take effect the changes.

sudo systemctl restart sshd

Kind regards,
Kalin D.

Reply Report
DigitalJim April 23, 2020

@KDSys

I just followed your advice, and now I can’t login with my created user nor root… Wtf!? 😢

Reply Report
adelwich August 11, 2019

I did go ahead and change PasswordAuthentication to yes, but I’m concerned that this might be the wrong way to do it.

Reply Report
adelwich August 12, 2019

Thanks, Kalin!

Reply Report
398724891 September 17, 2020

Assuming that you’ve added a non-root user named ‘test’ on remote server and you can ssh to it as root user, here are the steps to enable ssh as 'test’:

(root) cp /root/.ssh/authorized_keys /home/test/.ssh/authorized_keys
(root) chown test/home/test/.ssh/authorized_keys
(root) su test
(test) chmod 600 /home/test/.ssh/authorized_keys
Reply Report
linuxfreak November 28, 2020

Assuming that you created a normal user named “pandora”

(root) mkdir /home/pandora/.ssh
(root) nano /home/pandora/.ssh/authorizedkeys (copy original public key)
(root) chown -R pandora:pandora /home/pandora/.ssh
(root) chmod 600 /home/pandora/.ssh/authorizedkeys

(root) nano /etc/sudoers (check if the wheel group has permit to use sudo)
(root) usermod -aG wheel pandora (adding pandora to group wheel for sudo access)

Now connect to your server with user pandora using your public key without disconnect root user. If everything is okay, follow this commands:

(root) nano /etc/ssh/sshd_config

Find the line “PermitRootLogin yes” and replace with “PermitRootLogin no”

Save and restart ssh deamon.

(root) systemctl restart sshd

You will now be able to connect to your server via ssh with normal user.

Reply Report
sebastiengrans March 20, 2021

Also there is something to do at: /etc/passwd specify the user space for logged user and shell.

Reply Report

Related

Looking for something else?

Ask a new question Search for more help