Ubuntu 16.04 - Creating New User and Adding SSH Keys

June 24, 2017 2.1k views
Linux Basics Linux Commands Nginx Ubuntu 16.04

I am following the tutorial to add an SSL certificate to the Ubuntu 16.04 droplet, but in the instructions it is recommended this is not done through the root user, but rather a super user. As a result, I created a separate user and added it to a super user group, but I'm getting hung up on the step that adds ssh keys to this user.

First, I should switch to the user via su - *username*, which should take you to the /home directory of the user. When I check the path with pwd it shows /home, but when I run who I am shown as the root user. Is this the correct behavior since I'm still technically logged in under root, but sudoing into this user?

I am then asked to create the ~/.ssh/id_rsa.pub with my ssh-key, but it already exists when I run the commands. Side note: I created this user a while back and may have added them then, but not sure. I decided to move on since they exist.

I tried to ssh into my user and it successfully connects, but then immediately closes. Any reason why that might be? Any help to point me in the right direction would be great!

ssh username@111.111.1.11
ghost@111.111.1.11's password: 
Welcome to Ubuntu 16.04

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as 

  System load:  0.08               Processes:           76
  Usage of /:   19.8% of 19.56GB   Users logged in:     0
  Memory usage: 42%                IP address for: 111.111.1.11
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Fri Jun from xxx.x.xx.x.x.x
Connection to 111.111.1.11 closed.
2 Answers
jtittle MOD June 24, 2017
Accepted Answer

@connordphillips

The root user is a super user and the only real super user on the OS by default. You can add sudo users which have permission to escalate to root after authenticating, though root is still a super user :-).

When you run commands as the sudo user, if you escalate to root using su, you become root, so when you check your home directory, it might not be what you expect. You'll want to run commands using sudo:

sudo mycommand arg1 arg2 etc

You'll authenticate and then won't need to re-authenticate for a period of time. By doing this, you'll ensure that commands that you run specific to the user are as expected.

...

For example, if I'm logged in as root and create a sudo user, I normally set and create their home directory at the same time.

i.e.

Create Home Directory + .ssh Directory

mkdir -p /home/mynewuser/.ssh

Create Authorized Keys File

touch /home/mynewuser/.ssh/authorized_keys

Create User + Set Home Directory

useradd -d /home/mynewuser mynewuser

Add User to sudo Group

usermod -aG sudo mynewuser

Set Permissions

chown -R mynewuser:mynewuser /home/mynewuser/
chown root:root /home/mynewuser
chmod 700 /home/mynewuser/.ssh
chmod 644 /home/mynewuser/.ssh/authorized_keys

Set Password on User

If you want to be able to log in as the user without an SSH key, setting a password will allow that, as long as PasswordAuthentication is enabled in /etc/ssh/sshd_config.

passwd mynewuser

...

You can check the users home directory by running:

echo $HOME

... while logged in as the user. If you echo $PWD, it'll give you the current path to the directory that you're currently in. So if I ran cd /home, running:

echo $PWD

... will give me /home. If my home directory is /home/mynewuser, then $HOME will give me that directory :-).

...

From there, you'll log in as the user and create your SSH key. I generally use a heavier key with more KDF rounds, though it can delay login by a few seconds to minutes depending on how many KDF rounds you use.

For example, to generate an RSA key, I'd use:

ssh-keygen -a 1000 -b 4096 -C "" -E sha256 -o -t rsa

For an ED25519 key, I'd use:

ssh-keygen -a 1000 -C "" -E sha256 -o -t ed25519

-a - KDF Rounds (key derivation function)
-b - Bit size (applies to RSA, but not ED25519)
-C - Sets the comment on the key to be blank
-E - Sets the key hash used (sha256 is default)
-o - Uses new OpenSSH format for keys
-t - Specifies the type of key (RSA/ED25519)

...

With 1,000 KDF rounds, the key takes a few seconds to generate when you use a passphrase, and it will take a few seconds to log in as well. Using KDF generates a more secure key, though you have to be careful as setting it too high will definitely cause severe delays when trying to log in (i.e. 20,000 rounds will take an average of 2-4 minutes to generate and the same to log in).

Once your public/private key are generated, place the public key in:

/home/mynewuser/.ssh/authorized_keys

Download the private key locally and then remove both from the server as they are no longer needed. The public key only needs to exist in the file above and you shouldn't keep your private key on the server :-).

@jtittle thank you for the detailed rundown. I am now better aware of the file structure and what the commands mean. I believe I originally misspoke when I said additional users could be super users and really meant sudo users.

So I checked out the home directory and found /home/mynewuser. I had created this user a while back when I ran into a server issue and was planning on picking up from here. This directory did not have a .ssh folder so I created one and added an authorized_keys file with my public key that I copied off of my local machine. From there I followed your set permissions command and then tried to login with the new user ssh mynewuser@111.111.1.11, but after I successfully log into the server, the connection closes almost simultaneously. Connection to 111.111.1.11 closed. is the message I receive. Can you think of a reason why that might be? I checked my root key and can confirm that it is the same as the key used by mynewuser so I am surprised it wouldn't work.

Should I try creating a new user and running through these commands?

  • @connordphillips

    I've seen this happen when a user's home directory doesn't exist, though not when it does.

    Just to be sure that something didn't go wrong with the initial setup, try creating another user using the guide I provided. Please follow the steps in order, top to bottom :-).

    That'll rule out issues with the home directory and from there, if the issue persists on a newly created user, I would check auth.log to see if there's a log that can be more useful. We can check the log using:

    tail -20 /var/log/auth.log
    

    Feel free to post the output to a code block or PasteBin:

    https://pastebin.com

    I'd be more than happy to take a look at it for you.

    ...

    As a general security precaution, I'd recommend using a different SSH key for every user. If you don't want to keep up with that many keys, at least make sure the root key is not used by any other user on the system.

    That said, I would recommend making sure a sudo user is setup and confirmed working (i.e. can escalate and run root commands) and then lock the root account altogether. As long as you can use sudo, you won't need root.
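As an added worked version of the procedure in the accepted answer (example code written for this page, not part of the original thread or of the tutorial the question refers to): the "create home + .ssh, install authorized_keys, set permissions" steps as reusable shell functions, plus a checker that emulates what sshd's StrictModes (on by default) requires of the home directory, ~/.ssh and authorized_keys before it will accept a key. Assumptions: the public key was generated on the client machine and copied up as a file; the user name mynewuser, the constructed key line and the scratch directory are illustrative; useradd's -s /bin/bash is an addition so the account gets an interactive shell. The home directory is left owned by the user, which is what useradd -m produces.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer. The demo at the bottom runs
# in a scratch directory without root; create_sudo_user is for a real run
# as root and is not called by the demo.
set -euo pipefail

# Append one OpenSSH public key to $home/.ssh/authorized_keys and apply the
# modes from the answer's "Set Permissions" step (600 on the file is stricter
# than the answer's 644; both satisfy StrictModes). $owner (user:group) is
# optional so the function can be exercised unprivileged.
install_authorized_key() {
  local home="$1" pubkey="$2" owner="${3:-}"
  # Refuse anything that is not a public-key line, so a private key or an
  # empty file pasted by mistake is not silently appended.
  grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pubkey" \
    || { echo "not an OpenSSH public key: $pubkey" >&2; return 1; }
  mkdir -p "$home/.ssh"
  cat "$pubkey" >> "$home/.ssh/authorized_keys"
  chmod 700 "$home/.ssh"
  chmod 600 "$home/.ssh/authorized_keys"
  if [ -n "$owner" ]; then chown -R "$owner" "$home/.ssh"; fi
}

# Emulate the mode checks sshd performs with StrictModes yes: the home
# directory, ~/.ssh and authorized_keys must exist and must not be writable
# by group or other. Prints each problem; returns 1 if any was found.
# (sshd also requires these to be owned by the user or root; ownership is
# not checked here so the function works in an unprivileged scratch dir.)
check_ssh_perms() {
  local home="$1" rc=0 p mode
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$p" ]; then
      echo "missing: $p"; rc=1; continue
    fi
    mode=$(stat -c '%a' "$p")          # octal mode, e.g. 700
    if (( 8#$mode & 8#022 )); then     # group or other write bit set
      echo "group/other-writable ($mode): $p"; rc=1
    fi
  done
  return $rc
}

# The answer's steps in order, for a real run as root:
#   create_sudo_user mynewuser /root/mynewuser.pub
create_sudo_user() {
  local user="$1" pubkey="$2" home="/home/$1"
  useradd -m -d "$home" -s /bin/bash "$user"   # -m creates the home owned by the user
  usermod -aG sudo "$user"
  install_authorized_key "$home" "$pubkey" "$user:$user"
  check_ssh_perms "$home"
}

# Demo in a scratch directory with a constructed (not real) ed25519 public
# key line: a correct setup passes, a group-writable ~/.ssh is rejected.
demo() {
  local tmp home
  tmp=$(mktemp -d)
  home="$tmp/home/mynewuser"
  mkdir -p -m 755 "$home"
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotRealxxxxxxxxxxxxxxxxxxxxxxxxxx\n' \
    > "$tmp/mynewuser.pub"
  install_authorized_key "$home" "$tmp/mynewuser.pub"
  check_ssh_perms "$home" && echo "ok: $home passes the StrictModes mode checks"
  chmod g+w "$home/.ssh"
  check_ssh_perms "$home" || echo "rejected, as sshd would: fix with chmod 700 $home/.ssh"
  rm -rf "$tmp"
}
demo
```

On a real server, run the root-only path by hand after copying the public key up from the client: `create_sudo_user mynewuser /root/mynewuser.pub`. If a key is still refused, run `check_ssh_perms /home/mynewuser` as root, and pair it with the auth.log check the answer suggests, since sshd logs the reason it rejected a key there.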
