How To Create An SSH-Enabled User With Public Key Authentication On Linux

Introduction

If you are reading this you are struggling to create an SSH-enabled user on your Linux and are looking for a way to solve this. Don't search any longer, you are at the right place!

Within this tutorial, I will show you how to set up a user on your Linux and enable SSH login using PublicKey authentication.

Prerequisite

To add an SSH-enabled user the user needs an SSH Key pair which can be generated with the following procedure on a Linux system:

Run ssh-keygen command and provide the type of the key by appending -t and the length of the key by appending -b. To create an RSA key and specify a length of 2048 bits use this:

ssh-keygen -b 2048 -t rsa

After running this command the CLI will prompt you to enter a path to a file which will be used to save the key. It defaults to /home/your_username/.ssh/id_rsa. Adjust the path to your needs and hit enter.

In the next step, you will be prompted to enter a passphrase which is not mandatory but should be used to protect the private key against unauthorized use. Enter your private passphrase and hit enter to generate the key.

After the process is finished you can find the SSH key pair in your selected folder:

.rwx------ 1,8k your_username  5 Mai  2023 󰌆 id_rsa
.rwx------  389 your_username  5 Mai  2023 󰷖 id_rsa.pub

Add SSH-enabled User To Your Linux System

If the new user has an SSH key pair you can log into your Linux system to start adding the user to the server.

The process to create a new user is straightforward:

1. Become the root user by typing: su root and providing the root password.
2. Create the new user with the useradd command: useradd new_user
3. Now set a password for the user (otherwise it becomes locked): passwd new_user
4. Create a .ssh directory within the new user's home directory: mkdir -p /home/new_user/.ssh
5. Create a file called authorized_keys within the .ssh directory and save the public key of the new user.
6. Change the owner/group of the home directory to the new user: chown -R new_user:new_user /home/new_user
7. Set the correct permissions for the .ssh folder: chmod 700 .ssh
8. Set the correct permissions for the authorized_keys file: chmod 600 authorized_keys
9. Restart the SSH daemon on your server: service sshd restart

Enable SUDO commands for a User

Enabling SUDO can be done in two different ways: Using visudo or adding the user to the SUDO group.

Using visudo command to append the user

To enable sudo command for the previously created user you have to edit the /etc/sudoers file by using the visudo command.

To do this, execute visudo (as root) and search the following line: %opc ALL=(ALL) NOPASSWD: ALL. Then append % new_user_group ALL=(ALL)

If you want to avoid entering the password every time you run a command with sudo you can also append NOPASSWD: ALL

To close visudo press CTRL+X and save your changes by pressing Y.

Add the user to the sudo group

To add the user to the sudo group you have to use the usermod command which should be executed as root (or with sudo):

usermod -aG sudo new_user

Executing this command will add new_user to the sudo group granting full sudo privileges.

Troubleshooting

Normally, if you followed this guide, you should be able to log in as a new user by executing:

ssh new_user@ip -i is_rsa

If for any reason this does not work try any or all of the following steps:

Check SSH Logs

On Debian/Ubuntu: tail -f /var/log/auth.log

On RedHat/CentOS: tail -f /var/log/secure

Verify the SSH Configuration

If you cannot connect, check the sshd_config for the following values:

1. PubkeyAuthentication yes
2. AuthorizedKeysFile %h/.ssh/authorized_keys
3. DenyUsers or AllowUsers directives should not block the new_user name and if used should allow the new user

Error: User new_user not allowed because account is locked

If you see this message within the SSH logs it means that the user is locked because it was disabled or locked due to some administrative policy.

1. First, check the account status by using: passwd -S new_user. If locked the result should show new_user L... where the L indicates it is locked.
2. Unlock the user account: passwd -u new_user
3. Check the account status (again): passwd -S new_user

Closing Notes

Having SSH access with public key authentication to your server is mandatory if managing a Linux server. Knowing how to set it up yourself is therefore a vital skill. By following my guide, you should have learned how to configure your SSH access with public key authentication which will enhance security using SSH and improve ease of use.

Hopefully, this article was easy to understand and you learned to set up SSH public key authentication for your server.

Do you have any questions regarding SSH and public key authentication? Or do you have any feedback? I would love to hear it, your thoughts and answer all your questions. Please share everything in the comments.

Feel free to connect with me on Medium, LinkedIn, Twitter, and GitHub.