How To Create An SSH-Enabled User With Public Key Authentication On Linux
Introduction
If you are reading this, you are probably struggling to create an SSH-enabled user on your Linux system and are looking for a way to solve this. Don't search any longer, you are at the right place!
In this tutorial, I will show you how to set up a user on your Linux system and enable SSH login using public key authentication.
Prerequisite
To add an SSH-enabled user, the user needs an SSH key pair, which can be generated on a Linux system with the following procedure:
Run the ssh-keygen command and provide the type of the key with -t and the length of the key with -b. To create an RSA key with a length of 2048 bits, use this:
ssh-keygen -b 2048 -t rsa
After running this command, the CLI will prompt you for the path of the file in which the key will be saved. It defaults to /home/your_username/.ssh/id_rsa. Adjust the path to your needs and hit enter.
In the next step, you will be prompted for a passphrase. It is not mandatory, but it should be used to protect the private key against unauthorized use if the key file is ever copied or stolen. Enter your passphrase and hit enter to generate the key.
After the process is finished, you can find the SSH key pair in your selected folder:
.rwx------ 1,8k your_username 5 Mai 2023 id_rsa
.rwx------ 389 your_username 5 Mai 2023 id_rsa.pub
id_rsa is the private key, which stays on the client and is never shared, while id_rsa.pub is the public key, the only file that is copied to the server.
Add SSH-enabled User To Your Linux System
Once the new user has an SSH key pair, log into your Linux system to add the user to the server.
The process to create a new user is straightforward:
- Become the root user by typing:
su root
and providing the root password.
- Create the new user with the useradd command:
useradd new_user
- Now set a password for the user (otherwise the account stays locked and sshd will refuse the login):
passwd new_user
- Create a .ssh directory within the new user's home directory:
mkdir -p /home/new_user/.ssh
- Create a file called authorized_keys within the .ssh directory and save the public key of the new user (the single line from id_rsa.pub) in it.
- Change the owner/group of the home directory to the new user:
chown -R new_user:new_user /home/new_user
- Set the correct permissions for the .ssh folder:
chmod 700 /home/new_user/.ssh
- Set the correct permissions for the authorized_keys file:
chmod 600 /home/new_user/.ssh/authorized_keys
- Restart the SSH daemon on your server:
service sshd restart
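The key-installation steps above as one script, added here as an example and not taken from the original article: install_authorized_key, check_key_perms and create_ssh_user are names chosen for this example, and the permission check assumes GNU stat (Linux). Beyond the steps themselves, it verifies the ownership and modes that sshd's StrictModes setting enforces before a key is accepted.

```shell
#!/bin/sh
# Added example (not from the original article): installs a public key the way
# the steps above do and verifies the permissions sshd's StrictModes checks.
# Function names are assumptions; stat -c is GNU stat (Linux).
set -eu

# install_authorized_key HOME_DIR PUBKEY_LINE [OWNER [GROUP]]
# Appends the key to HOME_DIR/.ssh/authorized_keys (skipping duplicates), then
# applies the ownership and 700/600 modes from the steps above. OWNER/GROUP
# default to the caller so the function can be tried in a scratch directory.
install_authorized_key() {
    home_dir=$1 pubkey=$2 owner=${3:-$(id -un)} group=${4:-$(id -gn)}
    ssh_dir="$home_dir/.ssh" auth_file="$home_dir/.ssh/authorized_keys"
    # Accept only lines that look like an OpenSSH public key (type, base64, comment).
    case $pubkey in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "refusing '$pubkey': not an OpenSSH public key line" >&2; return 1 ;;
    esac
    mkdir -p "$ssh_dir"
    touch "$auth_file"
    grep -qxF -- "$pubkey" "$auth_file" || printf '%s\n' "$pubkey" >> "$auth_file"
    chown -R "$owner:$group" "$home_dir"   # needs root when OWNER is another user
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"
}

# check_key_perms HOME_DIR: returns 0 when the layout satisfies StrictModes
# (.ssh is 700, authorized_keys is 600, home is not group/world writable).
check_key_perms() {
    [ "$(stat -c %a "$1/.ssh")" = 700 ] || { echo ".ssh must be 700" >&2; return 1; }
    [ "$(stat -c %a "$1/.ssh/authorized_keys")" = 600 ] \
        || { echo "authorized_keys must be 600" >&2; return 1; }
    # Octal digits without the write bit are 0, 1, 4 and 5.
    case $(stat -c %a "$1") in
        *[0145][0145]) ;;
        *) echo "home directory must not be group/world writable" >&2; return 1 ;;
    esac
}

# create_ssh_user NAME PUBKEY_LINE: the full procedure from the steps above (root only).
# Set a password afterwards (passwd NAME); otherwise the account stays locked.
create_ssh_user() {
    useradd -m "$1"
    install_authorized_key "/home/$1" "$2" "$1" "$1"
    check_key_perms "/home/$1"
}
```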
Enable SUDO commands for a User
Enabling sudo can be done in two different ways: using visudo or adding the user to the sudo group.
Using visudo command to append the user
To enable the sudo command for the previously created user, you have to edit the /etc/sudoers file using the visudo command, which checks the syntax before saving (a broken sudoers file can lock everyone out of sudo).
To do this, execute visudo (as root) and search for the following line:
%opc ALL=(ALL) NOPASSWD: ALL
Then append a line for the new user's group:
%new_user_group ALL=(ALL) ALL
If you want to avoid entering the password every time you run a command with sudo, you can use NOPASSWD in that line instead:
%new_user_group ALL=(ALL) NOPASSWD: ALL
To close visudo (when it opens nano as the editor) press CTRL+X and save your changes by pressing Y.
Add the user to the sudo group
To add the user to the sudo group, use the usermod command, which has to be executed as root (or with sudo):
usermod -aG sudo new_user
Executing this command adds new_user to the sudo group, granting full sudo privileges. The -a flag appends the group; without it, usermod -G replaces the user's supplementary groups. On RedHat/CentOS the equivalent group is called wheel.
Troubleshooting
Normally, if you followed this guide, you should be able to log in as the new user by executing:
ssh -i id_rsa new_user@ip
The -i option has to come before the destination; anything after new_user@ip is treated as a remote command. If for any reason this does not work, add -v to the ssh command to see which keys are offered and why they are rejected, and try any or all of the following steps:
Check SSH Logs
On Debian/Ubuntu:
tail -f /var/log/auth.log
On RedHat/CentOS:
tail -f /var/log/secure
On systems with systemd, journalctl -u sshd (or journalctl -u ssh on Debian/Ubuntu) shows the same messages.
Verify the SSH Configuration
If you cannot connect, check sshd_config (usually /etc/ssh/sshd_config) for the following values:
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
DenyUsers or AllowUsers directives, if present, must not block new_user: the name must not appear in DenyUsers, and if AllowUsers is set it must include the new user. After changing the file, restart the SSH daemon as above.
Error: User new_user not allowed because account is locked
If you see this message in the SSH logs, the account is locked: either no password was ever set for it (see the passwd step above) or it was disabled by an administrative policy. sshd refuses locked accounts even for public key logins.
- First, check the account status by using:
passwd -S new_user
If locked, the result should show new_user L ..., where the L indicates that it is locked.
- Unlock the user account:
passwd -u new_user
If the account never had a password, passwd -u refuses to unlock it; set a password with passwd new_user instead.
- Check the account status again:
passwd -S new_user
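For the configuration checks above (PubkeyAuthentication, AuthorizedKeysFile, AllowUsers/DenyUsers) and the locked-account check, here is an added example, not from the original article, that runs them against a sshd_config file and a passwd -S line you pass in; the function names are assumptions, and the sample config written by write_sample_config is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): checks the sshd_config values
# and the passwd -S status named in the troubleshooting section. Function names
# are assumptions; the sample config below is constructed, not from a real host.

# effective_option FILE KEYWORD: prints the global value of KEYWORD. sshd keeps
# the first occurrence of a keyword; Match blocks are conditional and skipped.
effective_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# user_blocked FILE USER: returns 0 if DenyUsers/AllowUsers would reject USER
# (plain names and shell-style patterns; the user@host form is not handled).
user_blocked() {
    for u in $(effective_option "$1" DenyUsers); do case $2 in $u) return 0 ;; esac; done
    allow=$(effective_option "$1" AllowUsers)
    [ -z "$allow" ] && return 1
    for u in $allow; do case $2 in $u) return 1 ;; esac; done
    return 0
}

# account_locked STATUS_LINE: 0 if a "passwd -S" line shows status L (or LK on
# older shadow-utils), the state behind "account is locked" in the sshd log.
account_locked() {
    set -- $1
    [ "$2" = L ] || [ "$2" = LK ]
}

# diagnose FILE USER STATUS_LINE: prints each reason found; returns 1 if any.
diagnose() {
    rc=0
    [ "$(effective_option "$1" PubkeyAuthentication)" = no ] && { echo "PubkeyAuthentication is no"; rc=1; }
    user_blocked "$1" "$2" && { echo "$2 is blocked by AllowUsers/DenyUsers"; rc=1; }
    account_locked "$3" && { echo "account $2 is locked; unlock with passwd -u $2"; rc=1; }
    return $rc
}

# write_sample_config FILE: constructed sshd_config showing a duplicated keyword,
# an AllowUsers list and a Match block.
write_sample_config() {
    printf '%s\n' 'PubkeyAuthentication no' 'PubkeyAuthentication yes' \
        'AuthorizedKeysFile %h/.ssh/authorized_keys' 'AllowUsers admin deploy_*' \
        'Match User admin' '    DenyUsers new_user' > "$1"
}
```

On the server itself, sshd -T -C user=new_user prints the effective configuration including Match blocks, which this parser does not evaluate.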
Closing Notes
Having SSH access with public key authentication to your server is mandatory when managing a Linux server, so knowing how to set it up yourself is a vital skill. By following this guide, you should have learned how to configure your SSH access with public key authentication, which improves both the security and the ease of use of SSH.
Hopefully, this article was easy to understand and you have learned how to set up SSH public key authentication for your server.
Do you have any questions regarding SSH and public key authentication? Or do you have any feedback? I would love to hear your thoughts and answer all your questions. Please share everything in the comments.
Feel free to connect with me on Medium, LinkedIn, Twitter, and GitHub.