Create a group for your user:
groupadd my_group
Add the user to the group (the -a flag appends to the user's supplementary groups instead of replacing them):
usermod -aG my_group my_user
Change the user's password:
passwd my_user
Now let's make this user a sudoer. Create a new file /etc/sudoers.d/my_sudoers.
To configure a specific user:
echo "my_user ALL=(ALL) ALL" > /etc/sudoers.d/my_sudoers
To configure a group instead, prefix the group name with %:
echo "%my_group ALL=(ALL) ALL" > /etc/sudoers.d/my_sudoers
Now the user can use sudo, but you still cannot log in as that user over SSH. Let's fix that. In /etc/ssh/sshd_config, grant SSH access to the user or to the whole group we created.
For a specific user:
AllowUsers my_user
For the whole group:
AllowGroups my_group
In addition, if you want to authenticate as the user with the user's password, set:
PasswordAuthentication no
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes is enough to be able to log in with a password. The difference between the two options is that PasswordAuthentication provides the option to pass the password as a parameter to the server in plaintext, whereas ChallengeResponseAuthentication enables interactive password input after the client has tunnelled a secure connection to the server. So you had better not enable PasswordAuthentication unless you have a very good reason to do so.
Now restart the sshd service and you are done:
service sshd restart
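Before restarting, it is worth checking what sshd will actually apply. The following is an added example, not part of the original post: a read-only audit of the directives discussed above (AllowUsers/AllowGroups, PasswordAuthentication, ChallengeResponseAuthentication) that needs no root. The function names and the sample config are constructed for this example; it also shows two caveats, that sshd honours the first occurrence of a keyword and that everything after a Match line is conditional.

```shell
# Added example, not from the original post: a read-only audit of the sshd_config
# keywords this walkthrough edits. Needs no root. Function names and the sample
# config below are constructed for this example.

# Effective value of a keyword written in "Keyword value" form. sshd honours the
# FIRST occurrence of a keyword and ignores later duplicates; keywords are
# case-insensitive; everything after a "Match" line is conditional, so stop there.
sshd_effective() {  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }   # blank lines and comments
        tolower($1) == "match" { exit }   # end of the global section
        tolower($1) == key     { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Report on who may log in and which password mechanisms are on.
# Returns 0 when every check passes, 1 when at least one FINDING was printed.
sshd_audit() {  # $1 = config file
    cfg=$1; rc=0
    if [ -z "$(sshd_effective "$cfg" AllowUsers)$(sshd_effective "$cfg" AllowGroups)" ]; then
        echo "FINDING: no AllowUsers/AllowGroups, so every account may attempt SSH login"; rc=1
    fi
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    if [ "${pw:-yes}" != "no" ]; then   # sshd's default is yes when unset
        echo "FINDING: PasswordAuthentication is '${pw:-yes (default)}'"; rc=1
    fi
    cr=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    [ "${cr:-yes}" = "no" ] || echo "INFO: interactive password login is on (ChallengeResponseAuthentication ${cr:-yes (default)})"
    return $rc
}

# Constructed sample showing the classic mistake: the "PasswordAuthentication no"
# appended at the end lands inside the Match block, and could not override the
# first (global) "PasswordAuthentication yes" even if it were global.
write_sample_config() {  # prints the path of the temp file it wrote
    f=$(mktemp)
    cat > "$f" <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication yes
AllowGroups my_group
Match User deploy
    PasswordAuthentication no
EOF
    printf 'PasswordAuthentication no\n' >> "$f"
    printf '%s' "$f"
}

sshd_audit "$(write_sample_config)" || echo "audit exit status: $?"
```

Run it against the real file with `sshd_audit /etc/ssh/sshd_config`; a config that matches the settings in this post (PasswordAuthentication no, ChallengeResponseAuthentication yes, an AllowUsers or AllowGroups line) prints only the INFO line and exits 0.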
You might, however, also want private-key-based authentication. Generate a key pair locally and upload the public key to the server:
ssh-keygen -t rsa -C "Some key-pair description" -N "" -f my-key
This generates the public key my-key.pub and the private key my-key.
Copy the public key to /home/your_user/.ssh/rsa_id; the easy way is:
ssh-copy-id -i my-key.pub my_user@1.2.3.4
And test it:
ssh -i my-key my_user@1.2.3.4
If you use multiple RSA keys across different servers and don't always want to bother explicitly specifying which one to use, run ssh-add my-key. Connecting to the server then gets a whole level simpler, just:
ssh my_user@1.2.3.4
and you are in!