Creating New Users
Run the following commands:
adduser username
sudo vim /etc/sudoersFind the section called user privilege specification. It will look like this:
# User privilege specification
root ALL=(ALL:ALL) ALLUnder there, add the user so the section appears as below, granting all the permissions to your new user:
# User privilege specification
root ALL=(ALL:ALL) ALL
username ALL=(ALL:ALL) ALLrun vigr in the terminal and add your new username created to the sudo group, and any other groups you may want.
...
tape:x:26:
sudo:x:27:USERNAME,USERNAME2,USER3
audio:x:29:
...
If you want to change your user's default home directory, run the following command - sudo usermod -d /path/to/home username
If PW authentication enabled, you can now ssh!
If not, continue by running the following commands to create a key for authorization
sudo su username
cd
ssh-keygen -t ed25519if you run the above command as sudo, it will create a key for root@host, not the user you are logged in as.
If you are getting privelege errors, you are not in your home directory. Create the key there first, then move it to your preferred location later. (usually /home/user/.ssh/)
general format for filename is user_<keytype> so -> username_ed25519
this will create a public and private key, the private key should(?) be backed up on an encrypted USB drive and removed from the server
Once the files are generated, they sit loose in the users home directory - clean them up
mkdir .ssh
sudo mv username_ed25519* .ssh/Do not leave your private key on the server, should someone get this keyfile they can change your password and login as long as that key is on the approved list. These will unauthorized logins / password resets will not be viewed as a breach attempt, but as an approved login - no one will be alerted until its too late.
If using Putty to SSH, continue.
At some point when a password is used in key generation, ssh-keygen generates openssh private key which doesn't use cipher supported by puttygen.
ssh-keygen doesn't provide option to specify cipher name to encrypt the resulting openssh private key.
There is a workaround: remove the passphrase from the key before importing into puttygen.
Create a copy of the key to temporarily remove the passwordcp ~/.ssh/id_ed25519 ~/.ssh/id_ed25519-for-putty
import the copied key, using the -p argument to specify a request to set a new password, and -f to specify the import keyfile.
ssh-keygen -p -f ~/.ssh/id_ed25519-for-putty
Enter old passphrase: <your passphrase>
Enter new passphrase (empty for no passphrase): <press Enter>
Enter same passphrase again: <press Enter>using some command, view the text contents of the private key generated.
cat id_ed25519-for-putty
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQyNTUxOQ
AAACCGyjniPP1oVCXqkdCeCKFp+5+5cI7L79rP5RYHJ5Y6fQAAAJh3QGp1d0BqdQAAAAtzc2gtZWQy
NTUxOQAAACCGyjniPP1oVCXqkdCeCKFp+5+5cI7L79rP5RYHJ5Y6fQAAAEBJr8PzmuEN6qNyrY07Lr
LAgZRjo9efYETKqFbS2jVTQobKOeI8/WhUJeqR0J4IoWn7n7lwjsvv2s/lFgcnljp9AAAADmthcHBl
ckBrYXB1bnR1AQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----copy this output from your ssh session to the machine running Putty
On the windows machine, create a .ssh directory in the users folder who wishes to SSH into the server (C:\Users\Shaun\.ssh)
Open puttygen, load convert->import keys.. select the text file we created in C:\Users\Shaun\.ssh\ and set the passphrase from puttygen.
Don't forget to shred and remove ~/.ssh_id_ed25519-for-putty afterwards since it is not password protected.
The new password protected key will authorize the user based on the local password set in putty, using the remote PUBLIC key stored on the server.
There is no need to keep your private keys on any server, or any device connected to the internet.