Creating New Users
Run the following commands:
adduser username
Adding user `username' ...
Adding new group `username' (1000) ...
Adding new user `username' (1000) with group `username' ...
Creating home directory `/home/username' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for username
Enter the new value, or press ENTER for the default
Full Name []: # You can leave all of this blank, or not
Room Number []: # Your choice, really
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
# If vim is your preferred text editor, set the environment variable to say so -
export EDITOR=/bin/vim
sudo visudo
# Both of these commands open the same file in the preferred editor we've set; visudo also checks the syntax before saving
sudo vim /etc/sudoers
Find the section within /etc/sudoers called user privilege specification. It will look like this:
# User privilege specification
root ALL=(ALL:ALL) ALL
Modify the file by adding the user to the section as it appears below, granting all the permissions to your new user:
# User privilege specification
root ALL=(ALL:ALL) ALL
username ALL=(ALL:ALL) ALL
Save /etc/sudoers and run vigr in the terminal, then add your newly created username to the sudo group, and any other groups you may want. This is the same thing as modifying the configuration file /etc/group with your preferred editor and saving it. (Docker is a common group that users will need to be added to - don't run your containers as root by running sudo docker.)
...
tape:x:26:
sudo:x:27:USERNAME,USERNAME2,USER3
audio:x:29:
docker:x:30:USERNAME,USER3
...
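The script below is an added example, not part of the original page: it lists every account that gets root-level access through the two mechanisms above, a sudoers user line or membership of the sudo or docker group. The function names and the sample files are constructed for illustration. It reads only the two files it is given and does not follow sudoers includes.

```shell
# Added example: list accounts with root-level access via sudoers or groups.

# privileged_users SUDOERS_FILE GROUP_FILE
# Prints "user<TAB>source" per finding, sorted and de-duplicated.
privileged_users() {
    awk '
        # sudoers user specification, e.g.: username ALL=(ALL:ALL) ALL
        # Comments, Defaults, aliases and %group lines are skipped.
        FILENAME == ARGV[1] {
            if ($1 ~ /^[#%@+]/ || $1 ~ /^Defaults/ || $1 ~ /_Alias$/) next
            if ($0 ~ /^[^ \t]+[ \t]+ALL[ \t]*=[ \t]*(\([^)]*\)[ \t]*)?(NOPASSWD:[ \t]*)?ALL[ \t]*$/)
                print $1 "\tsudoers"
            next
        }
        # group file: name:password:GID:member,member,...
        # docker is included because its members can run containers as root.
        {
            split($0, fld, ":")
            if (fld[1] != "sudo" && fld[1] != "docker") next
            n = split(fld[4], member, ",")
            for (i = 1; i <= n; i++)
                if (member[i] != "") print member[i] "\tgroup:" fld[1]
        }
    ' "$1" "$2" | LC_ALL=C sort -u
}

# demo: constructed sample files modelled on the excerpts above.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '# User privilege specification' 'Defaults env_reset' \
        'root ALL=(ALL:ALL) ALL' 'username ALL=(ALL:ALL) ALL' \
        '%sudo ALL=(ALL:ALL) ALL' >"$dir/sudoers"
    printf '%s\n' 'tape:x:26:' 'sudo:x:27:username,user2' 'audio:x:29:' \
        'docker:x:30:username,user3' >"$dir/group"
    privileged_users "$dir/sudoers" "$dir/group"
    rm -rf "$dir"
}
demo
```

On a real host, call privileged_users /etc/sudoers /etc/group as root, since /etc/sudoers is not world-readable.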
You should change your user and group IDs from the default sequential values we can assume Linux has distributed for us. To do this, choose a valid ID and edit the following commands to suit your needs -
# Change user and group IDs
usermod -u 1234 user
groupmod -g 4321 usergroup
# Make sure you edit all the old permissions to reflect the above changes
# Use the old user and group IDs here, with the same user and group names as in the commands above
sudo find / -group 1000 -exec chgrp -h usergroup {} \;
sudo find / -user 1000 -exec chown -h user {} \;
Not sure what UID and GID to choose? See the table below and choose a value that suits your needs - probably a value within an unused range.
Table Source - Systemd.io
UID/GID                     Purpose                 Defined By      Listed in
0                           root user               Linux           /etc/passwd + nss-systemd
1 ... 4                     System users            Distributions   /etc/passwd
5                           tty group               systemd         /etc/passwd
6 ... 999                   System users            Distributions   /etc/passwd
1000 ... 60000              Regular users           Distributions   /etc/passwd + LDAP/NIS/…
60001 ... 61183             Unused
61184 ... 65519             Dynamic service users   systemd         nss-systemd
65520 ... 65533             Unused
65534                       nobody user             Linux           /etc/passwd + nss-systemd
65535                       16bit (uid_t) -1        Linux
65536 ... 524287            Unused
524288 ... 1879048191       Container UID ranges    systemd         nss-mymachines
1879048191 ... 2147483647   Unused
2147483648 ... 4294967294   HIC SVNT LEONES
4294967295                  32bit (uid_t) -1        Linux
Creating SSH Login Keys
SSH should never be authenticated using passwords alone.
sudo su username
cd
ssh-keygen -t ed25519
If you run the above command as sudo, it will create a key for root@host, not the user you are logged in as.
If you are getting privilege errors, you are not in your home directory. Create the key there first, then move it to your preferred location later (usually /home/user/.ssh/).
The general format for the filename is user_<keytype>, so -> username_ed25519
This will create a public and a private key. The private key should(?) be backed up on an encrypted USB drive and removed from the server.
Once the files are generated, they sit loose in the user's home directory - clean them up
mkdir .ssh
sudo mv username_ed25519* .ssh/
Do not leave your private key on the server. Should someone get this keyfile, they can change your password and log in as long as that key is on the approved list. These unauthorized logins / password resets will not be viewed as a breach attempt, but as an approved login - no one will be alerted until it's too late.
Using Putty with OpenSSH Keys
At some point, when a password is used in key generation, ssh-keygen generates an OpenSSH private key which doesn't use a cipher supported by puttygen.
ssh-keygen doesn't provide an option to specify the cipher name used to encrypt the resulting OpenSSH private key.
There is a workaround: remove the passphrase from the key before importing into puttygen.
Create a copy of the key to temporarily remove the password:
cp ~/.ssh/id_ed25519 ~/.ssh/id_ed25519-for-putty
Import the copied key, using the -p argument to specify a request to set a new password, and -f to specify the import keyfile.
ssh-keygen -p -f ~/.ssh/id_ed25519-for-putty
Enter old passphrase: <your passphrase>
Enter new passphrase (empty for no passphrase): <press Enter>
Enter same passphrase again: <press Enter>
Using some command, view the text contents of the private key generated.
cat id_ed25519-for-putty
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
Copy this output from your ssh session to the machine running Putty.
On the Windows machine, create a .ssh directory in the user folder of whoever wishes to SSH into the server (C:\Users\Shaun\.ssh)
Open puttygen, load convert->import keys, select the text file we created in C:\Users\Shaun\.ssh\ and set the passphrase from puttygen.
Don't forget to shred and remove ~/.ssh/id_ed25519-for-putty afterwards since it is not password protected.
The new password-protected key will authorize the user based on the local password set in putty, using the remote PUBLIC key stored on the server.
There is no need to keep your private keys on any server, or any device connected to the internet.
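To confirm that no passphrase-less copy such as id_ed25519-for-putty is still lying in a home directory, the script below (an added example, not part of the original page) reads the cipher name stored in each OpenSSH private key header, where "none" means the key is unprotected. The function names and the header-only sample files are constructed for illustration, and only OpenSSH-format keys are recognised.

```shell
# Added example: flag private keys that have no passphrase (cipher "none").

# key_cipher FILE: print the cipher name ("none" means no passphrase);
# fails if FILE is not an OpenSSH-format private key.
key_cipher() (
    grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1" 2>/dev/null || exit 1
    tmp=$(mktemp) || exit 1
    # Drop the armor lines and decode the base64 body.
    grep -v '^-----' "$1" | tr -d ' \r\n' | base64 -d >"$tmp" 2>/dev/null || :
    # Layout: magic "openssh-key-v1\0" (15 bytes), 4-byte length, cipher name.
    magic=$(head -c 14 "$tmp")
    set -- $(od -An -v -tu1 -j15 -N4 "$tmp" 2>/dev/null)
    name=
    if [ "$magic" = "openssh-key-v1" ] && [ $# -eq 4 ]; then
        len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
        [ "$len" -le 64 ] && name=$(tail -c +20 "$tmp" | head -c "$len")
    fi
    rm -f "$tmp"
    [ -n "$name" ] && printf '%s\n' "$name"
)

# audit_keys HOME_DIR: check files loose in HOME_DIR and in HOME_DIR/.ssh.
# Prints one line per private key; returns 1 if any key has no passphrase.
audit_keys() {
    found=0
    for f in "$1"/* "$1"/.ssh/*; do
        cipher=$(key_cipher "$f") || continue
        if [ "$cipher" = "none" ]; then
            echo "UNENCRYPTED $f"; found=1
        else
            echo "encrypted($cipher) $f"
        fi
    done
    return "$found"
}

# demo: audit two constructed header-only samples (no key material).
demo() {
    d=$(mktemp -d) && mkdir "$d/.ssh" || return 2
    for spec in 'id_ed25519:\012aes256-ctr\0\0\0\006bcrypt' \
                'id_ed25519-for-putty:\004none\0\0\0\004none'; do
        { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
          printf "openssh-key-v1\\0\\0\\0\\0${spec#*:}" | base64
          echo '-----END OPENSSH PRIVATE KEY-----'; } >"$d/.ssh/${spec%%:*}"
    done
    rc=0; audit_keys "$d" || rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "at least one key has no passphrase"
```

For a real check, run audit_keys /home/username; a non-zero exit status means at least one key file there can be used without a passphrase.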