SSH Public Key Authentication to Access Linux (3)


Introduction

We generated a public and private key pair in SSH Public Key Authentication to Access Linux (2). In this post, we will create a new user (user01) on an AWS Linux server (EC2) and install the user’s public key so that the user can use his/her private key to access the Linux server. It is about Linux user account creation and user authentication using a public/private key pair instead of a password.

About AWS and Learning

AWS provides 12 months of free virtual server (EC2) usage, which we can use to quickly set up our Windows or Linux lab. AWS free tier details are available from https://aws.amazon.com/free/?all-free-tier.sort-by=item.additionalFields.SortRank&all-free-tier.sort-order=asc

AWS EC2 User Guide is available from: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html

If you are interested in receiving AWS training, there are plenty of excellent courses on Udemy. The one I am watching is the AWS Certified Developer Associate https://www.udemy.com/aws-certified-developer-associate-dva-c01/.

If you are an Australian user, you may also register with Cashrewards (an online shopping cashback site) and procure Udemy courses from there, which gives you a further 10% cashback. My Cashrewards referral link is https://refer.cashrewards.com.au/x/FKxM7Y so that you get A$5 and I get A$5, thanks :p

Use Putty to Connect to AWS Linux

We use Putty to SSH to the AWS Linux server. Enter the public IP of our AWS Linux server (Step 1 in the screenshot below), so that we can reach it across the Internet from our home computer, and ‘ec2-user’ as the username. ‘ec2-user’ is the AWS Linux server root account.

Use Putty to Connect to AWS Linux – 1

We then refer to/include the private key that we downloaded when creating the AWS EC2 instance.

In Putty, select SSH, Auth, and browse to our private key file for ‘ec2-user’ authentication (Steps 2, 3 and 4 in the screenshot below). We may also ‘Save’ the connection session, so that in future we can simply double-click the saved Putty session ‘AltairX AWS Lab’ to access our Linux server, with no need to enter the username, IP and private key again.

Use Putty to Connect to AWS Linux – 2

Upon logging on to the Linux server, we see the following screen, where 172.32.0.11 is our server’s private IP. AWS does the public IP to private IP mapping for us. The private IP is not routable from the Internet; therefore, we cannot use 172.32.0.11 to access the server directly from the Internet.

AWS Linux root account access ‘ec2-user’

‘ec2-user’ is the most powerful account, which allows you to do everything possible with the server. The super account is also called the root account in the Linux world. We shall NEVER use the root account to perform daily work. Just imagine the following scenarios:

  • if multiple users share the root account and one user messes up the environment, we cannot identify who did it; or perhaps a bad guy gains access to the root account;
  • the root account grants super powers. A user shall only be assigned the permissions necessary to perform daily work. This protects the system as well as the user, as he/she is less likely to accidentally execute commands outside his/her duties.

Create New User on Linux with Public Key Access

We will follow the steps below to create a Linux user, user01, and grant him/her public key access. The Linux admin shall obtain the public key from user01 prior to the following activities. The user shall NEVER give anyone his/her private key; doing so is no different from giving your home key or bank account credentials to others.

See SSH Public Key Authentication to Access Linux (2) on how a user creates a public and private key pair using PuttyGen.

See SSH Public Key Authentication to Access Linux (1) on what is a public and private key pair.

Steps for the Linux admin to create a user account with public key access:

  1. Create the new user account;
  2. Create the directory and file to store the user’s public key;
  3. Change the key directory and file permissions so that only the user has access to the directory and the file. When the user accesses the server, he/she can use his/her own private key to unlock the public key.

Commands to create a new user on Linux

This section includes the complete configuration to create a new user on Linux with public key authentication. The next section includes verification commands and screenshots. Step-by-step verification is extremely important: it tests our understanding of what we are doing and saves us troubleshooting time if the configuration does not work.

Commands to verify user creation on Linux

All user information is in the /etc/passwd file. We can use the following command to check users. See Kiwibooks for ‘cut’ command details. In short, cut -f1 means display the first field of each line of the given file, and -d: means use : as the field delimiter.

Verify user accounts

List the user home directories. ‘ls’ means list; ‘-la’ lists the files under the given directory, one per line, and shows all sub-directories and files. Without the ‘a’ parameter, hidden files stay unrevealed.

Verify user home directory

After executing ‘sudo su user01’, we have switched to ‘user01’ and are no longer ‘ec2-user’. The prompt now shows user01@ip-xxx-xxx-xxx-xxx, as below:

Switch to user01

Use ‘pwd’ to verify the current directory. We change directory from ‘/home/ec2-user’ to ‘/home/user01’ so that we can put files directly in user01’s home folder.

Verify current directory

Create the hidden directory .ssh using the mkdir command, and verify the hidden directory using the ‘ls -la’ command. The ‘a’ parameter means all directories and files, including hidden ones; a hidden directory will not be shown without ‘a’. Purple, e.g. ‘.ssh’, indicates a directory, while white, e.g. ‘.bash_logout’, is a file.

ls -la to list hidden directories and files

Modify the .ssh directory permission to 700 and use ‘ls -la’ to verify that the permission changes from drwxrwxr-x to drwx------, which means only the owner, user01, can read, write and execute (enter) the directory.

Modify .ssh directory permission to 700

Create the ‘authorized_keys’ file under the ‘.ssh’ directory, containing the user’s public key. Verify the file content using ‘cat ~/.ssh/authorized_keys’.

Verify the public key file content

Modify the permission of the user’s public key file, i.e. ‘authorized_keys’, to 600, which means only the user can read and write the file.

Modify the public key file permission 600
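The admin steps above (create the account, create ~/.ssh, add authorized_keys, set 700 and 600, then verify with cut and ls) collected into one POSIX shell script, as an added example that is not part of the original post. It assumes the public key is already in single-line OpenSSH format (the text PuttyGen shows for pasting into authorized_keys), uses a constructed placeholder key and constructed passwd lines, and the function names create_user, install_user_key, check_key_perms and list_users are chosen for this example only.

```shell
#!/bin/sh
# Added example: automate the user01 public-key setup and verify the result.
# Assumption: the key is a one-line OpenSSH public key; the sample below is
# constructed and is NOT a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI.PLACEHOLDER.KEY.MATERIAL.NOT.A.REAL.KEY user01@example'

# Print the octal permission bits of a path (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Step 1 (run as the admin with sudo): create the account if it does not exist.
# Skipped when not running as root, so the remaining steps can be tested unprivileged.
create_user() {
    user="$1"
    if [ "$(id -u)" -eq 0 ]; then
        id "$user" >/dev/null 2>&1 || useradd -m "$user"
    fi
}

# Steps 2 and 3: ~/.ssh with mode 700 and ~/.ssh/authorized_keys with mode 600.
# umask 077 means nothing is group/world-readable even for the instant before chmod.
install_user_key() {
    home_dir="$1"
    pubkey="$2"
    umask 077
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    # Append rather than overwrite: a user may legitimately have more than one key.
    printf '%s\n' "$pubkey" >> "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
}

# Verification: succeed only if both permission values are exactly what the post sets.
# sshd (StrictModes yes, the default) ignores keys whose directory or file is
# group/world-writable, which shows up as "still prompting for a password".
check_key_perms() {
    home_dir="$1"
    [ "$(perm_of "$home_dir/.ssh")" = "700" ] || return 1
    [ "$(perm_of "$home_dir/.ssh/authorized_keys")" = "600" ] || return 1
    return 0
}

# The post's "cut -d: -f1 /etc/passwd": first colon-delimited field of each line.
list_users() {
    cut -d: -f1 "$1"
}

# Stand-alone demo in a temporary directory, so it runs without root.
demo() {
    tmp="$(mktemp -d)"
    # Constructed passwd lines standing in for /etc/passwd.
    printf 'root:x:0:0:root:/root:/bin/bash\nec2-user:x:1000:1000::/home/ec2-user:/bin/bash\nuser01:x:1001:1001::/home/user01:/bin/bash\n' > "$tmp/passwd"
    create_user user01
    install_user_key "$tmp/home/user01" "$SAMPLE_PUBKEY"
    if check_key_perms "$tmp/home/user01"; then
        echo "permissions OK"
    else
        echo "permissions WRONG"
    fi
    list_users "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On a real server the admin would run install_user_key with /home/user01 as the first argument after `sudo su user01`, as in the post, so that user01 owns the files; check_key_perms is the scripted form of the two ‘ls -la’ checks, and it fails on purpose when a later ‘chmod’ loosens the directory.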

User Access to Linux Server Using Private Key

Open Putty and access the AWS Linux instance using the user01 account, as in the screenshot below:

Use Putty to access Linux server as user01-1

Include user01’s private key for authentication (Steps 2, 3 and 4 in the screenshot below), which unlocks user01’s public key that the Linux admin installed in the user account earlier.

Use Putty to access Linux server as user01 – 2

Upon user01 logon, the following screen shows. User01 shall use his/her own account for server access instead of the root account, that is ec2-user. User01 also has limited permissions and can only manage his/her own folders and files.

user01 access to Linux server

This is the end of the ‘SSH Public Key Authentication to Access Linux’ series.
