we will create a new user (user01) on an AWS Linux server (EC2), install the user's public key so that the user can use his/her private key to access the Linux server. It is about Linux user account creation and user access authentication using public/private key pair, instead of password to authenticate.
We generated a public and private key pair in SSH Public Key Authentication to Access Linux (2). In this post, we will create a new user (user01) on an AWS Linux server (EC2), install the user’s public key so that the user can use his/her private key to access the Linux server. It is about Linux user account creation and user access authentication using public/private key pair, instead of password to authenticate.
About AWS and Learning
AWS provides 12 months free virtual server (EC2), which we can use to quickly setup our Windows or Linux lab. AWS free tier details are available from https://aws.amazon.com/free/?all-free-tier.sort-by=item.additionalFields.SortRank&all-free-tier.sort-order=asc
AWS EC2 User Guide is available from: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html
If you are interested in receiving AWS training, there are plenty excellent courses on Udemy. The one I am watching is the AWS Certified Developer Associate https://www.udemy.com/aws-certified-developer-associate-dva-c01/.
If you are an Australian user, you may also register Cashrewards (online shopping cashback site) and procure Udemy courses from there, which gives you further 10% cashback. My Cashrewards referral link is https://refer.cashrewards.com.au/x/FKxM7Y so that you get A$5 and I get A$5, thanks :p
Use Putty to Connect to AWS Linux
We use Putty to SSH to AWS Linux server. Enter the public IP of our AWS Linux server (Step 1 in Screenshot below), so that we can reach across Internet from home computer; and ‘ec2-user’ as username. ‘ec2-user’ is the AWS Linux server root account.
We then refer to/include the private key , that we downloaded when creating the AWS EC2 instance.
In Putty, select SSH, Auth, browse to our private key file for ‘ec2-user’ authentication (Step 2, 3 and 4 in Screenshot below). We may also ‘Save’ the connection session, so that we can simply double click the saved Putty connection ‘AltairX AWS Lab’ to access our Linux server in future, no need to enter username, IP and private key again.
Upon logon the Linux server, we saw the following screen, where 220.127.116.11 is our server private IP. AWS does the public IP and private IP mapping for us. Private IP is not routable from the Internet; therefore, we could not use 18.104.22.168 to access the server directly from the Internet.
‘ec2-user’ is the most powerful account, which allows you to do everything possible with the server. The super account is also called root account in Linux world. We shall NEVER use root account to perform daily work. Just imagine the following scenarios:
- if we have multiple users share the root account access, and one user messes up the environment, we cannot identify who did this; or perhaps bad guy gains access to the root account;
- root account grants super power. A user shall only be assigned with permissions necessary to perform daily work. It protects the system as well as the user, as he/she is less likely to accidentally execute commands out of his/her duties.
Create New User on Linux with Public Key Access
We will follow the steps below to create a Linux user, user01, and grant him/her public key access. The Linux admin shall obtain the public key from user01 prior to the following activities. The user shall NEVER give anyone his/her private key, which is no difference from giving your home key or bank account credential to others.
See SSH Public Key Authentication to Access Linux (2) on how a user creates a public and private key pair using PuttyGen.
See SSH Public Key Authentication to Access Linux (1) on what is a public and private key pair.
Steps for the Linux admin to create a user account with public key access:
- Create new user account;
- Create directory and file to store the user’s public key;
- Change the key directory and file permission, so that only the user has access to the directory and the file. When the user access to the server, he/she can use own private key to unlock the public key.
Commands to create a new user on Linux
This section includes the complete configuration to create a new user on Linux with public key authentication. The next section includes verification commands and screenshots. Step-by-step verification is extremely important, which tests our understanding on what we are doing and saves us troubleshooting time if configuration does not work.
# create new user user01. sudo means superuser do, using admin privilege to execute the add user command. It creates the user account, user01, and provisions the user home directory /home/usr01. The user can only manages his/her home directory by default.
sudo adduser user01
# act as if the user, so that no need to change directory and file ownership from ec2-user to user01.
sudo su user01
# change the directory from ec2-user home directory to user01 home directory. You don't need the superuser power (sudo) from now on because you are acting as if user01 and have full control on user01 directory.
# create a hidden directory .ssh in /home/user01. dot means it is hidden directory; mkdir means make directory.
# change the .ssh directory permission to 700. .ssh changed from original drwxrwxr-x to drwx------. It means the directory is on accessible by its owner, user01.
chmod 700 .ssh
# create a file called 'authorized_key' under .ssh directory and paste user01 public key in the file. ~ means current directory. nano is Linux text editor, you may also use vim, another Linux text editor.
# change the ~/.ssh/authorized_key file permission to 600, which means only the file owner user01 can read and write the file.
chmod 600 ~/.ssh/authorized_keys
Commands to verify user creation on Linux
All user information are in /etc/passwd file. We can use the following command to check users. See Kiwibooks for ‘Cut’ command details. In short, cut -f1 means display the first field of each line of the given file. -d: means using : as the field deliminator.
cut -d: -f1 /etc/passwd
List user home directories. ‘ls’ means list, ‘-la’ is to list the files, one in a line, under the given directory; and show all sub-directories and files. Without ‘a’ parameter, hidden files stay unrevealed.
After executing ‘sudo su user01’, we switch to ‘user01’, not ‘ec2-user’ anymore. It shows user01@ip-xxx-xxx-xxx-xxx now as below:
Use ‘pwd’ to verify current directory. We change directory from ‘/home/ec2-user’ to ‘/home/user01’. So that we can put files directly in user01’s home folder.
Create hidden directory .ssh using mkdir command, and verify the hidden directory by using ‘ls -la’ command. ‘a’ parameter means all directories and files, including hidden ones. hidden directory will not be shown without ‘a’. Purple, e.g. ‘.ssh’, indicates it is a directory; while white, e.g. ‘.bash_logout’, is a file.
Modify .ssh directory permission to 700 and use ‘ls -la’ to verify the permission changes from drwxrwxr-x to drwx—— which means only the owner, user01, can read, write and execute the directory.
Create the ‘authorized_keys’ file under ‘.ssh’ directory. Verify file content by using ‘cat ~/.ssh/authorized_keys’.
Modify the user’s public key file, i.e. ‘authorized_keys’, permission to 600, which means only the user can read and write the file.
User Access to Linux Server Using Private Key
Open Putty and access the AWS Linux instant using user01 account as screenshot below:
Include the user01′ private key for authentication (Step 2, 3 and 4 in Screenshot below), which is to unlock the user01’s public key, which was installed in the user account by the Linux admin before.
Upon user01 logon, the following screen shows. User01 shall use his/her own account for the server access instead of using the root account, that is ec2-user. User01 also has limited access permission and can only manage own folders and files.
This is the end of the ‘SSH Public Key Authentication to Access Linux’ series.