Basic User Admin in an Ubuntu Linode

Some simple user admin on an Ubuntu Linode VPS server.

Create an admin user on my linode

New Linodes come with no users except for root by default. Having a root user with SSH access is always a bad idea, because it is an obvious account whose password an attacker can try to guess. Better to have a separate account with a non-obvious name, so potential attackers would have to guess both. Before creating a new account, though, I changed the settings for all new users.

Changing default settings for new users on Ubuntu

The commands below change the default prompt, editor, and shell, and add a little command history navigation thing.

#change the default shell new users get
$ useradd -D -s /bin/bash

# love this trick - type the beginning of a command, say "useradd" then use the up / down
# key, and only see commands from your history that start with "useradd"
$ nano /etc/skel/.inputrc
"\e[A": history-search-backward
"\e[B": history-search-forward

# change the prompt to one I like better and use nano as default editor
$ nano /etc/skel/.bash_profile
export EDITOR=nano

if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
    # We have color support; assume it's compliant with Ecma-48
    # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
    # a case would tend to support setf rather than setaf.)
    color_prompt=yes
else
    color_prompt=
fi

if [ "$color_prompt" = yes ]; then
    export PS1="\n[\t] \[\033[01;32m\]\u@\H\[\033[00m\]:\$PWD\n"
else
    export PS1="\n[\t] \u@\H:\$PWD\n"
fi
unset color_prompt

# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'

    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi

Creating new users on Ubuntu

The following creates the new user and sets its password. The -m creates the home folder.

$ useradd -m -g admin ME
$ passwd ME
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
$ exit

I then log in as the new user with

$ ssh ME@example.com
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.5.2-linode45 i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Sep 22 23:43:20 CEST 2012

  System load:  0.0               Processes:           78
  Usage of /:   3.2% of 18.89GB   Users logged in:     1
  Memory usage: 41%               IP address for eth0: 109.74.203.184
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.

# while I am here, I create a directory I will need later
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ exit

Logging in with SSH keys

SSH public key authentication is a safer alternative to passwords, which are a frequent target of brute-force attacks. Additionally, you can set it up so that you don’t have to enter any password at all to connect to your server.

Setting up SSH keys

I run the following in Terminal on my machine. I save the key in a custom file as I have other keys for other purposes.

# generates the keys in custom files
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/ME/.ssh/id_rsa): /Users/ME/.ssh/CUSTOM_FILENAME
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/ME/.ssh/CUSTOM_FILENAME.
Your public key has been saved in /Users/ME/.ssh/CUSTOM_FILENAME.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx ME@MY_MACHINE
The key's randomart image is:
+--[ RSA 2048]----+
|  . . . . . . .  |
|  . . . . . . .  |
|  . . . . . . .  |
|  . . . . . . .  |
|  . . . . . . .  |
|  . . . . . . .  |
|  . . . . . . .  |
|  . . . . . . .  |
|  . . . . . . .  |
+-----------------+

# add the custom file to the list of keys
$ ssh-add -K /Users/ME/.ssh/CUSTOM_FILENAME
Enter passphrase for /Users/ME/.ssh/CUSTOM_FILENAME:
Identity added: /Users/ME/.ssh/CUSTOM_FILENAME (/Users/ME/.ssh/CUSTOM_FILENAME)

This generates two keys, public and private. The private key stays on my machine, and the public key goes on the server. I do that with scp, from my local machine:

# send the key to the server
scp /Users/ME/.ssh/CUSTOM_FILENAME.pub ME@EXAMPLE.COM:/home/ME/.ssh/uploaded_key.pub
# get onto the server and add the key to the list of authorized keys
# .ssh/ should exist, I created it earlier
# single quotes so that the command runs on the server, not on the local machine
ssh ME@EXAMPLE.COM 'cat ~/.ssh/uploaded_key.pub >> ~/.ssh/authorized_keys'

It is also a good idea to change the following in /etc/ssh/sshd_config: (NOTE: it’s sshd_config with a ‘d’, not ssh_config which also exists)

PasswordAuthentication no
# ...
PermitRootLogin no

This means that from now on my workstation is the only way to get into my machine (until I create new keys on other machines), and root cannot log in anymore.
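A check for the two settings above, as an added example that is not part of the original post: sshd uses the first value it finds for each keyword, so lines appended below an existing "PermitRootLogin yes" have no effect. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which value sshd takes from the global section of a config file.

# effective_value FILE KEYWORD -> prints the first value set for KEYWORD (lowercased).
# Keywords are case-insensitive; parsing stops at the first Match line because
# everything after it applies only conditionally.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        {
            split($0, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "match") exit
            if (key == want) { print tolower(f[2]); exit }
        }' "$1"
}

# audit_sshd_config FILE -> returns 0 only if both settings from the post are "no".
audit_sshd_config() {
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" = no ]; then
            echo "OK    $kw no"
        else
            echo "FAIL  $kw ${val:-not set, built-in default applies}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the two lines were appended below an existing PermitRootLogin.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
PermitRootLogin no
EOF

audit_sshd_config "$sample" || echo "=> fix the first occurrence, then reload sshd"
rm -f "$sample"
```

On the server itself, sshd -t checks the file for syntax errors and sshd -T prints the effective values, including any Include files that this example does not follow.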

More server hardening

It is a good idea to secure your VPS with a firewall at least. The Linode documentation is very good, and there are various sources around the web, such as How to secure an Ubuntu 12.04 LTS server.
