Best Practices

  • Utilize SSH keys instead of passwords for authentication

  • Create new user accounts instead of utilizing the root account

  • Do not elevate to root unless it is truly needed

Linux

Using spinup-user CLI

The spinup-user command-line utility should be pre-installed on all Spinup Linux servers and can be used to easily add and remove users.

For example, on one of my servers I need to add user jsi3. I just need their public SSH key (which is not sensitive and can be safely shared) and I can then create the user like so:

Note

When you are done pasting in one or more SSH public keys, you must hit Enter TWICE

Code Block
[tg333@ip-10-5-32-247 ~]$ sudo spinup-user add jsi3
Paste one or more SSH public keys for this user (hit Enter when done):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhU7Ucb/4AdGjtTrDZfGexJyLFxngErqWyv9Ryix8scdEOJxC/qWJiBOxasQp5fjF+ZDf5OIXgBrtd7xvJT+Lr+p65hE7EX0KL+JAWPibr0E1b0Gw9mTwAIutPA9u5tt6btmWbPUJXWifft8wgq6aIoqsg/sAzmiEHEJiL17fp7LXwjwDsxzYfskLX58uVIVqyMW5da81CNcqAPavlrGq1p1hd/+8i/2m8ql0VHnAOMdqQz5tmGY6N7F/AbtSLDaki7XTS6vQZUc5wr3ZHIe6wuQhk82/VVWoNjlxOjhwBItE0Tb7bCDkMgZ0RMymmpl/T5ioyyZmYQjmP3Xmdhdsb

Added user jsi3

You can use the list command to see all users on the server and get more information about them:

Code Block
[tg333@ip-10-5-32-247 ~]$ sudo spinup-user list
jsi3
tg333 (admin)

[tg333@ip-10-5-32-247 ~]$ sudo spinup-user list jsi3
Username: jsi3
Admin: false
Shell: /bin/bash
Homedir: /home/jsi3
UID: 1002
GID: 1002

Authorized keys:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhU7Ucb/4AdGjtTrDZfGexJyLFxngErqWyv9Ryix8scdEOJxC/qWJiBOxasQp5fjF+ZDf5OIXgBrtd7xvJT+Lr+p65hE7EX0KL+JAWPibr0E1b0Gw9mTwAIutPA9u5tt6btmWbPUJXWifft8wgq6aIoqsg/sAzmiEHEJiL17fp7LXwjwDsxzYfskLX58uVIVqyMW5da81CNcqAPavlrGq1p1hd/+8i/2m8ql0VHnAOMdqQz5tmGY6N7F/AbtSLDaki7XTS6vQZUc5wr3ZHIe6wuQhk82/VVWoNjlxOjhwBItE0Tb7bCDkMgZ0RMymmpl/T5ioyyZmYQjmP3Xmdhdsb

Note that by default the new user does not have admin (sudo) privileges. To make an admin user you can use the -a flag. Be careful who you make an admin as they will have unlimited root access on the server!

Code Block
[tg333@ip-10-5-32-247 ~]$ sudo spinup-user add jsi3 -a

To delete a user and their home directory:

Code Block
[tg333@ip-10-5-32-247 ~]$ sudo spinup-user remove jsi3
Removed user jsi3

This is just a brief overview of how to use the CLI. For more information and examples, see the GitHub repo: https://github.com/YaleSpinup/spinup-user

Manual step-by-step guide

If for some reason you cannot use the spinup-user CLI you can manually create a Linux user.

Code Block
$ sudo -s
$ NEWUSER=<netid of person you would like to add>  # Variable that is used in future commands
$ adduser "$NEWUSER"
$ gpasswd -a "$NEWUSER" wheel  # If you would like to give them root access
$ mkdir -m 700 "/home/$NEWUSER/.ssh"
$ echo "User's PUBLIC key" > "/home/$NEWUSER/.ssh/authorized_keys"
$ chmod 600 "/home/$NEWUSER/.ssh/authorized_keys"
$ chown -R "$NEWUSER:$NEWUSER" "/home/$NEWUSER/.ssh"
$ restorecon -FRvv "/home/$NEWUSER/.ssh"  # Required if SELinux is running on the server

Code Block
$ sudo -s
$ NEWUSER=<netid of person you would like to add>  # Variable that is used in future commands
$ adduser "$NEWUSER"
$ usermod -aG sudo "$NEWUSER"  # If you would like to give them root access
$ mkdir -m 700 "/home/$NEWUSER/.ssh"
$ echo "User's PUBLIC key" > "/home/$NEWUSER/.ssh/authorized_keys"
$ chmod 600 "/home/$NEWUSER/.ssh/authorized_keys"
$ chown -R "$NEWUSER:$NEWUSER" "/home/$NEWUSER/.ssh"
$ restorecon -FRvv "/home/$NEWUSER/.ssh"  # Required if SELinux is running on the server
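
The manual steps above write whatever is pasted straight into authorized_keys with `>`, which replaces any keys already there. The sketch below is an added example, not part of the original guide or the spinup-user project: it checks that the pasted line is a public key, appends instead of overwriting, and verifies the 700/600 modes afterwards. The function names are hypothetical, and the chown and restorecon steps from the guide are still needed when running as root.

```shell
# Added example, not from the original page. Function names are hypothetical;
# the chown and restorecon steps from the guide still apply afterwards.

# Succeeds only for one single-line OpenSSH *public* key.
is_public_key() {
  case $1 in
    *"PRIVATE KEY"*) return 1 ;;   # the wrong half of the key pair was pasted
  esac
  [ "$(printf '%s\n' "$1" | wc -l)" -eq 1 ] || return 1
  printf '%s\n' "$1" | grep -Eq \
    '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_key HOMEDIR KEYLINE: append the key unless it is already present.
install_key() {
  is_public_key "$2" || { echo "refusing: not a public key" >&2; return 1; }
  ( umask 077                      # new dir/file are never group/world readable
    mkdir -p "$1/.ssh" &&
    touch "$1/.ssh/authorized_keys" ) || return 1
  chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys" || return 1
  # -x whole line, -F fixed string: append (>>) rather than overwrite (>)
  grep -qxF -- "$2" "$1/.ssh/authorized_keys" ||
    printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
}

# audit_ssh_dir HOMEDIR: confirm the modes the guide sets (700 dir, 600 file).
audit_ssh_dir() {
  [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] &&
  [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}
```

Run as root, this would be called as `install_key "/home/$NEWUSER" "<pasted public key>"`, followed by the guide's chown and restorecon commands.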

Windows

  1. Once logged into the computer, right-click on the Start button and select System.

  2. On the System settings screen, select "Remote settings" on the left-hand side. In Windows 2019, you will instead select "Remote Desktop" on the left side.

  3. Click the Select Users button on the resulting dialog. On Windows 2019, you will instead scroll to the bottom of the screen and click "Select users that can remotely access this PC".

  4. Click the Add button on the Remote Desktop Users dialog box.

  5. Type the NetID of the user you want to add and click "Check Names". Their NetID should expand to show their full account name/e-mail address. Now you can click OK and exit out of the previous dialog boxes.

  6. The new user should now be able to log in!

Note: Users of servers in Secured spaces may get the error "Logon failure: the user has not been granted the requested logon type at this computer". If that occurs, you will need to follow the additional steps below. If you do not have a CIS-hardened server as part of a moderate- or high-risk space, the steps below should not be needed.

  1. Search for and go to "Local Security Policy" under the Windows Start Menu.

  2. Expand Local Policies in the left-hand pane, then click on the User Rights Assignment folder. Lastly, double-click on "Allow log on locally" in the right-hand pane.

  3. Type "Remote Desktop Users", then click Check Names. The group name "Remote Desktop Users" should become underlined. Click OK, OK, and exit the Local Security Settings manager.

  4. The user should now be able to log in.