How to add new users on Linux?

Problem:

I need to add a new user to a Linux server

Linux servers in Spinup use regular SSH authentication (password authentication has been disabled for security reasons). In addition, high-risk servers require Duo multi-factor authentication when logging in.

By default only the user who created a server can SSH into it using their netid and SSH key specified in their Spinup profile. 

Using spinup-user CLI

The spinup-user command-line utility should be pre-installed on all Spinup Linux servers and can be used to easily add and remove users.


For example, on one of my servers I need to add user jsi3. I just need their public SSH key (which is not sensitive and can be safely shared) and I can then create the user like so:

[tg333@ip-10-5-32-247 ~]$ sudo spinup-user add jsi3
Paste one or more SSH public keys for this user (hit Enter when done):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhU7Ucb/4AdGjtTrDZfGexJyLFxngErqWyv9Ryix8scdEOJxC/qWJiBOxasQp5fjF+ZDf5OIXgBrtd7xvJT+Lr+p65hE7EX0KL+JAWPibr0E1b0Gw9mTwAIutPA9u5tt6btmWbPUJXWifft8wgq6aIoqsg/sAzmiEHEJiL17fp7LXwjwDsxzYfskLX58uVIVqyMW5da81CNcqAPavlrGq1p1hd/+8i/2m8ql0VHnAOMdqQz5tmGY6N7F/AbtSLDaki7XTS6vQZUc5wr3ZHIe6wuQhk82/VVWoNjlxOjhwBItE0Tb7bCDkMgZ0RMymmpl/T5ioyyZmYQjmP3Xmdhdsb

Added user jsi3


You can use the list command to see all users on the server and get more information about them:

[tg333@ip-10-5-32-247 ~]$ sudo spinup-user list
jsi3
tg333 (admin)

[tg333@ip-10-5-32-247 ~]$ sudo spinup-user list jsi3
Username: jsi3
Admin: false
Shell: /bin/bash
Homedir: /home/jsi3
UID: 1002
GID: 1002

Authorized keys:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhU7Ucb/4AdGjtTrDZfGexJyLFxngErqWyv9Ryix8scdEOJxC/qWJiBOxasQp5fjF+ZDf5OIXgBrtd7xvJT+Lr+p65hE7EX0KL+JAWPibr0E1b0Gw9mTwAIutPA9u5tt6btmWbPUJXWifft8wgq6aIoqsg/sAzmiEHEJiL17fp7LXwjwDsxzYfskLX58uVIVqyMW5da81CNcqAPavlrGq1p1hd/+8i/2m8ql0VHnAOMdqQz5tmGY6N7F/AbtSLDaki7XTS6vQZUc5wr3ZHIe6wuQhk82/VVWoNjlxOjhwBItE0Tb7bCDkMgZ0RMymmpl/T5ioyyZmYQjmP3Xmdhdsb


Note that by default the new user does not have admin (sudo) privileges. To make an admin user you can use the -a flag. Be careful who you make an admin as they will have unlimited root access on the server!

[tg333@ip-10-5-32-247 ~]$ sudo spinup-user add jsi3 -a


To delete a user and their home directory:

[tg333@ip-10-5-32-247 ~]$ sudo spinup-user remove jsi3
Removed user jsi3


This is just a brief overview of how to use the CLI. For more information and examples you can see the Github repo https://github.com/YaleSpinup/spinup-user


Manual step-by-step guide

If for some reason you cannot use the spinup-user CLI you can manually create a Linux user.


Centos
$ sudo -s
$ NEWUSER=<netid of person you would like to add>  #Variable that is used in future commands
$ adduser $NEWUSER
$ gpasswd -a $NEWUSER wheel  #If you would like to give them root access
$ mkdir -m 700 /home/$NEWUSER/.ssh
$ echo "User's PUBLIC key" > /home/$NEWUSER/.ssh/authorized_keys
$ chmod 600 /home/$NEWUSER/.ssh/authorized_keys
$ chown -R $NEWUSER:$NEWUSER /home/$NEWUSER/.ssh
$ restorecon -FRvv /home/$NEWUSER/.ssh  #Required if Selinux is running on the server


Ubuntu
$ sudo -s
$ NEWUSER=<netid of person you would like to add>  #Variable that is used in future commands
$ adduser $NEWUSER
$ usermod -aG sudo $NEWUSER  #If you would like to give them root access
$ mkdir -m 700 /home/$NEWUSER/.ssh
$ echo "User's PUBLIC key" > /home/$NEWUSER/.ssh/authorized_keys
$ chmod 600 /home/$NEWUSER/.ssh/authorized_keys
$ chown -R $NEWUSER:$NEWUSER /home/$NEWUSER/.ssh
$ restorecon -FRvv /home/$NEWUSER/.ssh  #Required if Selinux is running on the server


Best Practices

  • Utilize SSH keys instead of passwords for authentication
  • Create new user accounts instead of utilizing the root account
  • Do not elevate to root unless it is truly needed