Create a new SSH user on Ubuntu Server
Solution 1
Edit (as root) /etc/ssh/sshd_config. Append the following to it:
Port 1234
PermitRootLogin no
AllowUsers jim
Port 1234 causes SSH to listen on port 1234. You can use any unused port from 1 to 65535. It's recommended to choose a privileged port (port 1-1024) which can only be used by root. If your SSH daemon stops working for some reason, a rogue application can't intercept the connection.
PermitRootLogin disallows direct root login.
AllowUsers jim allows user jim to login through SSH. If you do not have to login from everywhere, you can make this more secure by restricting jim to an IP address (replace 1.2.3.4 with your actual IP address):
AllowUsers jim@1.2.3.4
Changes to the configuration file /etc/ssh/sshd_config are not immediately applied; to reload the configuration, run:
sudo service ssh reload
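An added check, not part of the answer above or of OpenSSH itself: this POSIX shell audit reads a sshd_config with the same first-match rule sshd applies, which matters because a stock Ubuntu file may already contain an active PermitRootLogin line above anything you append, and it also catches the comma-separated AllowUsers mistake raised later in the comments. The function names and the sample file are my own.

```shell
# sshd uses the FIRST uncommented occurrence of a keyword and ignores later
# ones, so "PermitRootLogin no" appended below an existing "PermitRootLogin
# yes" does nothing. Match blocks are not modelled here; "sshd -T" prints the
# daemon's own effective configuration and "sshd -t" syntax-checks it.
effective() {   # effective KEYWORD FILE -> first value, empty if unset
  awk -v k="$1" 'tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# Audit the three settings from the answer above. Returns 0 when all are
# in place, 1 when something needs attention (details on stdout).
audit_sshd_config() {
  f=$1
  rc=0
  port=$(effective Port "$f")
  echo "Port: ${port:-22 (default)}"
  prl=$(effective PermitRootLogin "$f")
  if [ "$prl" != "no" ]; then
    echo "WARN: effective PermitRootLogin is '${prl:-unset}', not 'no'"
    rc=1
  fi
  au=$(effective AllowUsers "$f")
  if [ -z "$au" ]; then
    echo "WARN: no AllowUsers line; every account with a valid shell may log in"
    rc=1
  else
    case $au in
      *,*) echo "WARN: AllowUsers '$au' is comma-separated; sshd reads it as one"
           echo "      user name that matches nobody, which locks everyone out"
           rc=1 ;;
      *)   echo "AllowUsers: $au" ;;
    esac
  fi
  return $rc
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` before `service ssh reload`, and keep the current session open until a second login on the new port succeeds.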
Solution 2
SSH is very picky about the directory and file permissions. Make sure that:
- The directory /home/username/.ssh has permission "700" and is owned by the user (not root!)
- The file /home/username/.ssh/authorized_keys has permission "600" and is owned by the user
Copy your public key into the authorized_keys file.
sudo chown -R username:username /home/username/.ssh
sudo chmod 0700 /home/username/.ssh
sudo chmod 0600 /home/username/.ssh/authorized_keys
There is NO need to add the user to /etc/ssh/ssh_config.
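An added check that is not part of the answer above: it applies the two StrictModes rules sshd enforces (owned by the user, no group or other write bit) to the directory and file the answer names, which also explains why the 755 on ~/.ssh reported in the comments is accepted. The function names are mine and GNU stat (Ubuntu coreutils) is assumed.

```shell
# sshd (StrictModes yes, the default) refuses public-key login when ~/.ssh or
# authorized_keys is group- or world-writable or owned by another account.
# It walks the home directory too; this covers the two paths from the answer.
# Returns 0 when PATH is acceptable, 1 otherwise, with the reason on stdout.
check_ssh_path() {
  path=$1
  user=$2
  mode=$(stat -c %a "$path") || return 1     # e.g. 700, 2755
  owner=$(stat -c %U "$path") || return 1
  bad=0
  if [ "$owner" != "$user" ]; then
    echo "BAD  $path: owned by $owner, expected $user (sudo chown $user:$user)"
    bad=1
  fi
  # 022 (octal) masks the group and other write bits; any of them set fails.
  if [ $(( 0$mode & 022 )) -ne 0 ]; then
    echo "BAD  $path: mode $mode is group- or world-writable"
    bad=1
  fi
  if [ $bad -eq 0 ]; then
    echo "OK   $path: mode $mode, owner $owner"
  fi
  return $bad
}

# Check both paths for one account: check_ssh_user /home/jim jim
check_ssh_user() {
  home=$1
  user=$2
  ok=0
  check_ssh_path "$home/.ssh" "$user" || ok=1
  check_ssh_path "$home/.ssh/authorized_keys" "$user" || ok=1
  return $ok
}
```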
Solution 3
There will be clues in /var/log/auth.log for why SSH (or PAM) is rejecting the login attempt. Additional clues may be found by using the -v option with the ssh client. Several common situations, some mentioned in the other answers:
- the user account lacks a password, or is otherwise disabled (see man passwd, try resetting the password or checking the contents of /etc/shadow).
- /etc/ssh/sshd_config is configured to disallow the login (DenyUsers, AllowUsers, PasswordAuthentication, PubkeyAuthentication, UsePAM etc, see man sshd_config).
- the user's shell is not listed in /etc/shells.
- various permission problems on directories or files related to SSH operation: /etc/ssh, /home/jim/.ssh, /home/jim/.ssh/*, etc.
I'd also recommend using adduser (instead of useradd) for adding new users; it is a little more friendly about various default account settings.
As long as the user is not part of the admin group, they will not be able to sudo to root. For them to use su, you will need to set a root password (passwd root), after which I recommend setting PermitRootLogin=no in /etc/ssh/sshd_config.
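As an added example (my code, not from the answer above), a classifier for the sshd messages in /var/log/auth.log that correspond to the causes just listed, plus a summary that counts them so a password-guessing burst is distinguishable from a misconfiguration. The match strings are the texts OpenSSH logs; the log lines are constructed samples and the function names are mine.

```shell
# Classify one sshd line from /var/log/auth.log into the causes listed above.
# The match strings are the texts OpenSSH logs for each case.
classify_auth_line() {
  case $1 in
    *"not allowed because not listed in AllowUsers"*)   echo allowusers ;;
    *"not allowed because listed in DenyUsers"*)        echo denyusers ;;
    *"not allowed because account is locked"*)          echo locked ;;
    *"not allowed because shell"*)                      echo badshell ;;
    *"Authentication refused: bad ownership or modes"*) echo badmodes ;;
    *"Failed password for"*)                            echo badpassword ;;
    *"pam_unix(sshd:auth): authentication failure"*)    echo pam ;;
    *)                                                  echo other ;;
  esac
}

# Count causes over a whole log on stdin, so a burst of "badpassword" (a
# brute-force attempt) stands out from a one-off misconfiguration.
# usage: summarize_auth_log < /var/log/auth.log
summarize_auth_log() {
  while IFS= read -r line; do
    classify_auth_line "$line"
  done | sort | uniq -c | sort -rn
}

# Constructed sample: one line per situation plus two failed passwords.
SAMPLE_LOG='Jan 10 10:00:01 vps sshd[1234]: User jim not allowed because not listed in AllowUsers
Jan 10 10:00:05 vps sshd[1240]: Authentication refused: bad ownership or modes for directory /home/jim/.ssh
Jan 10 10:00:09 vps sshd[1251]: User jim not allowed because account is locked
Jan 10 10:00:12 vps sshd[1260]: Failed password for jim from 1.2.3.4 port 50000 ssh2
Jan 10 10:00:13 vps sshd[1260]: Failed password for jim from 1.2.3.4 port 50000 ssh2'
```

Try `printf '%s\n' "$SAMPLE_LOG" | summarize_auth_log` to see the counts for the sample.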
Solution 4
I could be wrong but I always have to install the server daemon before I can connect (at least on desktop). ssh is installed by default but that is just the client.
This command installs the server:
sudo apt-get install openssh-server
You can change the port and stop root login by editing /etc/ssh/sshd_config.
This requires you to restart the service though.
sudo service ssh restart
Solution 5
Jim will not have SSH access until you have set a password. As root execute:
grep -i "jim" /etc/shadow | awk -F':' '{ print $2 }'
If this command returns a "!" character then login is disabled for this account. Executing passwd jim as root will prompt you for a new and confirmed password string, after which the grep command above should return a hashed string representing the password for jim.
Also be sure to verify that jim has a login shell, set by default, and a home directory that exists.
Please note lekensteyn's post for information on modifying SSH server settings.
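An added pre-flight check (my code, not the answer's) covering the three things the answer above says to verify: the shadow field, the login shell and the home directory. It takes file paths so it can be run against copies or constructed data, and it separates the "!" that useradd leaves from a passwd -l lock and from an empty field. Function name and sample data are mine.

```shell
# Pre-flight for a fresh account. Prints one finding per line and returns 0
# only when none of the three checks fails.
# usage: account_login_check jim /etc/passwd /etc/shadow /etc/shells
account_login_check() {
  user=$1; passwd_file=$2; shadow_file=$3; shells_file=$4
  rc=0
  entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
  if [ -z "$entry" ]; then
    echo "no passwd entry for $user"
    return 1
  fi
  home=$(printf '%s\n' "$entry" | cut -d: -f6)
  shell=$(printf '%s\n' "$entry" | cut -d: -f7)
  # Field 2 of shadow; also empty when the user has no shadow entry at all.
  pw=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow_file")
  case $pw in
    '')       echo "password: empty; sshd refuses it unless PermitEmptyPasswords yes"; rc=1 ;;
    '!'|'!!') echo "password: never set (useradd default); run 'passwd $user'."
              echo "          With UsePAM yes a key in authorized_keys still works"; rc=1 ;;
    '*')      echo "password: '*', no password will ever match"; rc=1 ;;
    '!'*)     echo "password: locked by 'passwd -l'; 'passwd -u $user' restores it"; rc=1 ;;
    *)        echo "password: set" ;;
  esac
  if [ ! -x "$shell" ]; then
    echo "shell: $shell missing or not executable"; rc=1
  fi
  if ! grep -qxF "$shell" "$shells_file"; then
    echo "shell: $shell not listed in $shells_file"; rc=1
  fi
  if [ ! -d "$home" ]; then
    echo "home: $home does not exist (useradd -m creates it)"; rc=1
  fi
  return $rc
}
```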
Oli
Updated on September 17, 2022

Comments
-
Oli almost 2 years
Just created a new virtual Ubuntu server and I'm in the process of hardening it for production use. I currently have a root account. I want to do the following:
- Create a new user (let's call them jim for the rest of this). I want them to have a /home/ directory.
- Give jim SSH access.
- Allow jim to su to root but not perform sudo operations.
- Turn off root SSH access.
- Move SSHd off to a non-standard port to help stop brute-force attacks.
My problem lies with the first two items. I've already found useradd but for some reason, I can't log in as a user created with it over SSH. Do I need to beat SSHd to allow this?
-
Admin over 13 years
Hi! I can help you in servers, I don't know what is your problem with SSH, because for me with default config never refuses my connection. You may see man 5 nologin, this writes, that if /etc/nologin exists, you can log in with root only. Try login normally, then write the results.
-
Admin over 13 years
What's the user's shell? Is it /bin/bash? Check that out in /etc/password. Make sure it's not /dev/null or /bin/false.
-
Admin over 13 years
Yes LFC_fan, or /etc/nologin too. Use (sudo) cat /etc/passwd | grep jim
-
Admin over 13 years
@B. Roland I do have a /etc/nologin file but it's empty. I deleted it and restarted ssh but it's still just responding "Permission denied, please try again." when I try and log in.
-
Admin over 13 years
@LFC_fan it's /bin/bash
-
Admin over 13 years
Here's the passwd line:
jimx:1000:1000::/home/jim:/bin/bash
-
Admin over 13 years
Did you make a typo? There should really be a : between jim and x. Why would you allow su to root, but disallow sudo?
-
Admin over 13 years
Lekensteyn: yeah it's a typo. User isn't really called jim so I've been editing it.. Obviously got carried away there.
-
Admin over 13 years
Can you clarify your third point? Why would you allow root with su, but disallow sudo?
-
Oli over 13 years
This is a virtual server (VPS) so SSH is installed by default. It's my only interface to the server. And you can reload configuration via sudo /etc/init.d/ssh reload instead, but good information nonetheless.
-
vishal.biyani almost 11 years
Thanks a lot for the great answer; especially "adduser" helped a lot!
-
JRG-Developer over 10 years
+1: Note: these instructions are still applicable to newer versions of Ubuntu (e.g. 13.04). If you do want root login, however, (perhaps you're still setting up the server), you must set PermitRootLogin to yes and also add root to AllowUsers.
-
Gerve about 10 years
My problem was chown, I created ~/.ssh as root and never gave the user ownership.
-
Alex W about 9 years
My problem was that I was trying to use /root/.ssh/authorized_keys instead of /home/bob/.ssh/authorized_keys.
-
superjos about 9 years
I can confirm: on our VPS hosting there was no need to edit ssh_config. Setting up that directory and file was enough.
-
Wolfpack'08 over 8 years
what's the password for this user?
-
Lekensteyn over 8 years
@Wolfpack'08 The PermitRootLogin no option works exactly as advertised and applies to all logins on any port.
-
Wolfpack'08 over 8 years
@Lekensteyn I've found just adding a new user to Ubuntu itself creates an ssh account for that user.... useradd -m -G sudo,adm -s /bin/bash mecharok and passwd mecharok
-
Lekensteyn over 8 years
@Wolfpack'08 Use AllowUsers username1,username2 to restrict SSH logins to those users. Ensure that sshd is reloaded. If this does not help, please create a new question.
-
Jim W says reinstate Monica over 7 years
For me it had to be chmod 755 /home/username/.ssh otherwise it wouldn't work.
-
bfontaine about 7 years
"If this command returns a "!" character then login is disabled for this account" Note this doesn't mean you can't SSH; only that you can't do it with a password (vs. with your public key).
-
B. Shea over 6 years
If SSH area not created when adding user -> sudo su --login jim and then execute ssh-keygen (creates ".ssh" directory & id_rsa and id_rsa.pub for new user Jim - with proper permissions). OP may also want to restrict private key usage with a password here as well. Or, conversely, if you use 'puttygen' to create the private key, you can create it with a password. (Then copy the bit it tells you to authorized_keys).
-
B. Shea over 6 years
Much easier to login as user (or sudo su --login {user}) and run ssh-keygen -> The ".ssh" folder, key+cert and permissions are completed. Just create authorized_keys as per your instructions.
-
Admin over 6 years
you should improve your answer by referencing a source that better explains your example or by adding relevant information basing your example on OP's original question. for example, the user specified jim as a dummy user to help provide context. the article here explains it well.
-
Ravi Soni about 6 years
Can I restrict user to particular dir access ?
-
Ladenkov Vladislav over 5 years
actually, you don't need to do the /etc/ssh/sshd_config modification
-
İsmail Atkurt over 5 years
I understand your pain :D I had the same issue once. Solution: AllowUsers existingUser@* newUser@*
-
kolaworld about 4 years
@Lekensteyn your command: AllowUsers username1,username2 has the wrong format and will lock you out of your server!! The correct command to set is: AllowUsers username1 username2
-
Mark B over 2 years
D'oh! Watch out for: "...and is owned by the user (not root!)"
-
Admin about 2 years
For newbies like me, looks like sshd allows all users by default, so only do this if you want to restrict to a subset of users? From the man page: "By default, login is allowed for all users" (man.openbsd.org/sshd_config#AllowUsers)