By default, every OCI Linux instance is created with the opc user, which has passwordless sudo (root) privileges and is meant for administrators only. To give developers access to a Linux instance, create a separate user for each of them instead of sharing opc. The process below shows how to create such users and how they log in.
High-level plan to create a new user:
1. Generate SSH key pairs for the users offline.
2. Add the new users.
3. Append a public key to the ~/.ssh/authorized_keys file for each new user.
The new users can then SSH to the instance using the appropriate private keys.
Detailed steps:
To create an additional SSH-enabled user:
1. Generate an SSH key pair for the new user.
2. Copy the public key value to a text file for use later in this procedure.
3. Log in to the instance as opc.
4. Become the root user:
sudo su
5. Create the new user:
useradd <new_user>
6. Create a .ssh directory in the new user’s home directory:
mkdir /home/<new_user>/.ssh
7. Copy the SSH public key that you saved to a text file into the /home/<new_user>/.ssh/authorized_keys file. Keep the key on a single line and quote it so the shell does not split it:
echo "<public_key>" > /home/<new_user>/.ssh/authorized_keys
8. Change the owner and group of the /home/<new_user>/.ssh directory (and the file inside it) to the new user. <group> is the user's primary group; useradd creates one with the same name as the user, so on Oracle Linux this is normally <new_user>:<new_user>:
chown -R <new_user>:<group> /home/<new_user>/.ssh
9. To enable sudo privileges for the new user, run the visudo command and edit the /etc/sudoers file as follows (visudo checks the syntax before saving, so a typo cannot lock everyone out of sudo):
a. In /etc/sudoers, look for the existing group entry of the form:
%<group> ALL=(ALL) NOPASSWD: ALL
The leading % means the entry applies to a group rather than to a single user.
b. Add the following line for the new user's primary group immediately after it:
%<group> ALL=(ALL) NOPASSWD: ALL
Note that NOPASSWD: ALL is unrestricted, passwordless root. If a developer only needs to log in and work under their own account, skip this step; if they need a few privileged commands, list those commands instead of ALL.
The new user can now sign in to the instance.
I created a new user following all the above steps as is, and when I tried to log in as the new user I got the error messages below:
"Server refused our key"
"No supported authentication methods available (server sent: publickey,gssapi-keyex,gssapi-with-mic)"
After a couple of hours of research, I found two issues.
Issue-1:
The /home/<new_user>/.ssh folder did not have 700 permissions; it had 755. I changed the .ssh folder permissions to 700.
Issue-2:
The /home/<new_user>/.ssh/authorized_keys file is supposed to have 600 permissions, but it was 755. I changed it back to 600.
Now the new user is able to log in to the Linux server.
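Putting the procedure and the two permission fixes together, here is a script added to this post; it is not Oracle's code and not part of the documented steps above. It assumes bash on the Oracle Linux instance, the new user name as the first argument, the path to the public key file as the second, and an optional third argument "yes" to grant passwordless sudo through a drop-in file in /etc/sudoers.d instead of editing /etc/sudoers by hand. The helper names install_authorized_key, check_ssh_perms and create_ssh_user are chosen here. The permission check reproduces the failure described above: sshd's StrictModes refuses a key when .ssh or authorized_keys is group- or world-writable, so the check insists on the 700/600 modes the post ended up with.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or Oracle's docs): create an SSH-only
# user on an OCI Oracle Linux instance with permissions sshd actually accepts.
# Usage (as root):  ./add_ssh_user.sh <new_user> <pubkey_file> [yes]
set -eu

# Install one public key for the account whose home directory is $1, using the
# modes from the post's fix: .ssh 700, authorized_keys 600. sshd's StrictModes
# refuses keys when either path is group- or world-writable.
install_authorized_key() {
    local home=$1 pubkey=$2 owner=${3:-}
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    # Append rather than overwrite, so a second key for the same user is kept.
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # useradd created a group with the same name as the user; hand both to it.
    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$home/.ssh"
    fi
}

# Report the two mistakes the post ran into. Prints each problem, returns 1 if any.
check_ssh_perms() {
    local home=$1 rc=0 mode
    mode=$(stat -c %a "$home/.ssh")
    if [ "$mode" != 700 ]; then echo "$home/.ssh is $mode, want 700"; rc=1; fi
    mode=$(stat -c %a "$home/.ssh/authorized_keys")
    if [ "$mode" != 600 ]; then echo "$home/.ssh/authorized_keys is $mode, want 600"; rc=1; fi
    return "$rc"
}

# Steps 5 to 9 of the procedure; needs root.
create_ssh_user() {
    local user=$1 pubkey=$2 grant_sudo=${3:-no}
    useradd -m -s /bin/bash "$user"            # -m creates /home/$user
    install_authorized_key "/home/$user" "$pubkey" "$user"
    check_ssh_perms "/home/$user"
    if [ "$grant_sudo" = yes ]; then
        # A drop-in file is safer than hand-editing /etc/sudoers, and visudo -c
        # validates it before sudo ever reads it. NOPASSWD: ALL is full root.
        printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user" > "/etc/sudoers.d/90-$user"
        chmod 440 "/etc/sudoers.d/90-$user"
        visudo -c -f "/etc/sudoers.d/90-$user"
    fi
}

# Only act when called with arguments, so the functions can be sourced or tested.
if [ $# -ge 2 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; exit 1; }
    create_ssh_user "$1" "$(cat "$2")" "${3:-no}"
fi
```

Run it once per developer with their own public key; the key pair is still generated offline on the developer's machine, and only the .pub file is copied to the instance. check_ssh_perms can also be run on its own against an existing account to diagnose the "Server refused our key" error before looking anywhere else.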