How to create a new user in CentOS and enable key login

A fresh CentOS install has a single login account, root. Because root has unrestricted privileges, sharing it is bad for accountability and for multi-person collaboration. For permission management and security we will create a regular user, grant it sudo, enable SSH key login for it, and then disable password login and remote root login.

Tested on CentOS Linux release 7.6.1810 (Core).

Create a new user

In CentOS there is no difference between adduser and useradd:

[root@centos_7_6_1810 ~]# ll /usr/sbin/ | grep user
lrwxrwxrwx 1 root root 7 Jun 24 10:14 adduser -> useradd
-rwxr-xr-x. 1 root root 33104 Aug 3 2017 fuser
-rwxr-xr-x. 1 root root 15832 Apr 13 2018 lnewusers
-rwxr-xr-x. 1 root root 15752 Apr 13 2018 luseradd
-rwxr-xr-x. 1 root root 11576 Apr 13 2018 luserdel
-rwxr-xr-x. 1 root root 19896 Apr 13 2018 lusermod
-rwxr-xr-x 1 root root 76232 Mar 14 2019 newusers
-rwxr-xr-x 1 root root 33072 Mar 14 2019 runuser
-rwxr-xr-x. 1 root root 19720 Apr 11 2018 sasldblistusers2
-rwxr-x--- 1 root root 118224 Mar 14 2019 useradd
-rwxr-x--- 1 root root 80400 Mar 14 2019 userdel
-rwxr-x--- 1 root root 113856 Mar 14 2019 usermod
-rwsr-xr-x. 1 root root 11376 Oct 31 2018 usernetctl

The listing shows that adduser is just a soft (symbolic) link to useradd.

For now, you can think of a soft link as roughly the equivalent of a shortcut in Windows.

Use the useradd command to create a new user:

[root@centos_7_6_1810 ~]# useradd luizyao
[root@centos_7_6_1810 ~]# ls /home/
luizyao

On some distributions (Debian and Ubuntu, for example) useradd does not create a home directory under /home/ unless you pass -m (--create-home). CentOS sets CREATE_HOME yes in /etc/login.defs, so the directory is created automatically.

To log in to the system with this user name, we must first set a password for it:

[root@centos_7_6_1810 ~]# passwd luizyao
Changing password for user luizyao.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Then, we can log in to the system with this user:

[luizyao@centos_7_6_1810 ~]$ whoami
luizyao

Grant sudo to the new user

By default a new user has full control only over its own home directory (/home/luizyao/); anything else requires privileges granted by someone else, most often those of root. This is what sudo is for: it lets trusted users run commands as another user, root unless specified otherwise.

The new user is not yet in that trusted list, so it cannot run commands as root:

Note: run this while logged in as the new user.

[luizyao@centos_7_6_1810 /]$ sudo whoami
[sudo] password for luizyao:
luizyao is not in the sudoers file. This incident will be reported.

In CentOS, we have two ways to add new users to the Sudoers list:

Note: run the following as root.

Method 1: Add the new user to the wheel user group

On Red Hat family distributions such as CentOS and Fedora, the default /etc/sudoers already grants sudo to the wheel group, so adding the new user to wheel is enough:

[root@centos_7_6_1810 ~]# groups luizyao
luizyao : luizyao
[root@centos_7_6_1810 ~]# usermod -aG wheel luizyao
[root@centos_7_6_1810 ~]# groups luizyao
luizyao : luizyao wheel

usermod -aG appends (-a) the user to the supplementary group (-G) wheel; without -a, -G would replace the user's existing supplementary groups. The groups command shows the groups a user belongs to.

At this point, the new user can execute commands with root privileges:

[luizyao@centos_7_6_1810 root]$ sudo whoami
[sudo] password for luizyao:
root

Note:

With this method sudo asks for the new user's own password, because that is how the wheel rule is written in the default /etc/sudoers:

# /etc/sudoers

## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

To remove the user from the group again, use gpasswd -d:

[root@centos_7_6_1810 ~]# gpasswd -d luizyao wheel
Removing user luizyao from group wheel
[root@centos_7_6_1810 ~]# groups luizyao
luizyao : luizyao

Method 2: Add a new user to the sudoers list

The /etc/sudoers file configures sudo permissions for users and groups and is the more flexible approach. There are two places to put the rule for the new user:

1. Directly in /etc/sudoers. Always edit it through visudo rather than a plain editor: visudo locks the file, checks the syntax before saving, and copes with the file's read-only mode (0440) itself, so do not chmod the file writable and back by hand. A syntax error in /etc/sudoers can lock everyone out of sudo.

2. In a dedicated file for the new user under /etc/sudoers.d (recommended); the default /etc/sudoers includes that directory with #includedir /etc/sudoers.d:

[root@centos_7_6_1810 ~]# echo "luizyao ALL=(ALL) NOPASSWD:ALL" | tee /etc/sudoers.d/luizyao
luizyao ALL=(ALL) NOPASSWD:ALL
[root@centos_7_6_1810 ~]# ll /etc/sudoers.d/luizyao
-rw-r--r-- 1 root root 32 Sep 17 17:51 /etc/sudoers.d/luizyao

This rule means that luizyao may run any command (the third ALL) on any host (the first ALL) as any user (the second ALL; root when sudo is run without -u) without entering a password:

[luizyao@centos_7_6_1810 root]$ sudo whoami
root

Note: the file name can be anything that does not contain a "." and does not end in "~" (sudo silently skips such files in an #includedir); by convention it is the user name. sudo expects the fragment to be owned by root with mode 0440, whereas tee created it as 0644 above, so set the mode explicitly with chmod 0440. NOPASSWD also means that anyone who obtains this user's SSH key or an open session gets root with no further check, so prefer the password-requiring form (luizyao ALL=(ALL) ALL) unless unattended automation needs it.
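The following is an added example (not the article's own commands) of writing the fragment the way sudo expects it: it builds the rule, rejects file names that sudo would silently skip, creates the file with mode 0440, and, when visudo is installed, refuses to leave a syntactically invalid fragment behind. The target directory is a parameter so the functions can be tried against a scratch directory first; on the real server run them as root with /etc/sudoers.d. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: create a sudoers.d fragment
# with the ownership/mode sudo expects instead of relying on tee's 0644.

# sudoers_rule USER [nopasswd]
# Prints the rule line. Without the second argument the user must enter
# their own password; "nopasswd" grants root without any authentication.
sudoers_rule() {
    if [ "$2" = "nopasswd" ]; then
        printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
    else
        printf '%s ALL=(ALL) ALL\n' "$1"
    fi
}

# sudoers_fragment_ok NAME
# sudoers(5): files under an #includedir whose name contains a "." or ends
# in "~" are skipped, so a fragment called "luizyao.conf" would never load.
sudoers_fragment_ok() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *) return 0 ;;
    esac
}

# fragment_mode FILE: symbolic mode string, e.g. "-r--r-----" for 0440
fragment_mode() { ls -ld "$1" | cut -c1-10; }

# write_sudoers_fragment DIR USER [nopasswd]
# Writes DIR/USER with mode 0440. The temporary name contains a "." so sudo
# ignores it while it is being written; visudo -cf checks the syntax when
# visudo is available (it is not required for the function to work).
write_sudoers_fragment() {
    dir=$1; user=$2; mode=$3
    sudoers_fragment_ok "$user" || { echo "bad fragment name: $user" >&2; return 1; }
    tmp="$dir/.$user.tmp"
    ( umask 337; sudoers_rule "$user" "$mode" > "$tmp" ) || return 1   # created as 0440
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; echo "visudo rejected fragment for $user" >&2; return 1
    fi
    chmod 0440 "$tmp" && mv "$tmp" "$dir/$user"
}

# On the real server, as root:
#   write_sudoers_fragment /etc/sudoers.d luizyao            # password required
#   write_sudoers_fragment /etc/sudoers.d luizyao nopasswd   # passwordless
```

The password-requiring form is the default here on purpose; pass nopasswd only when you have decided the trade-off described above is acceptable.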

Enable SSH key login for the new user

Run the following as the new user.

Create a key pair. The article uses ECDSA; ed25519 (ssh-keygen -t ed25519) is also supported by the OpenSSH shipped with CentOS 7 and is the usual choice today. Give the private key a passphrase, since that is the only protection left if the key file is ever copied:

[luizyao@centos_7_6_1810 ~]$ ssh-keygen -t ecdsa        # Elliptic Curve Digital Signature Algorithm
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/luizyao/.ssh/id_ecdsa):    # where the key pair is stored
Created directory '/home/luizyao/.ssh'.
Enter passphrase (empty for no passphrase):    # passphrase protecting the private key
Enter same passphrase again:                   # confirm the passphrase
Your identification has been saved in /home/luizyao/.ssh/id_ecdsa.
Your public key has been saved in /home/luizyao/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:FljQN9JFxB/C83Mv7N3rFNLCxXICRxaKzKDb+Tzsgwo luizyao@centos_7_6_1810
The key's randomart image is:
+---[ECDSA 256]---+
| .+.. B==. |
| .o* = X o |
| .. .* o B = |
| o .. . X .|
| . oS = =.|
| .+ = o|
| E .= . +.|
| . .... oo|
| .. .. .o.|
+----[SHA256]-----+

Download the private key to your local computer:

Tested from macOS.

Use scp to download the private key:

yaomengdeMacBook-Air:~ yaomeng$ scp luizyao@<ip address>:/home/luizyao/.ssh/id_ecdsa ~/.ssh/

Generating the key pair on the server and copying the private key off it is the reverse of the usual practice: normally the pair is generated on the client and only the public key is sent to the server (for example with ssh-copy-id luizyao@<ip address>), so the private key never crosses the network or sits on the server's disk. If you follow the article's order, delete the server-side copy of id_ecdsa once key login has been confirmed to work.

At this point the key is not yet authorized on the server, so the client offers it, the server rejects it, and ssh falls back to the account password:

yaomengdeMacBook-Air:~ yaomeng$ ssh luizyao@<ip address>
Enter passphrase for key "/Users/yaomeng/.ssh/id_ecdsa":    # private key passphrase; the key is not accepted yet
luizyao@<ip address>'s password:                              # luizyao's account password
Last login: Tue Sep 17 22:50:22 2019

SSH password-free login

Rename the public key to authorized_keys:

[luizyao@centos_7_6_1810 ~]$ mv ~/.ssh/id_ecdsa.pub ~/.ssh/authorized_keys
[luizyao@centos_7_6_1810 ~]$ ll ~/.ssh/
total 8
-rw-r--r-- 1 luizyao luizyao 185 Sep 17 22:58 authorized_keys
-rw------- 1 luizyao luizyao 314 Sep 17 22:58 id_ecdsa

Note:

The author had no authorized_keys file yet, so renaming was enough; if the file already exists, append the public key to it instead:

cat ~/.ssh/id_ecdsa.pub >> ~/.ssh/authorized_keys

If authorized_keys, the ~/.ssh/ directory, or the user's home directory (/home/luizyao/) is writable by other users, sshd treats the file as unsafe and ignores it unless StrictModes is set to no. The listing above shows modes sshd accepts: ~/.ssh should be 0700, authorized_keys must not be group- or world-writable (0600 is the usual choice; the 0644 inherited from the .pub file is also accepted), and all of them must be owned by the user.

The sshd(8) manual page (man sshd) describes this:

~/.ssh/authorized_keys
   Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user. The format of this file is described above. The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.

   If this file, the ~/.ssh directory, or the user's home directory are writable by other users, then the file could be modified or replaced by unauthorized users. In this case, sshd will not allow it to be used unless the StrictModes option has been set to "no".
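As an added example (not from the article), the shell functions below install a public key into authorized_keys with the modes sshd expects, skip the key if it is already present, and reproduce the permission half of the StrictModes check from the manual page: any group or world write bit on the home directory, ~/.ssh or authorized_keys makes sshd ignore the file (sshd additionally requires those paths to be owned by the user or root, which is not checked here). The home directory is a parameter so the functions can be tried on a scratch directory; SAMPLE_KEY is a constructed all-zero dummy, not a real key, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: install a key into
# authorized_keys and audit the permissions that StrictModes enforces.

# Constructed dummy ed25519 public key (all-zero key bytes); not a real key.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA constructed-dummy"

# install_authorized_key HOME_DIR PUBKEY_LINE
# Creates ~/.ssh (0700) and authorized_keys (0600) if needed and appends the
# key unless an identical line is already present.
install_authorized_key() {
    home=$1; key=$2
    case "$key" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) echo "unsupported key type: ${key%% *}" >&2; return 1 ;;
    esac
    ( umask 077; mkdir -p "$home/.ssh" && touch "$home/.ssh/authorized_keys" ) || return 1
    chmod 0700 "$home/.ssh" && chmod 0600 "$home/.ssh/authorized_keys" || return 1
    if ! grep -qxF "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# writable_by_others PATH: true if the group or other write bit is set
# (positions 6 and 9 of the ls -l mode string).
writable_by_others() {
    m=$(ls -ld "$1" | cut -c1-10)
    case "$m" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# strictmodes_check HOME_DIR
# Prints "ok" if sshd would accept authorized_keys under StrictModes, else
# names the offending path and fails.
strictmodes_check() {
    home=$1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if writable_by_others "$p"; then
            echo "$p is writable by group/other; sshd ignores authorized_keys under StrictModes"
            return 1
        fi
    done
    echo ok
}

# authorized_key_count HOME_DIR: number of non-empty lines in authorized_keys
authorized_key_count() { grep -c . "$1/.ssh/authorized_keys"; }

# On the server, as the user:
#   install_authorized_key "$HOME" "$(cat ~/.ssh/id_ecdsa.pub)" && strictmodes_check "$HOME"
```

When a key is refused and the sshd log in /var/log/secure says "Authentication refused: bad ownership or modes", running strictmodes_check against the user's home directory points at the path to fix.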

Now the key is accepted; only the private key's passphrase is requested, not the account password:

yaomengdeMacBook-Air:~ yaomeng$ ssh luizyao@<ip address>
Enter passphrase for key "/Users/yaomeng/.ssh/id_ecdsa":    # private key passphrase
Last login: Wed Sep 18 00:00:41 2019 from 49.65.108.161

Disable SSH password login

Password login is still possible, which leaves the account exposed to password guessing. We now restrict SSH to key authentication.

On CentOS, set PasswordAuthentication to no in /etc/ssh/sshd_config. Also confirm that ChallengeResponseAuthentication is no (the CentOS 7 default): if it is yes, PAM keyboard-interactive authentication can still accept the account password even with PasswordAuthentication off.

Before restarting, check the file with sudo sshd -t (it prints nothing when the configuration is valid), and keep the current session open until you have confirmed from a second terminal that key login still works; a mistake here locks you out.

Restart the SSH service:

[luizyao@centos_7_6_1810 ~]$ sudo systemctl restart sshd

SSH password login is now disabled and only key login is allowed.

Other hardening

To harden the system further, we can also do the following:

Disable root login over SSH

Set PermitRootLogin to no in /etc/ssh/sshd_config and restart the SSH service. Do this only after the new user's key login and sudo access have been verified, otherwise there is no administrative way back in.

Use a non-standard SSH port

The default SSH port is 22. To move it to an uncommon port, change the Port value in /etc/ssh/sshd_config (for example to 10178) and restart the SSH service. This only hides the server from the most casual scans; it is not a substitute for key-only login. On CentOS 7 with SELinux enforcing, sshd may only bind ports labelled ssh_port_t, so label the new port first (semanage port -a -t ssh_port_t -p tcp 10178; semanage is in the policycoreutils-python package), and open the firewall as described next before restarting sshd, so that your existing session is not the only way in.
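The three sshd_config changes in this article (PasswordAuthentication above, PermitRootLogin and Port here) are the same kind of edit: replace a directive that is usually present only as a commented-out default. The following is an added example, not part of the article, that does this idempotently with awk, leaves Match blocks untouched (a global directive placed after a Match line would belong to that block, so the function inserts before the first Match instead), and reads back the effective value. The constructed sample configuration stands in for /etc/ssh/sshd_config, and the function names are assumptions. Run set_sshd_option against the real file as root, then sudo sshd -t before restarting.

```shell
#!/bin/sh
# Added example, not from the original article: idempotent sshd_config edits.

# set_sshd_option FILE KEY VALUE
# Replaces every global "KEY ..." line, active or commented out (CentOS 7
# ships "#PasswordAuthentication yes" style defaults), keeping one copy.
# If the directive is absent it is appended, but before any Match block,
# because everything after a Match line belongs to that block.
set_sshd_option() {
    file=$1; key=$2; value=$3
    awk -v k="$key" -v v="$value" '
        {
            active = ($0 !~ /^[ \t]*#/)
            line = $0; sub(/^[ \t]*#?[ \t]*/, "", line)     # drop leading "#" and blanks
            n = split(line, f, /[ \t]+/)
            name = (n > 0) ? tolower(f[1]) : ""           # keywords are case-insensitive
            if (active && name == "match" && !inmatch) {
                if (!done) { print k " " v; done = 1 }   # global part ends here
                inmatch = 1
            }
            if (inmatch) { print; next }                  # never rewrite Match blocks
            if (name == tolower(k)) {
                if (!done) { print k " " v; done = 1 }   # first hit is replaced,
                next                                      # later duplicates dropped
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" || return 1
    # Write back through the original inode to keep its mode and SELinux label.
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# sshd_option FILE KEY
# Prints the effective global value (first active line before any Match),
# or nothing when the directive is absent and sshd's built-in default applies.
sshd_option() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE [PORT]: the article's changes in one call.
harden_sshd_config() {
    conf=$1
    set_sshd_option "$conf" PasswordAuthentication no
    set_sshd_option "$conf" ChallengeResponseAuthentication no   # PAM fallback guard
    set_sshd_option "$conf" PermitRootLogin no
    set_sshd_option "$conf" Port "${2:-22}"
}

# sample_sshd_config FILE: constructed stand-in for /etc/ssh/sshd_config
# containing only the CentOS 7 default lines that matter here.
sample_sshd_config() {
    cat > "$1" <<'EOF'
# Constructed sample, not a real server's file
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# On the server, as root:
#   harden_sshd_config /etc/ssh/sshd_config 10178 && sshd -t && systemctl restart sshd
```

sshd_option is also a quick way to confirm what the running configuration will be before the restart, which is cheaper than discovering a typo from a locked-out session.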

We also need to update the firewall rule for sshd. CentOS 7 uses firewalld by default; configure it as follows:

Copy the default configuration file of firewalld about ssh to the system configuration folder:

[luizyao@centos_7_6_1810 ~]$ sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/

Change the port in the copied file:

<!-- /etc/firewalld/services/ssh.xml -->

<?xml version="1.0" encoding="utf-8"?>
<service>
 <short>SSH</short>
 <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
 <port protocol="tcp" port="10178"/>
</service>

Reload the firewalld configuration (a service file in /etc/firewalld/services takes precedence over the packaged copy in /usr/lib/firewalld/services). Alternatively, leave ssh.xml alone and open the port directly with firewall-cmd --permanent --add-port=10178/tcp followed by firewall-cmd --reload:

[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --reload
success

Disable ping

Blocking ICMP echo hides the host from casual ping sweeps but not from port scans, and the echo-reply block below also discards the replies to the server's own outgoing pings, so treat this as cosmetic rather than as a security control. Add the rules to the firewall and reload the configuration:

[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --permanent --add-icmp-block=echo-reply
[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --permanent --add-icmp-block=echo-request
[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --reload

Summary

That covers creating a new user in CentOS, granting it sudo, enabling SSH key login, and then disabling password and root login over SSH.
