AWS : Adding a SSH User Account on Linux Instance
Each Linux AMI launches with a default system user account. For Amazon Linux the user name is ec2-user; for RHEL5 it is either root or ec2-user; for Ubuntu it is ubuntu; for Fedora it is either fedora or ec2-user; and for SUSE Linux it is root.
The default account may be enough for a single-purpose instance, but sharing it means every operator holds the same key and appears in the logs as the same identity. Adding one account per person gives each of them their own key, files and workspace, and gives us a per-user audit trail.
To add a new user to the system, use the adduser command followed by any relevant options and the name of the user we want to create.
ubuntu@ip-172-31-30-88:~$ sudo adduser newuser --disabled-password
Adding user `newuser' ...
Adding new group `newuser' (1010) ...
Adding new user `newuser' (1010) with group `newuser' ...
Creating home directory `/home/newuser' ...
Copying files from `/etc/skel' ...
Changing the user information for newuser
Enter the new value, or press ENTER for the default
	Full Name []: newuser
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n] Y
This command adds the newuser account to the system (with an entry in the /etc/passwd file), creates a newuser group, and creates a home directory for the account in /home/newuser.
Note that we added the --disabled-password option: no password is set, so the account cannot be used for password-based logins (on the console or over SSH), but it can still log in with an SSH key, which is what we set up next.
To provide remote access to this account, we must create a .ssh directory in the newuser home directory and, within it, a file named authorized_keys that contains the user's public key.
Switch to the new account so that newly created files have the proper ownership:
ubuntu@ip-172-31-30-88:~$ sudo su - newuser
newuser@ip-172-31-30-88:~$ pwd
/home/newuser
Note that the prompt now says newuser instead of ubuntu since we have switched the shell session to the new account.
Create a .ssh directory for the authorized_keys file:
newuser@ip-172-31-30-88:~$ ls -la
total 20
drwxr-xr-x  2 newuser newuser 4096 Jun  2 15:29 .
drwxr-xr-x 13 root    root    4096 Jun  2 15:29 ..
-rw-r--r--  1 newuser newuser  220 Jun  2 15:29 .bash_logout
-rw-r--r--  1 newuser newuser 3521 Jun  2 15:29 .bashrc
-rw-r--r--  1 newuser newuser  675 Jun  2 15:29 .profile
newuser@ip-172-31-30-88:~$ mkdir .ssh
newuser@ip-172-31-30-88:~$ ls -la
total 24
drwxr-xr-x  3 newuser newuser 4096 Jun  2 15:57 .
drwxr-xr-x 13 root    root    4096 Jun  2 15:29 ..
-rw-r--r--  1 newuser newuser  220 Jun  2 15:29 .bash_logout
-rw-r--r--  1 newuser newuser 3521 Jun  2 15:29 .bashrc
-rw-r--r--  1 newuser newuser  675 Jun  2 15:29 .profile
drwxrwxr-x  2 newuser newuser 4096 Jun  2 15:57 .ssh
Change the permissions of the .ssh directory to 700 (only the owner can read, write, or traverse it). This step matters: mkdir created the directory as 775 because of the default umask, i.e. group-writable, and with its default StrictModes yes, sshd refuses to use an authorized_keys file whose directory (or whose home directory) is writable by group or others. Without this step the key-based login would simply fail:
newuser@ip-172-31-30-88:~$ chmod 700 .ssh
newuser@ip-172-31-30-88:~$ ls -la
total 24
drwxr-xr-x  3 newuser newuser 4096 Jun  2 15:57 .
drwxr-xr-x 13 root    root    4096 Jun  2 15:29 ..
-rw-r--r--  1 newuser newuser  220 Jun  2 15:29 .bash_logout
-rw-r--r--  1 newuser newuser 3521 Jun  2 15:29 .bashrc
-rw-r--r--  1 newuser newuser  675 Jun  2 15:29 .profile
drwx------  2 newuser newuser 4096 Jun  2 15:57 .ssh
Create a file named authorized_keys in the .ssh directory:
newuser@ip-172-31-30-88:~$ cd .ssh
newuser@ip-172-31-30-88:~/.ssh$ touch authorized_keys
newuser@ip-172-31-30-88:~/.ssh$ ls -la
total 8
drwx------ 2 newuser newuser 4096 Jun  2 16:08 .
drwxr-xr-x 3 newuser newuser 4096 Jun  2 15:57 ..
-rw-rw-r-- 1 newuser newuser    0 Jun  2 16:08 authorized_keys
Change the permissions of the authorized_keys file to 600 (only the owner can read or write it). The file was created as 664, again group-writable, which sshd rejects under StrictModes for the same reason as the directory; 600 is the conventional mode and keeps the list of trusted keys private to the account:
newuser@ip-172-31-30-88:~/.ssh$ chmod 600 authorized_keys
newuser@ip-172-31-30-88:~/.ssh$ ls -la
total 8
drwx------ 2 newuser newuser 4096 Jun  2 16:08 .
drwxr-xr-x 3 newuser newuser 4096 Jun  2 15:57 ..
-rw------- 1 newuser newuser    0 Jun  2 16:08 authorized_keys
We also need a key pair on the machine from which we will access the instance. The command below generates a 2048-bit RSA key; on a current OpenSSH, ssh-keygen -t ed25519 is the usual choice. Giving the key a passphrase encrypts the private key file on disk, so a stolen laptop does not immediately yield a working credential:
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/Admin/.ssh/id_rsa):
Created directory '/Users/Admin/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/Admin/.ssh/id_rsa.
Your public key has been saved in /Users/Admin/.ssh/id_rsa.pub.
The key fingerprint is:
67:08:90:99:64:8e:1b:c7:43:bf:d0:38:90:71:30:f2 Admin@Admins-MacBook-Pro-3.local
The key's randomart image is:
+--[ RSA 2048]----+
|. ==*+           |
| o.X+=           |
|  E O +          |
|   + + o .       |
|  . . S o        |
|       o         |
|                 |
|                 |
|                 |
+-----------------+
On the AWS instance, edit the authorized_keys file and paste in the public half of the key pair, the contents of id_rsa.pub (never the private id_rsa), as a single line:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJYId4eoHpmcJJVVnGaIO4lPYaOJjHJR3LV/PcIGp8kUlzo2LCCUxn85WQJjAWkd/UoHbrtMewunL0r4jAW25G5ogA0wv9W9fgWKKFU2NipSaRhbmocQLhY7dpEB+8QHf1SQZxV1q+zFk5lIwM8ENLsJ6J1wK4BQCybqw0GW4yAm6ndxoyOitw0mwm0daroBhpnLP6eK/h/H4GN28LF3XTNSVy0WP3udnrB0sykvMvbC0rG5Yyx4k3N6S5jPao4si2TzA78Ci4oRK7lJScXDjzFdL4Brbktl2SsEhKX8JPKSqtF7rH4eU4M42bmguEb2OopZ1amTSFxrF3+VtE1cSz Admin@Admins-MacBook-Pro-3.local
We should now be able to log into the newuser account on our instance via SSH using the private key that matches the public key. On the first connection ssh shows the instance's host key fingerprint; compare it with the fingerprints the instance printed to its system log at first boot (EC2 console, Get System Log) before answering yes, otherwise there is no way to tell the real instance from a man-in-the-middle:
Admins-MacBook-Pro-3:.ssh Admin$ ssh newuser@172.31.30.88
The authenticity of host '172.31.30.88 (172.31.30.88)' can't be established.
RSA key fingerprint is 74:e5:1e:c9:03:2e:22:5d:69:5f:ae:a2:86:e8:4b:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.31.30.88' (RSA) to the list of known hosts.
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.2.0-69-virtual x86_64)
...
New release '14.04.1 LTS' available.
...
newuser@ip-172-31-30-88:~$
Now we're logged into AWS instance!
In this case we used the private IP because the instance and the laptop are on the same network. Otherwise we have to SSH to the instance's public IP address, and the instance's security group must allow inbound TCP port 22 from our source address (ideally from that address only, not from 0.0.0.0/0).
How do we add a user to the "sudo" group?
First, we need to be a sudoer ourselves. So, exit from newuser, get back to ubuntu, and use the usermod command:
$ sudo usermod -aG sudo <username>
The following is from the man page for usermod:
-a, --append
    Add the user to the supplementary group(s). Use only with the -G option.
-G, --groups
    If the user is currently a member of a group which is not listed, the user will be removed from the group. This behaviour can be changed via the -a option, which appends the user to the current supplementary group list.
Note the -a. It is very important: -G on its own replaces the supplementary group list, so without -a the user would be removed from every group not named on the command line.
We skipped the password setting, but we need one now: on Ubuntu the sudo group rule (%sudo ALL=(ALL:ALL) ALL) prompts for the member's own password, and the ubuntu user only gets passwordless sudo through its separate cloud-init sudoers entry. Setting a password does not open password logins over SSH, because the Ubuntu AMI ships with PasswordAuthentication no in /etc/ssh/sshd_config, and that setting should stay as it is:
$ sudo passwd newuser
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
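The whole procedure above (adduser without a password, .ssh and authorized_keys with the modes sshd's StrictModes demands, sudo group with -a) as one idempotent script. This is an added example, not code from the original walkthrough; the user name, the /home/<user> layout and DEMO_PUBKEY are assumptions, and DEMO_PUBKEY is a constructed placeholder, not a real key. The check_ssh_perms function reproduces the test sshd applies, so it catches the 775/664 modes the umask produced earlier in the page:

```shell
#!/usr/bin/env bash
# Added example, not from the original walkthrough: the same procedure as one
# idempotent script. User name, home layout and DEMO_PUBKEY are assumptions;
# DEMO_PUBKEY is a constructed placeholder, not a real key.
set -euo pipefail

DEMO_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExample000 admin@laptop'

# Return 0 if the argument looks like a single OpenSSH public key line, 1 otherwise.
# Only the key type and the base64 body are checked; the trailing comment is free-form.
validate_pubkey() {
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$' <<< "$1"
}

# Install PUBKEY into HOME_DIR/.ssh/authorized_keys with the 700/600 modes the
# walkthrough sets by hand. Idempotent: an identical key line is not appended twice.
install_authorized_key() {
    local home_dir="$1" pubkey="$2" keyfile
    keyfile="$home_dir/.ssh/authorized_keys"
    validate_pubkey "$pubkey" || { echo "refusing to install malformed key" >&2; return 1; }
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"           # the umask would otherwise leave this 775
    touch "$keyfile"
    chmod 600 "$keyfile"                 # and this 664
    grep -qxF "$pubkey" "$keyfile" || printf '%s\n' "$pubkey" >> "$keyfile"
}

# Mirror the check sshd performs with StrictModes yes: the home directory, .ssh
# and authorized_keys must exist and must not be writable by group or others.
check_ssh_perms() {
    local home_dir="$1" p mode
    for p in "$home_dir" "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        mode=$(stat -c '%a' "$p")        # GNU stat (Linux)
        if [ $(( 8#$mode & 8#22 )) -ne 0 ]; then
            echo "bad mode $mode on $p: sshd would ignore authorized_keys" >&2
            return 1
        fi
    done
}

# Whole procedure; needs root. adduser --disabled-password creates a key-only
# account; usermod -aG appends to the supplementary groups instead of replacing them.
create_ssh_user() {
    local user="$1" pubkey="$2"
    id "$user" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$user"
    usermod -aG sudo "$user"
    install_authorized_key "/home/$user" "$pubkey"
    chown -R "$user:$user" "/home/$user/.ssh"
    check_ssh_perms "/home/$user"
}

# Usage (as root): ./add_ssh_user.sh --run newuser "$(cat id_ed25519.pub)"
if [ "${1:-}" = "--run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    create_ssh_user "$2" "$3"
fi
```

The helper functions take the home directory as a parameter, so the permission logic can be exercised in a scratch directory without root; only create_ssh_user touches the real system. Because the script sets the modes explicitly rather than relying on the umask, re-running it after someone has loosened .ssh by hand restores the state sshd requires.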
User accounts can also be managed with Puppet:
- Puppet Creating and managing user accounts with SSH access
- Puppet Locking user accounts & deploying sudoers file