DEV Community

Cover image for Creating users with SSH access only in Linux
Pablo Lagos
Pablo Lagos

Posted on

Creating users with SSH access only in Linux

If we’re managing a Linux server and looking to enhance its security, a great step we can take is to create user accounts that can only log in using SSH keys, rather than relying on passwords.

This approach helps us protect against brute-force attacks and unauthorized access attempts that target weak or compromised passwords.

In this guide, we'll walk through the steps to create a new user with a home directory, and configure our server to allow login for this user exclusively through SSH key-based authentication.

By doing so, we’ll establish a more secure and reliable access method for our server.

1. Create the User with a Home Directory

Run the following command to create the user general with a home directory:

sudo useradd -m -s /bin/bash <username>
Enter fullscreen mode Exit fullscreen mode

-m: Creates the home directory (/home/general).
-s /bin/bash: Sets /bin/bash as the default login shell for the user.

2. Configure SSH Key-Only Login

To disable password login and allow only SSH key-based access, follow these steps:

1. Lock the user's password to prevent password login:

sudo passwd -l <username>
Enter fullscreen mode Exit fullscreen mode

This command locks the account for password-based login.

2. Set up SSH keys for the user:

  • Switch to the new user:
 sudo su - <username>
Enter fullscreen mode Exit fullscreen mode
  • Create the .ssh directory in the user's home directory and set the correct permissions:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
Enter fullscreen mode Exit fullscreen mode
  • Create or copy the authorized_keys file with the allowed public SSH key and set the correct permissions:
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Enter fullscreen mode Exit fullscreen mode
  • Paste the public SSH key (e.g., id_rsa.pub) into the ~/.ssh/authorized_keys file.

  • Exit the general user:

exit
Enter fullscreen mode Exit fullscreen mode

3. Verify SSH Configuration

Edit the SSH configuration file to ensure that SSH key authentication is allowed:

sudo nano /etc/ssh/sshd_config
Enter fullscreen mode Exit fullscreen mode

Make sure you have the following settings:

PubkeyAuthentication yes
Enter fullscreen mode Exit fullscreen mode

If the setting is commented #PubkeyAuthentication yes, it will work correctly, as the default value for PubkeyAuthentication is yes

If the PubkeyAuthentication was changed, save the changes and restart the SSH service:

sudo systemctl restart sshd
Enter fullscreen mode Exit fullscreen mode

4. Test SSH Access

Now, try logging in with the new created user via SSH:

ssh <username>@server-ip -i path/to/private/key
Enter fullscreen mode Exit fullscreen mode

You should only be able to log in if you have the private key corresponding to the public key set up in ~/.ssh/authorized_keys.

This completes the setup for the user to authenticate exclusively via SSH key!

Top comments (0)