Adding Additional User Accounts to a VM

This document provides instructions and commands to add additional user accounts to existing cloud VMs. Steps are provided for each supported operating system.

Prerequisites

  1. sudo level access to the machines you wish to add the new users to.

  2. The username of each user you wish to add.

    1. For STFC users we recommend using their Fed ID (STFC Username) for consistency.

  3. The corresponding SSH Public Key for each user.

We do not recommend setting passwords for added users and as such the following instructions only provide steps to allow additional users to authenticate using SSH Key based authentication.

Rocky Linux

See Rocky 9 entry below.

For each user, do the following:

For scripting purposes, you can use the useradd command which is non-interactive:-

sudo useradd -m <username> -g wheel

Next, create a directory where the user’s ssh public key will reside (if this doesn’t make sense to you search for “generating ssh keys” - either on this portal or on the internet.)

To create the directory, use the command:-

sudo mkdir -m 0700 /home/$user/.ssh

..where $user is the username you added earlier.

Now add the ssh key to the “authorized_keys” file, in the /home/<user name>/.ssh folder:-

echo "$sshkey" | sudo tee /home/$user/.ssh/authorized_keys > /dev/null

..where $sshkey is the user’s public ssh key. You can use a command like:-

sshkey=`cat my_ssh_key.pub`

…and subsequent commands can use the variable $sshkey, so you can use the command “echo $sshkey” to see the contents of sshkey you defined. (you can do the same for “user” as well.)

You then need to set the ownership and permissions of the ssh keys and folder (this is important: the ssh server is very picky about this being correct):-

sudo chown -R $user:wheel /home/$user/.ssh
sudo chmod 0600 /home/$user/.ssh/authorized_keys

Note that by adding the user to the group “wheel”, the user can automatically use the “sudo” command. This means you don't have to add the user to the /etc/sudoers.d/cloud file (which you should always check for errors by running “visudo -c”, especially if you edit that file).

You should then be able to ssh into the VM using a command such as:-

ssh -i ./my_ssh_key.priv -l <username> <IP address of VM>

..where the -i points to where your private key is (assuming a command line ssh client rather than putty), the -l (letter L in lower case) is for the username, and the IP address is the IP address of the virtual machine you wish to connect to.

To debug any ssh login issues, it is suggested that you have another user account watching the /var/log/secure logs with a command like:-

sudo tail -f /var/log/secure

This will show you incoming ssh client connections, the authentication method used and whether it was successful.

Ubuntu

For each user, do the following:

First you create the user account using the adduser command. Note that this command will prompt you for some additional details.

sudo adduser <username> --disabled-password

You then want to set up the user’s SSH authorized keys file and add their SSH public key to it using an editor of your choice. Please note that key formatting is very important; several examples of acceptable key types and formats are provided below.

sudo mkdir /home/<username>/.ssh
sudo touch /home/<username>/.ssh/authorized_keys
sudo vim /home/<username>/.ssh/authorized_keys
sudo chown -R <username>:<username> /home/<username>/.ssh
sudo chmod -R 0700 /home/<username>/.ssh

Your user should now be able to log in to your machine with their SSH public key using the following command.

ssh <username>@<ip address>

If you also want the newly added user to have sudo permissions then you need to edit the /etc/sudoers.d/cloud file using the following command.

sudo visudo -f /etc/sudoers.d/cloud

Add the following line to the bottom. Note that because we do not set a password for the user, the NOPASSWD option is necessary.

<username> ALL=(ALL) NOPASSWD: ALL

Example Public Keys

The following keys are all examples used to demonstrate acceptable formatting of public keys in authorized keys files.

# RSA-2048
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDdIsfXr82WFXNfw+RfECqitp/5wPeR670TO8gj/F7ypRPi80wLRKBF85LVN9T/E0b0+Ur6E1sMRWI9xAnxW2O1uSZ4f1TqlzbL4jqmbQuGRNIKroyOtHwmHiLca5fbwLRyXLXXyjSOp//8QMzM8SaslavAv8sGPvrGMtceytGIpVi90OrArFJYfDbUOs7mqfNATYBcMl2Ql/cnnHPrHiRU9VCMc05cjymoy9DHZN5Enfnew+Q/NBODpQd8yvQV2EJj3mduKJc3MGj/xR8ODux0hI3iPUM9DRHxEYl3+RzQV3xXHRycv3tJzvDIgtCYT3cp/scXKiecmMh6Kprq+JH rsa-key-20240816
# ECDSA (nistp384)
ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBE60HgYZDYWngeNi88Ymy0TVhYQsTJ7SvKT6XFeun5tIfUJ1jssy7yZVygZguK9ci9ojdP5s70XDjoOdM0C0wdqyC3KX/dRz6iwrwadT4IqZZOsNJrddKJBxsqZ3TNTqKA== ecdsa-key-20240816
# EdDSA (Ed25519)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx6CptzpgLxJwvHXa1OAh2CzyaDHw0esi7ZuWKK9quy eddsa-key-20240816
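
To confirm the result of either procedure above, the following added example (not part of the original instructions) checks that .ssh and authorized_keys belong to the account, grant nothing to group or others, and hold one well-formed key per line. The function name audit_ssh_dir and the script name are hypothetical; it assumes GNU stat and bare keys of the three types shown under Example Public Keys, with no leading options field.

```shell
#!/bin/sh
# Added example. audit_ssh_dir HOME_DIR EXPECTED_UID
# Prints one line per problem; returns 0 only when nothing was found.
audit_ssh_dir() {
    home=$1; uid=$2; rc=0
    dir="$home/.ssh"; keys="$dir/authorized_keys"

    [ -d "$dir" ]  || { echo "missing directory: $dir"; return 1; }
    [ -f "$keys" ] || { echo "missing file: $keys"; return 1; }

    # Owned by the account, and no permission bits for group or others
    # (true of the 0700 and 0600 modes set in the steps above).
    for item in "$dir" "$keys"; do
        owner=$(stat -c '%u' "$item")   # GNU stat, as on Rocky and Ubuntu
        mode=$(stat -c '%a' "$item")
        [ "$owner" = "$uid" ] || { echo "$item: owner uid $owner, expected $uid"; rc=1; }
        case $mode in
            *00) ;;
            *) echo "$item: mode $mode grants access to group/others"; rc=1 ;;
        esac
    done

    # One key per line: "<type> <base64> [comment]". A key that was wrapped
    # or truncated when pasted shows up here as a bad type or bad data.
    # Assumption: bare keys only, no leading options field.
    n=0
    while read -r type blob _comment || [ -n "$type" ]; do
        n=$((n + 1))
        case $type in ''|'#'*) continue ;; esac
        case $type in
            ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;
            *) echo "$keys:$n: unexpected key type '$type'"; rc=1; continue ;;
        esac
        case $blob in
            ''|*[!A-Za-z0-9+/=]*) echo "$keys:$n: key data is not base64"; rc=1 ;;
        esac
    done < "$keys"
    return "$rc"
}

# Run as: sudo sh audit_ssh_dir.sh /home/<username> "$(id -u <username>)"
if [ "$#" -eq 2 ]; then
    audit_ssh_dir "$1" "$2"
fi
```

A non-zero exit status with an "unexpected key type" line usually means a key was split across lines when it was pasted into the editor.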