
Set up user accounts quickly and securely


When you need to set up a user account to give a user shell access to the system, the only logical choice of login tool is OpenSSH. With SSH keys, all you need from the user is his SSH public key, and all he needs from you is the IP address or hostname with which to log in. Usually, this is sufficient.

In some cases, the user may need to know what his own password is. If he needs to use Sudo, he will need to authenticate with a password. Ideally, this information would be given via phone or encrypted e-mail, but more often than not, the password itself is handed out via plain-text e-mail.

The ideal situation would be to create the user account, obtain the user's public SSH key (which can be sent unencrypted as it does an attacker no good in and of itself), and generate a random password for the user to change once he logs into the system. This is all easily accomplished.

For the user, this is very easy. To create the private/public keypair, simply execute:

$ ssh-keygen -t dsa

You would then have him send the ~/.ssh/id_dsa.pub file. Server-side, things become more interesting, but certainly not difficult. First, you create the user account:

# useradd -c "Joe User" -s /bin/bash -m joe
# openssl rand -base64 6 | tee -a ~joe/.password | passwd --stdin joe

This will create the user joe, assign it a random password, and store the same password in ~joe/.password, where joe will be able to see it.

If you lock down accounts via /etc/ssh/sshd_config, remember to allow joe access to the system by adding:

AllowUsers joe

Also ensure that PasswordAuthentication is set to no, to force all logins to use public keys.

Finally, be sure to copy the id_dsa.pub key to the user's home directory and give appropriate ownership and permissions:

# mkdir ~joe/.ssh
# chmod 700 ~joe/.ssh
# cp id_dsa.pub ~joe/.ssh/authorized_keys
# chmod 600 ~joe/.ssh/authorized_keys
# chown -R joe:joe ~joe/.ssh

And that's all there is to it. Now the user can log in using his SSH private key and can access Sudo or whatever else may require an actual system password for authentication.
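Putting the server-side steps together, here is an added example script (not from the original article) that wraps the same procedure in shell functions: generate a random password, store it in ~user/.password, install the user's public key as authorized_keys, and fix ownership. It assumes a Red Hat style passwd that accepts --stdin, GNU or BSD stat, and OpenSSL (with a /dev/urandom fallback); the user name joe, the full name and the key path are placeholders supplied by the caller. One deliberate difference from the one-liner above: the password file and the .ssh directory are created with a 077 umask before anything is written, so the secret is never briefly readable under the default 022 umask, and the key file is checked for the obvious mistake of being a private key before it is copied.

```shell
#!/bin/sh
# Added example, not the article's own code. Mirrors the article's steps
# (useradd, random password, ~user/.password, authorized_keys, chown) with
# the secret files created at mode 600 before any data lands in them.
set -eu

# Random password: 6 bytes base64-encoded, as in the article (8 characters).
# Falls back to /dev/urandom where openssl is not installed.
gen_password() {
    n=${1:-6}
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$n"
    else
        head -c "$n" /dev/urandom | base64
    fi
}

# Create $home/.password empty at mode 600 first, then write the password.
# The file is overwritten, not appended to, so no stale passwords accumulate.
write_password_file() {
    home=$1; pass=$2
    ( umask 077 && : > "$home/.password" )
    chmod 600 "$home/.password"
    printf '%s\n' "$pass" > "$home/.password"
}

# Install one public key as the user's authorized_keys. Refuses an empty
# file, a private key, or anything that is not an OpenSSH public key line.
install_authorized_key() {
    home=$1; pubkey=$2
    [ -s "$pubkey" ] || { echo "empty or missing key file: $pubkey" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$pubkey"; then
        echo "refusing: $pubkey looks like a private key" >&2; return 1
    fi
    grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$pubkey" \
        || { echo "not an OpenSSH public key line: $pubkey" >&2; return 1; }
    ( umask 077 && mkdir -p "$home/.ssh" )
    chmod 700 "$home/.ssh"
    ( umask 077 && cp "$pubkey" "$home/.ssh/authorized_keys" )
    chmod 600 "$home/.ssh/authorized_keys"
}

# Octal mode of a path; works with GNU stat (-c) and BSD stat (-f).
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Whole flow, to be run as root: provision_user joe "Joe User" /path/to/id_dsa.pub
provision_user() {
    user=$1; fullname=$2; pubkey=$3
    useradd -c "$fullname" -s /bin/bash -m "$user"
    home=$(getent passwd "$user" | cut -d: -f6)
    pass=$(gen_password 6)
    printf '%s\n' "$pass" | passwd --stdin "$user"   # Red Hat style passwd assumed
    write_password_file "$home" "$pass"
    install_authorized_key "$home" "$pubkey"
    chown "$user:$user" "$home/.password"
    chown -R "$user:$user" "$home/.ssh"
    echo "now add 'AllowUsers $user' to sshd_config and keep PasswordAuthentication no" >&2
}
```

Only provision_user needs root; the other functions can be exercised against any writable directory, which is how you would sanity-check the permissions they leave behind before trusting the script on a real account.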


About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

2 comments
rlaska:

If you are going to use a plain-text file to store the user's password, please make sure no one else can read it. *Before* creating the .password file, run this:

touch ~joe/.password
chown joe ~joe/.password
chmod 600 ~joe/.password

For even more security, have the user securely delete the file once he has read it:

cat ~/.passwd (memorize it, change it, or put it in a secure place)
shred -u ~/.passwd

vdanen:

dOh! Good point. I should have mentioned that. I'm so used to having a umask of 026 (so mode 640 perms) that I didn't even think that most distros use 022 (or 644) perms. Yes, creating and chmoding the file *before* putting anything into it is important, although I would do the chmod prior to the chown for added paranoia. Or, better yet, do something like:

passwd=`mktemp jXXXXXX` && mv $passwd .password && chown joe:joe .password

Using mktemp will ensure no one is currently "listening" to the file and set up the proper permissions (600) right from the start.