CentOS New User and Key Logon Enabled Method
- 2021-06-28 09:54:07
- OfStack
CentOS only has the root user by default, but root has too many privileges, which does not suit multi-user collaboration. For rights management and security reasons, we create a new user for the system, enable it to log in over SSH, and prohibit root from logging in.
Based on CentOS Linux release 7.6.1810 (Core).
New user
In CentOS, there is no difference between adduser and useradd:
[root@centos_7_6_1810 ~]# ll /usr/sbin/ | grep user
lrwxrwxrwx 1 root root 7 Jun 24 10:14 adduser -> useradd
-rwxr-xr-x. 1 root root 33104 Aug 3 2017 fuser
-rwxr-xr-x. 1 root root 15832 Apr 13 2018 lnewusers
-rwxr-xr-x. 1 root root 15752 Apr 13 2018 luseradd
-rwxr-xr-x. 1 root root 11576 Apr 13 2018 luserdel
-rwxr-xr-x. 1 root root 19896 Apr 13 2018 lusermod
-rwxr-xr-x 1 root root 76232 Mar 14 2019 newusers
-rwxr-xr-x 1 root root 33072 Mar 14 2019 runuser
-rwxr-xr-x. 1 root root 19720 Apr 11 2018 sasldblistusers2
-rwxr-x--- 1 root root 118224 Mar 14 2019 useradd
-rwxr-x--- 1 root root 80400 Mar 14 2019 userdel
-rwxr-x--- 1 root root 113856 Mar 14 2019 usermod
-rwsr-xr-x. 1 root root 11376 Oct 31 2018 usernetctl
You can see from the output above that adduser is nothing but a symbolic link (soft link) to the useradd command; for now you can think of a soft link as the equivalent of a shortcut on Windows.
Use the useradd command to create a new user:
[root@centos_7_6_1810 ~]# useradd luizyao
[root@centos_7_6_1810 ~]# ls /home/
luizyao
In most Linux distributions, the useradd command does not create the user's home directory under /home/; if you want it created, you need to add the -m (--create-home) option. CentOS, however, creates the home directory for us automatically.
If we want to log on to the system with this user name, we must set a password for it:
[root@centos_7_6_1810 ~]# passwd luizyao
Changing password for user luizyao.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Then we can use this user to log in to the system:
[luizyao@centos_7_6_1810 ~]$ whoami
luizyao
Authorize new users
Normally a new user has full permissions under their own home directory (/home/luizyao/), while other directories require authorization. What we need most often are the privileges of the root user, and this is where the sudo command helps: it allows trusted users to execute commands as another user, root by default.
The new user is not on the trust list, so it cannot borrow the root identity to execute commands:
Note: at this point, you are logged in to the system as the new user;
[luizyao@centos_7_6_1810 /]$ sudo whoami
[sudo] password for luizyao:
luizyao is not in the sudoers file. This incident will be reported.
In CentOS, we have two ways to add the new user to the sudoers list:
Note: at this point, log in to the system as root;
Method 1: Add the new user to the wheel user group
On RedHat-based distributions such as CentOS and Fedora, the wheel user group has already been granted sudo permission, so we can add the new user to the wheel group to obtain sudo rights:
[root@centos_7_6_1810 ~]# groups luizyao
luizyao : luizyao
[root@centos_7_6_1810 ~]# usermod -aG wheel luizyao
[root@centos_7_6_1810 ~]# groups luizyao
luizyao : luizyao wheel
We use the usermod command to add the new user to the wheel user group, and the groups command to view the groups a user belongs to;
At this point, the new user can execute the command with the privilege of root:
[luizyao@centos_7_6_1810 root]$ sudo whoami
[sudo] password for luizyao:
root
Be careful:
With this method, running a sudo command requires the new user's password, because this is the default configuration for the wheel user group:
# /etc/sudoers
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
To remove a user from a user group, you can use the following commands:
[root@centos_7_6_1810 ~]# gpasswd -d luizyao wheel
Removing user luizyao from group wheel
[root@centos_7_6_1810 ~]# groups luizyao
luizyao : luizyao
Method 2: Add the new user to the sudoers list
In the /etc/sudoers file, you can configure sudo permissions for users and groups, which is a more flexible approach. There are two ways to configure permissions for the new user:
1. You can configure the new user's permissions directly in the /etc/sudoers file, but be aware that this file is read-only by default, so you need to add write permission first, edit it, and then revert it to read-only.
Please use the visudo command to modify /etc/sudoers, because it checks the file for syntax errors;
2. You can also add a dedicated configuration file for the new user in the /etc/sudoers.d directory (recommended):
[root@centos_7_6_1810 ~]# echo "luizyao ALL=(ALL) NOPASSWD:ALL" | tee /etc/sudoers.d/luizyao
luizyao ALL=(ALL) NOPASSWD:ALL
[root@centos_7_6_1810 ~]# ll /etc/sudoers.d/luizyao
-rw-r--r-- 1 root root 32 Sep 17 17:51 /etc/sudoers.d/luizyao
The above rule means that luizyao can execute any command (the third ALL) on any host (the first ALL) as any user (the second ALL, root by default) without a password.
Note: the file name can be arbitrary, but typically we name it after the user;
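The drop-in above was written with a plain echo and tee, which skips the syntax check that visudo gives you and leaves the file at 0644. The script below is an added example, not code from the article: it renders the same rule (password-less only when explicitly requested), validates it with visudo before it reaches /etc/sudoers.d, installs it with the 0440 mode /etc/sudoers itself uses, and refuses file names that sudo's #includedir would silently skip (names containing a dot or ending in "~"). The /etc/sudoers.d path and the presence of visudo are CentOS 7 assumptions; only install_sudoers_dropin needs root, the helpers run as any user.

```shell
#!/bin/sh
# Added example (not the article's own code): install a sudoers drop-in for one
# user the way /etc/sudoers.d is meant to be used. The rule is validated with
# visudo before it goes live and installed with the 0440 mode /etc/sudoers uses.
# Assumes the CentOS 7 layout (/etc/sudoers.d, visudo present). Only
# install_sudoers_dropin needs root; the helpers can be exercised as any user.

SUDOERS_D="${SUDOERS_D:-/etc/sudoers.d}"

# Render the rule from the article. NOPASSWD is opt-in (second argument "yes");
# the default keeps the password prompt, the same as the wheel group default.
render_sudoers_rule() {
    if [ "${2:-no}" = "yes" ]; then
        printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$1"
    else
        printf '%s ALL=(ALL) ALL\n' "$1"
    fi
}

# Accept only names useradd itself accepts. This also guarantees a usable file
# name: sudo's #includedir silently skips files whose name contains a dot or
# ends in '~', so a rule saved as "luizyao.conf" would never take effect.
valid_dropin_name() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# sudo refuses to read a sudoers file that is writable by group or others.
# Checks the symbolic mode, e.g. "-rw-r--r--": column 6 is group write,
# column 9 is other write.
mode_is_safe() {
    _mode=$(stat -c '%A' "$1") || return 1
    case "$_mode" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Write the rule to a scratch file, let visudo parse it, then install it.
# A syntax error in any drop-in makes sudo refuse to run for everyone, so the
# check happens before the file reaches /etc/sudoers.d.
install_sudoers_dropin() {
    _user="$1"
    valid_dropin_name "$_user" || { echo "refusing user name: $_user" >&2; return 1; }
    _tmp=$(mktemp) || return 1
    render_sudoers_rule "$_user" "${2:-no}" > "$_tmp"
    if ! visudo -c -f "$_tmp" > /dev/null; then
        echo "rule for $_user failed the visudo check, not installed" >&2
        rm -f "$_tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$_tmp" "$SUDOERS_D/$_user"
    rm -f "$_tmp"
    mode_is_safe "$SUDOERS_D/$_user"
}

# Usage (as root): sh sudoers-dropin.sh luizyao [yes]
if [ "$#" -ge 1 ]; then
    install_sudoers_dropin "$@"
fi
```

Running it as root with `luizyao yes` reproduces the article's NOPASSWD rule; without the second argument the user still has to type their own password, which is the safer default for an interactive account.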
New user enables SSH key login
At this point, log in to the system as the new user;
Create a key pair with ssh-keygen;
Download the private key locally:
Practice based on Mac OS;
Use the scp command to download the private key.
At this point, we still need a password to log in:
yaomengdeMacBook-Air:~ yaomeng$ ssh luizyao@<ip address>
Enter passphrase for key "/Users/yaomeng/.ssh/id_ecdsa": # enter the private key passphrase; key login fails
luizyao@www.luizyao.com password: # luizyao's user password
Last login: Tue Sep 17 22:50:22 2019
SSH key login
Rename the public key to authorized_keys;
Be careful:
Because I did not have an authorized_keys file before, I rename it directly here; if an authorized_keys file already exists, you can append the public key to the end of the file instead;
Note that if the authorized_keys file, the ~/.ssh/ directory, or the user's home directory (/home/luizyao/) is writable by other users, sshd decides that the file is no longer secure and will not use it, unless you have set StrictModes to no;
You can use the man sshd command to view the help documentation.
At this point, we can log in over SSH with the key.
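Renaming the public key to authorized_keys works the first time but overwrites any keys already there, and a wrong mode on the file, on ~/.ssh or on the home directory makes sshd ignore the key silently under StrictModes, leaving you back at the password prompt. The script below is an added example, not code from the article: install_pubkey appends a key only if that exact line is not present yet and sets the modes sshd accepts, and strict_modes_ok mirrors the check described above (owned by the user or root, not writable by group or others) so the problem is reported at install time. The home directory and key are parameters so it can be tried on a scratch directory.

```shell
#!/bin/sh
# Added example (not the article's own code): put a public key into
# ~/.ssh/authorized_keys without clobbering keys that are already there, then
# run the same ownership and permission check sshd performs under StrictModes
# (the default) so a key file sshd would silently ignore is caught right away.
# The home directory and key are parameters, so it can be exercised on a
# scratch directory as an unprivileged user.

# Append the key only if the exact line is not already present, and set the
# modes sshd is happy with: 700 on ~/.ssh, 600 on authorized_keys.
install_pubkey() {
    _home="$1"; _key="$2"
    _auth="$_home/.ssh/authorized_keys"
    mkdir -p "$_home/.ssh" && chmod 700 "$_home/.ssh" || return 1
    [ -f "$_auth" ] || : > "$_auth"
    chmod 600 "$_auth" || return 1
    if ! grep -qxF -- "$_key" "$_auth"; then
        printf '%s\n' "$_key" >> "$_auth"
    fi
}

# Mirror sshd's StrictModes rule (see "man sshd"): the home directory, ~/.ssh
# and authorized_keys must be owned by the user (or root) and must not be
# writable by group or others. Returns 1 and names the offending path
# otherwise. Second argument: expected owner uid (default: the caller).
# Symbolic mode "-rw-r--r--": column 6 is group write, column 9 other write.
strict_modes_ok() {
    _home="$1"; _uid="${2:-$(id -u)}"
    for _p in "$_home" "$_home/.ssh" "$_home/.ssh/authorized_keys"; do
        _owner=$(stat -c '%u' "$_p") || return 1
        if [ "$_owner" != "$_uid" ] && [ "$_owner" != 0 ]; then
            echo "$_p: owned by uid $_owner, not $_uid" >&2; return 1
        fi
        case "$(stat -c '%A' "$_p")" in
            ?????w????|????????w?) echo "$_p: writable by group or others" >&2; return 1 ;;
        esac
    done
    return 0
}

# Usage as the new user, with the public key text from the client:
#   sh install-key.sh "$HOME" "ssh-ed25519 AAAA... user@laptop"
if [ "$#" -ge 2 ]; then
    install_pubkey "$1" "$2" && strict_modes_ok "$1"
fi
```

Because the check runs before you close the existing session, a mode problem can be fixed (chmod go-w on the offending path) while you still have a way in.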
Disable SSH password login
Now we can still log on with a password, which is still not safe, so let's stop allowing password logins.
On CentOS, only the SSH configuration file /etc/ssh/sshd_config needs to be modified: set PasswordAuthentication to no;
Then restart the SSH service:
[luizyao@centos_7_6_1810 ~]$ sudo systemctl restart sshd
We have now disabled SSH password login; only the key can be used to log in.
Other
To improve the security of the system one step further, there are still a few things we can do:
Prohibit root users from logging in over SSH
Simply set PermitRootLogin to no in the SSH configuration file /etc/ssh/sshd_config and restart the SSH service;
Use an unconventional SSH port
The default SSH port is 22, and we can change it to something less common: modify the Port value (for example, 10178) in the SSH configuration file /etc/ssh/sshd_config and restart the SSH service;
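The three sshd_config changes above (PasswordAuthentication, PermitRootLogin, Port) are each "edit a line and restart", and a typo in that file leaves sshd unable to start, which on a remote box means losing access. The script below is an added example, not code from the article: set_sshd_option changes one directive idempotently (rewriting the existing line, commented out or not, dropping duplicate active lines, and never appending after a Match block, where the setting would only apply conditionally), get_sshd_option reads the effective value back, and harden_sshd applies the article's settings and then runs sshd -t to validate the file before anything is restarted. The config path is a parameter so it can be tried on a copy; /etc/ssh/sshd_config is the CentOS 7 default.

```shell
#!/bin/sh
# Added example (not the article's own code): apply the three sshd_config
# changes from this article (PasswordAuthentication no, PermitRootLogin no, a
# new Port) idempotently, then have sshd validate the file before anything is
# restarted. The config path is a parameter so the editing can be tried on a
# copy; /etc/ssh/sshd_config is the CentOS 7 default.

# Set one directive: the first existing line for the key, active or commented
# out, is rewritten in place; further active lines are dropped so exactly one
# setting remains; a directive not present yet is appended, but always before
# the first "Match" block, because anything after "Match" is conditional and
# would not apply globally. Lines inside Match blocks are left untouched.
# sshd keywords are case-insensitive, so comparisons are lowercased.
set_sshd_option() {
    _file="$1"; _key="$2"; _value="$3"
    _tmp=$(mktemp) || return 1
    awk -v key="$_key" -v value="$_value" '
        function is_key(s)  { return tolower(s) == tolower(key) }
        function is_ckey()  { return tolower($1) == "#" tolower(key) || ($1 == "#" && is_key($2)) }
        $1 == "Match" { if (!done) { print key " " value; done = 1 }; in_match = 1 }
        in_match { print; next }
        is_key($1) || (!done && is_ckey()) { if (!done) { print key " " value; done = 1 }; next }
        { print }
        END { if (!done) print key " " value }
    ' "$_file" > "$_tmp" || { rm -f "$_tmp"; return 1; }
    cat "$_tmp" > "$_file"   # keep the original inode, mode and SELinux label
    rm -f "$_tmp"
}

# Effective global value of a directive: sshd uses the first active
# occurrence, and anything after the first Match block is conditional.
get_sshd_option() {
    awk -v key="$2" '
        $1 == "Match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Apply the article's settings and let sshd parse the result (-t tests the
# configuration, -f points at the file) without touching the running daemon.
harden_sshd() {
    _cfg="${1:-/etc/ssh/sshd_config}"; _port="${2:-22}"
    set_sshd_option "$_cfg" PasswordAuthentication no
    set_sshd_option "$_cfg" PermitRootLogin no
    set_sshd_option "$_cfg" Port "$_port"
    sshd -t -f "$_cfg"
}

# Usage (as root): sh harden-sshd.sh /etc/ssh/sshd_config 10178
# Afterwards restart with "systemctl restart sshd" while keeping the current
# session open, and confirm the key login works from a second terminal
# before closing it.
if [ "$#" -ge 1 ]; then
    harden_sshd "$@"
fi
```

Two practical notes for the port change on CentOS 7: with SELinux enforcing, sshd is only allowed to bind port 22 until the new port is labelled (`semanage port -a -t ssh_port_t -p tcp 10178`, from the policycoreutils-python package), and the firewalld service definition has to be updated as the article describes below, otherwise the restart succeeds but nobody can connect.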
We also need to modify the firewall configuration for sshd. CentOS 7 uses the firewalld firewall by default, and we configure it as follows:
Copy firewalld's default ssh service configuration file into the system configuration folder;
Modify the port configuration in the configuration file:
<!-- /etc/firewalld/services/ -->
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SSH</short>
<description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
<port protocol="tcp" port="10178"/>
</service>
Reload the firewalld configuration:
[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --reload
success
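The copy-edit-reload sequence above is easy to get subtly wrong (a typo in the port attribute is accepted by the reload and then silently blocks every connection). The script below is an added example, not code from the article: it copies the packaged ssh service definition into /etc/firewalld/services, where local files override the packaged ones, rewrites the port attribute only after checking that the value is a real TCP port number, and reads the port back from the result to confirm the rewrite. The file paths are the CentOS 7 firewalld layout (an assumption; `firewall-cmd --info-service=ssh` shows the effective definition) and are parameters so the rewrite can be tried on a scratch copy.

```shell
#!/bin/sh
# Added example (not the article's own code): point firewalld's "ssh" service
# at the new port by copying the packaged service definition into
# /etc/firewalld/services, where local overrides take precedence, rewriting
# its port attribute, and reloading. Paths and port are parameters so the
# rewrite can be tried on a scratch copy; the defaults are the CentOS 7
# firewalld layout (assumed; "firewall-cmd --info-service=ssh" shows the
# effective definition).

PACKAGED_SSH_XML="${PACKAGED_SSH_XML:-/usr/lib/firewalld/services/ssh.xml}"
LOCAL_SSH_XML="${LOCAL_SSH_XML:-/etc/firewalld/services/ssh.xml}"

# Port as declared in a service file, e.g. 22 for the packaged ssh.xml.
service_port() {
    sed -nE 's/.*<port[^>]*port="([0-9]+)".*/\1/p' "$1" | head -n 1
}

# Copy the packaged definition to the local override and replace the port.
# Rejects anything that is not a TCP port number, and confirms the rewrite
# actually happened rather than trusting sed's exit status.
set_service_port() {
    _src="$1"; _dst="$2"; _port="$3"
    case "$_port" in ''|*[!0-9]*) echo "not a port number: $_port" >&2; return 1 ;; esac
    [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ] || { echo "port out of range: $_port" >&2; return 1; }
    mkdir -p "$(dirname "$_dst")" || return 1
    sed -E "s/(<port[^>]*port=\")[0-9]+(\")/\1${_port}\2/" "$_src" > "$_dst" || return 1
    [ "$(service_port "$_dst")" = "$_port" ]
}

# Usage (as root): sh firewalld-ssh-port.sh 10178
# The port must match the Port directive in /etc/ssh/sshd_config; the reload
# makes the new definition effective.
if [ "$#" -ge 1 ]; then
    set_service_port "$PACKAGED_SSH_XML" "$LOCAL_SSH_XML" "$1" && firewall-cmd --reload
fi
```

Keep the old port open in the firewall until a login on the new port has been verified from another terminal; removing port 22 from the service definition while the only working session still runs on it is how lockouts happen.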
Prohibit ping
Add the following rules to your firewall and reload the configuration:
[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --permanent --add-icmp-block=echo-reply
[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --permanent --add-icmp-block=echo-request
[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --reload
summary