CentOS: Creating a New User and Enabling SSH Key Login

  • 2021-06-28 09:54:07
  • OfStack

CentOS has only the root user by default, but root has far too many privileges and is not suited to multi-user collaboration. For rights management and security reasons, we create a new user for the system, enable it to log in over SSH, and prohibit root from logging in.

Based on practice on CentOS Linux release 7.6.1810 (Core).

New user

In CentOS there is no difference between adduser and useradd:


[root@centos_7_6_1810 ~]# ll /usr/sbin/ | grep user
lrwxrwxrwx 1 root root   7 Jun 24 10:14 adduser -> useradd
-rwxr-xr-x. 1 root root  33104 Aug 3 2017 fuser
-rwxr-xr-x. 1 root root  15832 Apr 13 2018 lnewusers
-rwxr-xr-x. 1 root root  15752 Apr 13 2018 luseradd
-rwxr-xr-x. 1 root root  11576 Apr 13 2018 luserdel
-rwxr-xr-x. 1 root root  19896 Apr 13 2018 lusermod
-rwxr-xr-x 1 root root  76232 Mar 14 2019 newusers
-rwxr-xr-x 1 root root  33072 Mar 14 2019 runuser
-rwxr-xr-x. 1 root root  19720 Apr 11 2018 sasldblistusers2
-rwxr-x--- 1 root root  118224 Mar 14 2019 useradd
-rwxr-x--- 1 root root  80400 Mar 14 2019 userdel
-rwxr-x--- 1 root root  113856 Mar 14 2019 usermod
-rwsr-xr-x. 1 root root  11376 Oct 31 2018 usernetctl

As the output above shows, adduser is nothing more than a soft link (symlink) to the useradd command.

For now, you can think of a soft link as something like a shortcut on Windows.

Use the useradd command to create a new user:


[root@centos_7_6_1810 ~]# useradd luizyao
[root@centos_7_6_1810 ~]# ls /home/
luizyao

In most Linux distributions, useradd does not create the user's home directory under /home/ unless you pass the -m (--create-home) option; CentOS, however, creates the home directory automatically.

If we want to log in to the system as this user, we must set a password for it:


[root@centos_7_6_1810 ~]# passwd luizyao
Changing password for user luizyao.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Then we can log in to the system as this user:


[luizyao@centos_7_6_1810 ~]$ whoami
luizyao

Authorize new users

Normally a new user has full permissions only within its own home directory (/home/luizyao/); access to other directories must be granted. What we need most often are the privileges of root, and this is where the sudo command helps: it allows trusted users to execute commands as another user, root by default.

The new user is not on the trust list, so it cannot borrow the root identity to execute commands:

Note: at this point, log in to the system as the new user.


[luizyao@centos_7_6_1810 /]$ sudo whoami
[sudo] password for luizyao:
luizyao is not in the sudoers file. This incident will be reported.

In CentOS, there are two ways to add the new user to the sudoers list:

Note: at this point, log in to the system as root.

Method 1: Add the new user to the wheel user group

On Red Hat-based distributions such as CentOS and Fedora, the wheel user group has already been granted sudo permission, so we can add the new user to the wheel group to obtain sudo rights:


[root@centos_7_6_1810 ~]# groups luizyao
luizyao : luizyao
[root@centos_7_6_1810 ~]# usermod -aG wheel luizyao
[root@centos_7_6_1810 ~]# groups luizyao
luizyao : luizyao wheel

We use the usermod command to add the new user to the wheel group, and the groups command to view the groups a user belongs to.

Now the new user can execute commands with root privileges:


[luizyao@centos_7_6_1810 root]$ sudo whoami
[sudo] password for luizyao:
root

Note:

With this method, running sudo requires the new user's password, because the default configuration for the wheel group is as follows:


# /etc/sudoers

## Allows people in group wheel to run all commands
%wheel ALL=(ALL)  ALL

## Same thing without a password
# %wheel  ALL=(ALL)  NOPASSWD: ALL

To remove a user from a group, use the following command:


[root@centos_7_6_1810 ~]# gpasswd -d luizyao wheel
Removing user luizyao from group wheel
[root@centos_7_6_1810 ~]# groups luizyao
luizyao : luizyao

Method 2: Add the new user to the sudoers list

In the /etc/sudoers file you can configure sudo permissions for users and groups, which is the more flexible approach. Again there are two ways to configure permissions for the new user:

1. You can configure the new user's permissions directly in the /etc/sudoers file, but be aware that this file is read-only by default, so you need to add write permission first, edit it, and then revert it to read-only.

Please use the visudo command to modify the /etc/sudoers file, because it checks the file for syntax errors.

2. You can also add a dedicated configuration file for the new user in the /etc/sudoers.d directory (recommended):


[root@centos_7_6_1810 ~]# echo "luizyao ALL=(ALL) NOPASSWD:ALL" | tee /etc/sudoers.d/luizyao
luizyao ALL=(ALL) NOPASSWD:ALL
[root@centos_7_6_1810 ~]# ll /etc/sudoers.d/luizyao
-rw-r--r-- 1 root root 32 Sep 17 17:51 /etc/sudoers.d/luizyao

The rule above means that luizyao can execute any command (the third ALL) on any host (the first ALL) as any user (the second ALL, root by default) without entering a password.



Note: the file name can be arbitrary, but we usually name it after the user.
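As an added example (these are not the article's own commands), a small POSIX shell helper that installs such a drop-in the way sudoers(5) documents it: a file name without a '.' or trailing '~' (sudo skips those, so "luizyao.conf" would be silently ignored), mode 0440 rather than the 0644 that tee leaves behind, and a visudo -c check when it is available. The target directory is a parameter so the functions can be tried against a scratch directory; the function names are my own.

```shell
# Added example, not from the article: install a sudo drop-in the way
# sudoers(5) expects it. The target directory is a parameter so the functions
# can be exercised against a scratch directory instead of /etc/sudoers.d.

# sudo ignores drop-in files whose name contains a '.' or ends in '~'
# (sudoers(5), #includedir), so "luizyao.conf" would be silently skipped.
sudoers_name_ok() {
    case "$1" in
        ''|*.*|*~|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# The one-line rule used in the article: user ALL=(ALL) [NOPASSWD:]ALL.
# Pass "yes" as the second argument to drop the password prompt.
sudoers_rule() {
    if [ "${2:-no}" = yes ]; then
        printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$1"
    else
        printf '%s ALL=(ALL) ALL\n' "$1"
    fi
}

# Write the rule to $dir/$name with mode 0440 (tee would leave 0644), via a
# dot-prefixed temp name that sudo ignores until the rename makes it live.
# When running as root with visudo present, the file is syntax-checked first.
install_sudoers_dropin() {
    dir=$1; name=$2; rule=$3
    sudoers_name_ok "$name" || { echo "unusable drop-in name: $name" >&2; return 1; }
    tmp="$dir/.$name.tmp"
    printf '%s\n' "$rule" > "$tmp" && chmod 0440 "$tmp" || return 1
    if [ "$(id -u)" = 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$dir/$name"
}

# Octal mode of an installed drop-in; 440 is what we expect to see.
dropin_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
```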

Enable SSH key login for the new user

At this point, log in to the system as the new user.

Create a key pair:



Download the private key to the local machine:

The local machine here is a Mac (macOS).

Use the scp command to download the private key:



At this point we still need a password to log in:


yaomengdeMacBook-Air:~ yaomeng$ ssh luizyao@<ip address>
Enter passphrase for key "/Users/yaomeng/.ssh/id_ecdsa":   # enter the private key passphrase; key login fails
luizyao@www.luizyao.com password:                          # luizyao's user password
Last login: Tue Sep 17 22:50:22 2019

SSH passwordless login

Rename the public key to authorized_keys:



Note:

Because I didn't have an authorized_keys file before, I simply rename the public key here. If an authorized_keys file already exists, you can use the following command to append the public key to the end of the file:



Note: if the authorized_keys file, the ~/.ssh/ directory, or the user's home directory (/home/luizyao/) is writable by other users, sshd treats the file as insecure and will not use it, unless StrictModes has been set to no.

You can use the man sshd command to view the help documentation:



At this point we can log in over SSH without a password:


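As an added example (not the article's own steps), a shell helper that appends a public key to authorized_keys without creating duplicates and then checks the StrictModes conditions described above: the home directory, ~/.ssh and authorized_keys must not be writable by group or others, otherwise sshd ignores the key file and the login falls back to a password prompt. The home path is a parameter so it can be run against a scratch directory; SAMPLE_KEY is a constructed line, not a real key, and the function names are my own.

```shell
# Added example, not from the article: install a public key into a user's
# authorized_keys and verify the permissions sshd's StrictModes (default yes)
# requires. The home directory is a parameter so it can be run against a
# scratch directory; SAMPLE_KEY is a constructed line, not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleNotARealKey0000 luizyao@mac'

# True if $1 exists and has no group/other write bit, which is the test
# StrictModes applies to the home directory, ~/.ssh and authorized_keys.
not_writable_by_others() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    g=$(( (mode / 10) % 10 )); o=$(( mode % 10 ))      # group and other digits
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# Check every path StrictModes inspects; names the offender and returns 1,
# which is exactly the case where sshd silently ignores the key file.
check_strict_modes() {
    home=$1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        not_writable_by_others "$p" ||
            { echo "group/other writable, sshd will ignore it: $p" >&2; return 1; }
    done
    return 0
}

# Append $2 to authorized_keys unless that exact line is already present
# (safe to rerun), then set the modes sshd expects and re-check them.
install_pubkey() {
    home=$1; key=$2; ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    [ -f "$ak" ] || : > "$ak"
    grep -qxF -- "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
    chmod 600 "$ak" && check_strict_modes "$home"
}

# Number of active key lines in an authorized_keys file.
count_keys() { grep -cvE '^[[:space:]]*(#|$)' "$1"; }
```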

Disable SSH password login

We can still log in with a password, which is not safe enough. Now let's disable password login to the system.

On CentOS only the SSH configuration file /etc/ssh/sshd_config needs to be modified: set PasswordAuthentication to no.

Then restart the SSH service:


[luizyao@centos_7_6_1810 ~]$ sudo systemctl restart sshd

SSH password login is now disabled, and only key login is possible.

Other

To improve the security of the system one step further, there are still a few things we can do:

Prohibit root from logging in over SSH

Simply set PermitRootLogin to no in the SSH configuration file /etc/ssh/sshd_config and restart the SSH service.

Use a non-standard SSH port

The default SSH port is 22; we can change it to something less common by modifying the Port value in the SSH configuration file /etc/ssh/sshd_config (for example, 10178) and restarting the SSH service.
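The three sshd_config edits on this page (PasswordAuthentication, PermitRootLogin and Port) share one pitfall: sshd honours the first occurrence of a global directive, and anything placed after a Match line applies only inside that block, so a stale duplicate or a blind append can leave password login enabled. As an added example, not from the article, a shell helper that edits a directive in place with those rules and a validation step; the config path is a parameter so it can be tried on a copy, and the function names are my own.

```shell
# Rewrite the first active or commented "Key value" line, drop later active
# global duplicates, and otherwise insert the directive before the first Match
# block (or at the end). The config path is a parameter; run as root on
# /etc/ssh/sshd_config for real.
set_sshd_option() {
    cfg=$1; key=$2; val=$3
    awk -v k="$key" -v v="$val" '
        BEGIN { pat = "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)" }
        /^[ \t]*Match[ \t]/ {
            if (!done) { print k " " v; done = 1 }
            inmatch = 1
        }
        tolower($0) ~ pat {
            if (!done) { print k " " v; done = 1; next }     # first hit: rewrite
            if (!inmatch && $0 !~ /^[ \t]*#/) next              # later active dup: drop
        }
        { print }
        END { if (!done) print k " " v }
    ' "$cfg" > "$cfg.new" && cat "$cfg.new" > "$cfg" && rm -f "$cfg.new"
}

# First active global value of a directive, i.e. the one sshd will honour.
get_sshd_option() {
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        /^[ \t]*Match[ \t]/ { exit }
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }' "$1"
}

# Validate before restarting: a config sshd cannot parse means no way back in.
# sshd -t needs root to load host keys, so a missing sshd is reported as skipped.
sshd_config_ok() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not found, check skipped" >&2; return 0; }
    sshd -t -f "$1"
}
```

On CentOS 7 with SELinux enforcing, a non-default port must also be allowed with semanage port -a -t ssh_port_t -p tcp 10178 before sshd can bind to it; keep the current session open until a fresh login on the new port succeeds.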

We also need to update the sshd service definition in the firewall. CentOS 7 uses firewalld by default, and we configure it as follows:

Copy firewalld's default ssh service definition into the system configuration directory:



Modify the port configuration in the configuration file:


<!-- /etc/firewalld/services/ -->

<?xml version="1.0" encoding="utf-8"?>
<service>
 <short>SSH</short>
 <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
 <port protocol="tcp" port="10178"/>
</service> 

Reload the firewalld configuration:


[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --reload
success

Prohibit ping

Add the following rules to the firewall and reload the configuration:


[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --permanent --add-icmp-block=echo-reply
[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --permanent --add-icmp-block=echo-request
[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --reload
