You will need super user or root privileges to add a new user to the Ubuntu server.

Follow these steps to create the new user account:

In Linux systems, the adduser command is higher level command to quickly add a new user to the system. Since adduser requires root privileges, we need to use sudo along with the command, adduser completes following operations:

If you want to skip the password prompt and finger information while adding the new user, use the following command:

$ sudo adduser --disabled-password --gecos "" username

Alternatively, you can use the useradd command as follows:

$ sudo useradd -s <SHELL> -m -d <HomeDir> -g <Group> UserName

Where:

Creating a user with the command useradd does not set password for the user account. You can set or change the user password with the following command:

$sudo passwd bob

This will change the password for the user account bob.

With adduser, you can do five different tasks:

Check out the manual page man adduser to get more details.

You can also configure various default settings for the adduser command. A configuration file /etc/adduser.conf can be used to set the default values to be used by the adduser, addgroup, and deluser commands. A key value pair of configuration can set various default values, including the home directory location, directory structure skel to be used, default groups for new users, and so on. Check the manual page for more details on adduser.conf with following command:

$ man adduser.conf

You will need a user account with root or root privileges.

Follow these steps to create a user account in batch mode:

We created a database of user details listed in same format as the passwd file. The default format for each row is as follows:

username:passwd:uid:gid:full name:home_dir:shell

Where:

The new user command reads each row and updates the user information if the user already exists, or it creates a new user.

We made the users.txt file accessible to owner only. This is to protect this file, as it contains the user's login name and password in unencrypted format.

You will need super user or root privileges to add a group to the Ubuntu server.

Follow these steps to create a group:

Here, we are simply adding a new group guest to the server. As addgroup needs root privileges, we need to use sudo along with the command. After creating a new group, addgroup displays the GID of the new group.

Similar to adduser, you can use addgroup in different modes:

Check out the manual page for the addgroup(man addgroup) to get more details.

You will need super user or root privileges to add a group member to the Ubuntu server.

Follow these steps to add group members:

As mentioned previously, you can use the adduser command to add an existing user to an existing group. Here, we have passed two non-option arguments:

Alternatively, you can use the command usermod to modify the group assigned to the user:

$ sudo usermod -g <group> <username>

To add a user to multiple groups, use the following command:

$ sudo usermod -a -G <group1>,<group2>,<group3> <username>

This will add <username> to <group1>, <group2>, and <group3>. Without flag –a, any previously assigned groups will be replaced with new groups.

You will need super user or root privileges to delete a group from the Ubuntu server.

Follow these steps to delete the user account:

Here, we used the deluser command with the option --remove-home. This will delete the user account named john and also remove the home and mail spool directories associated with john. By default, the deluser command will delete the user without deleting the home directory.

It is a good idea to keep a backup of user files before removing the home directory and any other files. This can be done with an additional flag along with the deluser command:

$ deluser --backup --remove-home john

This will create a backup file with the name john.tar.gz in the current working directory, and then the user account and the home directory will removed.

When called with the --group option, the deluser command will remove the group. Similarly, when called with two non-option arguments, the deluser command will try to remove a user from a specific group:

$ deluser john guest # this will remove user john from group guest
$ deluser --group guest # this will remove a group

If you want to disable the user account rather than delete it, you can do it with the following commands:

$ sudo usermod --expiredate 1 john # disable the user account john
$ sudo usermod --expiredate "" john # re-enable user account john
$ sudo usermod -e YYYY-MM-DD john # specify expiry date

Create two users, user1 and user2. Create new group editor and add user1 and user2 as members.

Follow these steps to manage file permissions, follow these steps:

When you create a new file or directory in Ubuntu, the default permissions for files are read and write access to owner and owner's private group, along with read, write, and execute access for directories. You can check the default setting with umask -S.

In our example, we have user1 and user2. Both of them are members of the editor group. When user1 creates a file, the default permissions are limited to user1 and its private group (user1) named after the user account. This is the reason user2 sees Permission denied on editing file. By changing the group of documents to editor we allow all members of editor to read and write to files in documents.

With the chmod command, we can set permissions at a more granular level. In our example of hello.sh, we have set the executable permission for hello.sh. Similarly, we can set read permission as follows:

$chmod +r filename

To set write permission, use the following command:

$chmod +w filename

You can set more selective permissions with additional parameters before mode expression as follows:

$chmod ugo+x filename

Here, u sets the permission for user, g for group, and o for all others.

To remove permissions, replace + with -. For example, $chmod o-w filename. Alternatively, you can use the Octal format to specify permissions:

$chmod 777 filename

This gives read, write, and execute permission to user group and others, whereas the command $chmod 600 filename gives set, read, and write permissions for owner and no permission to groups and others. In Octal format [777], the first bit is used for the user or owner of the file, the second bit is for group, and the third bit is for everyone else. Check out the following table for more information:

Finally, when you share files within a group of users, there are chances that someone deletes the file that is required by other users. Sticky bit can protect these file from deletion. When sticky bit is set, only the owner or a user with root privileges can delete a file.

You can set sticky bit with the command chmod as $chmod +t directoryName. Sticky bit is shown in long listing (ls -l) with symbol t or T. Additionally, sticky bit works only with directories and is ignored on ordinary files.

Many times when working as a root user, all files and directories created are owned by root. A non-root user can't write to these directories or files. You can use the command chown to change the ownership of such files and assign them to respective users.

To change ownership of a file, use the following command:

$chown newuser filename

To change the owner as well as the group of file, use the following command:

$chown newuser:newgroup filename

You can skip changing owner and change only the group with the following command:

$chown :newgroup filename

Note that the chown command can only be used by users with root privileges.

You will need a root account or an account with root privileges.

Follow these steps to get the root privileges with sudo:

All sudo access rules are configured in a file located at /etc/sudoers. This file contains a list of users and groups that are allowed to use the sudo command:

alan ALL=(ALL:ALL)ALL // allow sudo access to user alan
%sudo  ALL=(ALL)  ALL // allow sudo access to members of sudo

The line alan ALL=(ALL:ALL) ALL specifies that the user alan can run any command as any user and optionally set any group (taken from man pages for sudoers: man sudoers).

The entry %sudo ALL=(ALL) ALL specifies that any member of system group sudo can run any command as any user.

All we have to do is add a new user to the group sudo and that user will automatically get sudo privileges. After getting the membership of the sudo group, user needs to log out and log back in for the changes to take effect. Basically, the user shell needs to be restarted with new privileges. Optionally, you can always go and change the sudoers file for a specific condition.

Here, we will discuss how to set a password-less sudo and some additional benefits of sudo.

User account with root privileges is required.

Following are the steps to set the resource limits:

PAM stands for pluggable authentication module. The PAM module pam_limits.so provides functionality to set a cap on resource utilization. The command ulimit can be used to view current limits as well as set new limits for a session. The default values used by pam_limits.so can be set in /etc/security/limits.conf.

In this recipe, we are updating limits.conf to set a limit on CPU uses by user username. Limits set by the ulimit command are limited to that session. To set the limits permanently, we need to set them in the limits.conf file.

The syntax of the limits.conf file is as follows:

<domain> <type> <item> <value>

Here, <domain> can be a username, a group name, or a wildcard entry.

<type> denotes the type of the limit and it can have the following values:

<item> is the resource to set the limit for. You can get a list of all items with $ulimit –a:

In our example, we have set soft limit on CPU uses to 0 minutes and hard limit to 1000 minutes. You can changes soft limit values with the ulimit command. To view existing limits on open files, use the command $ulimit -n. To change limits on open files, pass the new limit as follows:

$ulimit -n 4096

An unprivileged process can only set its soft limit value between 0 and hard limit, and it can irreversibly lower hard limit. A privileged process can change either limit values.

The command ulimit can be used to set limits on per process basis. You can't use the ulimit command to limit resources at the user level. You can use cgroups to set a cap on resource use.

You might need root privileges for certain tasks.

Follow these steps to set up public key authentication:

Logging in with SSH supports different authentication methods. Public key authentication and password-based authentication are two common methods. To log in with public key authentication, we need a public private key pair. We generate this key pair with the ssh-keygen command. This command creates two files under the .ssh directory in the user's home:

You can view the contents of the files with $cat id_rsa.pub. It should start with something like ssh-rsa AAAA...(except for the trailing dots).

We then copy the contents of public key to the server's authorized_keys file. Ensure that all contents are listed on single line in the authorized_keys file.

Also, ensure the permissions are properly set for the .ssh directory, and ensure that the authorized_keys file and directory are owned by the user. The permissions for the .ssh directory limits read, write, and execute permissions to the owner of the file. Similarly, for authorized_keys file, permissions are limited to read and write for owner only. This ensures that no other user can modify the data in the .ssh directory. If these permissions are not properly set, the SSH daemon will raise the warning Permission denied?.

You might be searching for a secure option to install key on server. Here's one way!

If your local system has the ssh-copy-id tool installed, you can directly add your public key to the server's authorized_keys file with a single command:

$ ssh-copy-id john@serverdomain

After providing the password, your local public key will be added to the authorized_keys file under the .ssh directory of the user john.

Follow these steps to secure the user account:

This recipe discussed a few important steps to make user accounts more secure.

A password is the most important aspect in securing user accounts. A weak password can be easily broken with brute force attacks and dictionary attacks. It is always a good idea to avoid password-based authentication, but if you are still using it, then make sure you enforce a strong password policy.

Password authentication is controlled by the PAM module pam_unix, and all settings associated with login are listed at /etc/pam.d/login. An additional configuration file /etc/pam.d/common-password includes values that control password checks.

The following line in the primary block of common-password file defines the rules for password complexity:

password [success=1 default=ignore] pam_unix.so obscure sha512

The default setting already defines some basic rules on passwords. The parameter obscure defines some extra checks on password strength. It includes the following:

The other parameter, sha512, states that the new password will be encrypted with the sha512 algorithm. We have set another option, minlen=8, on the same line, adding minimum length complexity to passwords.

Additionally, we have set alphanumeric checks for new passwords with the PAM module pam_cracklib:

password requisite pam_cracklib.so ucredit=-1 lcredit=-1 dcredit=-1  ocredit=-1

The preceding line adds requirement of one uppercase letter, one lowercase letter, one digit (dcredit), and one special character (ocredit)

There are other PAM modules available, and you can search them with the following command:

$ apt-cache search limpam-

You might also want to secure the home directory of users. The default permissions on Ubuntu allow read and execute access to everyone. You can limit the access on the home directory by changing permission on the home directory as required. In the preceding example, we changed permissions to 750. This allows full access to the user, and allows read and execute access to the user's primary group.

You can also change the default permissions on the user's home directory by changing settings for the adduser command. These values are located at /etc/adduser.conf. We have changed default permissions to 750, which limits access to the user and the group only.

Additionally, you can disable remote login for the root account as well as disable password-based authentication. Public key authentication is always more secure than passwords, unless you can secure your private keys. Before disabling password authentication, ensure that you have properly enabled public key authentication and you are able to log in with your keys. Otherwise, you will lock yourself out of the server.

You might want to install a tool like fail2ban to watch and block repeated failed actions. It scans through access logs and automatically blocks repeated failed login attempts. This can be a handy tool to provide a security against brute force attacks.