Table of Contents
- Server User Setup with SSH Key Authentication
- Prerequisites
- Step 1: Generate SSH Keypair (Local Machine)
- Step 2: Create New User on Server (Server Console as Root)
- Step 3: Add User to Sudo Group (Server Console as Root)
- Step 4: Set Up SSH Directory for New User (Server Console as Root)
- Step 5: Add Public Key to Server (Local Machine → Server)
- Step 6: Configure SSH (Optional but Recommended)
- Step 7: Test SSH Connection (Local Machine)
- Step 8: Test Sudo Access (Server as New User)
- Step 9: Disable Root Login and Password Authentication (Server Console)
- Troubleshooting
- Security Best Practices
- Quick Reference Commands
Server User Setup with SSH Key Authentication
This guide covers creating a new user account on a server, setting up SSH key authentication, and configuring sudo access.
Prerequisites
- Console root access to the server
- A local (Linux) machine where you'll generate the SSH keypair
Step 1: Generate SSH Keypair (Local Machine)
On your local Linux machine, generate an SSH keypair:
ssh-keygen -t ed25519 -C "your_email@example.com"
When prompted:
- Enter file in which to save the key: You can specify a custom name, e.g., /home/yourusername/.ssh/id_ed25519_servername
- Enter passphrase: Choose a strong passphrase (recommended) or leave empty for no passphrase
This creates two files:
- id_ed25519_servername - Your private key (keep this secure)
- id_ed25519_servername.pub - Your public key (this goes on the server)
Alternative: RSA Keys
If you need RSA keys for compatibility:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Verify Keys Were Created
ls -la ~/.ssh/
You should see your newly created keypair files.
Step 2: Create New User on Server (Server Console as Root)
Log into your server console as root and create a new user:
adduser username
Replace username with your desired username. You'll be prompted to:
- Set a password
- Enter optional user information (can be left blank)
Step 3: Add User to Sudo Group (Server Console as Root)
Grant sudo privileges by adding the user to the administrative group. That group is named sudo on Debian/Ubuntu; other distributions commonly use a different one (typically wheel), so adjust the group name to your system:
usermod -aG sudo username
Verify the user was added to the sudo group:
groups username
Step 4: Set Up SSH Directory for New User (Server Console as Root)
Create the SSH directory and authorized_keys file for your new user:
mkdir -p /home/username/.ssh
touch /home/username/.ssh/authorized_keys
chmod 700 /home/username/.ssh
chmod 600 /home/username/.ssh/authorized_keys
chown -R username:username /home/username/.ssh
Step 5: Add Public Key to Server (Local Machine → Server)
Option A: Copy Public Key Content Manually
On your local machine, display your public key:
cat ~/.ssh/id_ed25519_servername.pub
Copy the entire output, then on your server console (as root):
nano /home/username/.ssh/authorized_keys
Paste the public key content, save (Ctrl+O, Enter), and exit (Ctrl+X).
Option B: Use ssh-copy-id (If SSH is Already Enabled)
If you can still log in with the password set in Step 2 (password authentication stays enabled until Step 9), ssh-copy-id appends the key for you and creates the .ssh directory and authorized_keys file with the correct modes:
ssh-copy-id -i ~/.ssh/id_ed25519_servername.pub username@your_server_ip
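Steps 2 to 5 combined into one script, added here as an example rather than taken from the guide. It assumes a Debian/Ubuntu server (adduser and a group named sudo; RHEL-family hosts use useradd -m and the wheel group), is run as root on the server console with the username and a copy of the .pub file as arguments, and is safe to re-run: it skips an existing account, appends the key only if it is not already present, and refuses lines that are not in authorized_keys format. The key-format check is a syntactic regex, not a cryptographic validation; the ssh-keygen call at the end prints the fingerprints of what was actually installed.

```shell
#!/usr/bin/env bash
# provision_ssh_user.sh: Steps 2-5 of this guide as one idempotent script.
# Added example, not part of the original guide. Assumes Debian/Ubuntu
# (adduser, group "sudo"); on RHEL-family hosts use useradd -m and "wheel".
# Usage (as root on the server console): ./provision_ssh_user.sh alice alice.pub
set -eu

# Syntactic check of one authorized_keys line: key type, base64 blob, optional
# comment. Not a cryptographic validation; ssh-keygen -l -f FILE does that.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+={0,2}( .*)?$'
}

# Create ~/.ssh and authorized_keys with the modes sshd's StrictModes requires
# (700 / 600, owned by the user) and append the key exactly once.
# $1 = home directory, $2 = owner as user:group, $3 = public key line
install_authorized_key() {
    local home="$1" owner="$2" key="$3"
    local dir="$home/.ssh" file="$home/.ssh/authorized_keys"
    valid_pubkey_line "$key" || { echo "refusing malformed key line" >&2; return 1; }
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$file"
    chmod 600 "$file"
    # -x whole-line match, -F fixed string: append only if this exact line is absent
    grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >> "$file"
    # chown needs root; when run unprivileged (e.g. in a test) the files are already ours
    if [ "$(id -u)" -eq 0 ]; then chown -R "$owner" "$dir"; fi
    # sshd (StrictModes yes, the default) also ignores authorized_keys when the
    # home directory itself is group- or world-writable; report that here.
    if [ -n "$(find "$home" -maxdepth 0 \( -perm -g+w -o -perm -o+w \))" ]; then
        echo "warning: $home is group/world-writable; sshd will ignore the key" >&2
        return 2
    fi
}

# Step 2 (interactive password prompt, as in the guide) and Step 3.
# Both are skipped when already done.
create_sudo_user() {
    local user="$1"
    id -u "$user" >/dev/null 2>&1 || adduser --gecos "" "$user"
    id -nG "$user" | tr ' ' '\n' | grep -qx sudo || usermod -aG sudo "$user"
}

main() {
    local user="$1" keyfile="$2" key
    create_sudo_user "$user"
    # first line only, so a .pub file with a trailing blank line is fine
    key=$(head -n 1 "$keyfile")
    install_authorized_key "/home/$user" "$user:$user" "$key"
    echo "keys now authorized for $user:"
    ssh-keygen -l -f "/home/$user/.ssh/authorized_keys"
}

# Only run when invoked with both arguments; sourcing the file exposes the functions.
if [ "$#" -eq 2 ]; then main "$@"; fi
```

The order inside install_authorized_key matters less than the end state: sshd checks ownership and modes of the home directory, .ssh and authorized_keys on every login, which is why the script reports a writable home directory instead of silently succeeding.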
Step 6: Configure SSH (Optional but Recommended)
On your local machine, create or edit your SSH config file:
nano ~/.ssh/config
Add an entry for easy connection:
Host servername
HostName your_server_ip_or_domain
User username
IdentityFile ~/.ssh/id_ed25519_servername
Port 22
Save and exit. Now you can connect with just:
ssh servername
Step 7: Test SSH Connection (Local Machine)
Test your SSH connection:
ssh -i ~/.ssh/id_ed25519_servername username@your_server_ip
Or if you configured your SSH config file:
ssh servername
Step 8: Test Sudo Access (Server as New User)
Once logged in as your new user, test sudo access:
sudo whoami
This should return root after you enter the password you set for this user in Step 2 (the user's own password, not root's).
Step 9: Disable Root Login and Password Authentication (Server Console)
For security, after confirming SSH key authentication works, disable root login and password authentication.
Edit the SSH daemon configuration:
sudo nano /etc/ssh/sshd_config
Find and modify these lines (uncomment them if they are commented out; sshd uses the first value it reads for each keyword, so a later commented-out default does not matter):
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
On recent Debian and Ubuntu releases, sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, and those drop-in files are read before the rest of the file. Cloud images often ship a drop-in (for example one written by cloud-init) that sets PasswordAuthentication yes, which silently overrides your edit. Check that directory and correct any such file as well.
Save and exit, check the configuration for syntax errors, then restart SSH:
sudo systemctl restart sshd
Warning: Only do this after confirming you can successfully log in with your SSH key. Restarting sshd does not close sessions that are already established, so keep your root console and a working key-based session open, and test a fresh login from a second terminal before you disconnect anything.
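Step 9 done defensively, as an added example rather than the guide's own commands: it writes the settings to a drop-in file that sorts before every other drop-in, reports any other drop-in that would re-enable passwords or root login, runs sshd's syntax check, and then verifies the effective configuration that sshd -T reports instead of trusting the file that was edited. It assumes OpenSSH 8.2 or later with the Include line that recent Debian and Ubuntu releases ship, and the file name 00-hardening.conf is this example's choice. The check_effective function can also be run on its own against saved sshd -T output.

```shell
#!/usr/bin/env bash
# harden_sshd.sh: Step 9 applied through a drop-in, with verification.
# Added example, not from the guide. Assumes /etc/ssh/sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf" (recent Debian/Ubuntu, OpenSSH 8.2+).
set -eu

# Settings we require, in the lowercase "keyword value" form that sshd -T prints.
# On OpenSSH older than 8.7 the last one is reported as challengeresponseauthentication.
REQUIRED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no'

# $1 = text of `sshd -T` (the effective config after Includes are resolved).
# Prints each required setting whose effective value differs; returns 1 if any do.
check_effective() {
    local dump="$1" bad=0 kw want have
    while read -r kw want; do
        have=$(printf '%s\n' "$dump" | awk -v k="$kw" '$1 == k { print $2; exit }')
        if [ "$have" != "$want" ]; then
            printf '%s: want %s, effective %s\n' "$kw" "$want" "${have:-<unset>}"
            bad=1
        fi
    done <<EOF
$REQUIRED
EOF
    return $bad
}

# List drop-ins in $1 that re-enable what we are disabling (cloud images often
# ship 50-cloud-init.conf with "PasswordAuthentication yes").
find_overrides() {
    grep -Eil '^[[:space:]]*(PasswordAuthentication[[:space:]]+yes|PermitRootLogin[[:space:]]+yes)' \
        "$1"/*.conf 2>/dev/null || true
}

# Write our settings to a file that sorts first in $1. sshd keeps the first
# value it sees for a keyword, so 00-hardening.conf wins over 50-cloud-init.conf.
write_dropin() {
    local dir="$1" f="$1/00-hardening.conf"
    mkdir -p "$dir"
    printf 'PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\nKbdInteractiveAuthentication no\n' > "$f"
    chmod 644 "$f"
    echo "$f"
}

main() {
    local dir=/etc/ssh/sshd_config.d overrides
    grep -q '^Include /etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config ||
        { echo "no Include line: edit /etc/ssh/sshd_config directly as in Step 9" >&2; exit 1; }
    overrides=$(find_overrides "$dir")
    [ -z "$overrides" ] || echo "note: these drop-ins will be overridden: $overrides"
    write_dropin "$dir"
    sshd -t                                 # syntax check; set -e aborts before any restart
    check_effective "$(sshd -T)"            # verify the effective values, not the file
    systemctl reload ssh || systemctl reload sshd   # established sessions survive a reload
    echo "done; keep this session open and test a fresh login from another terminal"
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as root with --apply. If check_effective prints a mismatch, some other configuration source (a Match block, a differently named drop-in, or a distribution default) still wins; sshd -T is the place to look, because it shows what the daemon will actually enforce.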
Troubleshooting
Permission Denied (publickey)
- Verify the public key was added as a single line to ~/.ssh/authorized_keys on the server
- Check file permissions on the server (directory: 700, authorized_keys: 600, both owned by the user); sshd also ignores the file when the user's home directory is group- or world-writable
- Ensure you're using the correct private key
- Check SSH logs on server:
sudo tail -f /var/log/auth.log
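The "check SSH logs" step is easier with a classifier than with tail, so here is an added example (not from the guide) that counts sshd authentication outcomes from /var/log/auth.log or, on hosts that log only to the journal, from journalctl. The embedded sample lines are constructed in sshd's message format with documentation addresses and made-up fingerprints; they are not a capture from a real host. Run it with --sample to see the output offline, or with --live on the server.

```shell
#!/usr/bin/env bash
# triage_sshd_log.sh: summarise sshd authentication events. Added example, not
# from the guide. Sample lines below are constructed, not captured.
set -eu

# Constructed sample in sshd's log format (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges; fingerprints are made up).
SAMPLE_LOG='Mar  3 10:01:12 srv sshd[2201]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:0DmEB4q2wXt8Zr5V1NnLcJpKd3sGyH7aF9eTbUvRiMo
Mar  3 10:02:40 srv sshd[2210]: Failed publickey for alice from 203.0.113.5 port 51240 ssh2: ED25519 SHA256:Yx3nVq8LpR2tB7sWm1KcD9fH5jZ4gN6eA0uTiC3lPoQ
Mar  3 10:02:40 srv sshd[2210]: Connection closed by authenticating user alice 203.0.113.5 port 51240 [preauth]
Mar  3 10:05:03 srv sshd[2230]: Authentication refused: bad ownership or modes for directory /home/alice
Mar  3 10:07:19 srv sshd[2244]: Invalid user admin from 198.51.100.9 port 40122
Mar  3 10:07:21 srv sshd[2244]: Failed password for invalid user admin from 198.51.100.9 port 40122 ssh2
Mar  3 10:08:00 srv sshd[2251]: Accepted password for bob from 198.51.100.20 port 40200 ssh2'

# Read log lines on stdin; print one "category count" line per category:
#   accepted_key  successful public-key logins
#   failed_key    a key was offered but not accepted (not in authorized_keys, or wrong key file)
#   bad_modes     sshd ignored authorized_keys because of ownership or permissions
#   password      password attempts, accepted or failed (should be zero after Step 9)
#   invalid_user  attempts against usernames that do not exist
# OpenSSH 9.8+ logs per-connection messages under the tag sshd-session[pid],
# hence the optional "-session" in the patterns.
triage() {
    awk '
        /sshd(-session)?\[[0-9]+\]: Accepted publickey/      { c["accepted_key"]++ }
        /sshd(-session)?\[[0-9]+\]: Failed publickey/        { c["failed_key"]++ }
        /Authentication refused: bad ownership or modes/     { c["bad_modes"]++ }
        /sshd(-session)?\[[0-9]+\]: (Accepted|Failed) password/ { c["password"]++ }
        /Invalid user|invalid user/                          { c["invalid_user"]++ }
        END {
            n = split("accepted_key failed_key bad_modes password invalid_user", k, " ")
            for (i = 1; i <= n; i++) print k[i], c[k[i]] + 0
        }'
}

# Pick the log source: auth.log where rsyslog writes it, otherwise the journal.
ssh_log() {
    if [ -r /var/log/auth.log ]; then
        cat /var/log/auth.log
    else
        journalctl -u ssh -u sshd --no-pager 2>/dev/null
    fi
}

case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_LOG" | triage ;;
    --live)   ssh_log | triage ;;
esac
```

Reading the sample: a Failed publickey line followed by Connection closed by authenticating user is a client that offered a key the server does not have (or the wrong -i file); bad ownership or modes points straight at the permission checks above. A non-zero password count after Step 9 means password authentication is still enabled somewhere, most often in a drop-in under /etc/ssh/sshd_config.d.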
Can't Use Sudo
- Verify the user is in the sudo group:
groups username
- Check that the /etc/sudoers file hasn't been misconfigured
Locked Out After Disabling Password Auth
- Use the server console to access as root
- Re-enable PasswordAuthentication temporarily
- Fix SSH key setup
- Test thoroughly before disabling again
Security Best Practices
- Always use a passphrase for your private keys
- Keep private keys secure - never share them or commit to version control
- Use fail2ban to protect against brute force attacks:
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
- Change the default SSH port (edit /etc/ssh/sshd_config). This cuts log noise from automated scanners but is not a security control on its own; key-only authentication is what stops the attacks. If you do change it, allow the new port in the firewall before restarting SSH, because the ufw OpenSSH profile only opens port 22
- Regularly update your system:
sudo apt update && sudo apt upgrade
- Consider using a firewall (ufw). Run the allow rule before enable, in that order, or you will cut off your own SSH session:
sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw enable
Quick Reference Commands
# Generate SSH key
ssh-keygen -t ed25519 -C "email@example.com"
# Copy public key to server
ssh-copy-id -i ~/.ssh/keyname.pub user@host
# Connect with specific key
ssh -i ~/.ssh/keyname user@host
# Test sudo access
sudo whoami
# View SSH logs (on Server)
sudo tail -f /var/log/auth.log
# Restart SSH daemon
sudo systemctl restart sshd