How to manage a second user on an amazon ec2 node

In this tutorial, we are going to see how to manage a second user on Amazon Web Service Elastic Compute (AWS EC2). When a node is launched it allows the user (us) to either choose an existing Permission Key or create a new one. No matter the choice, whichever option is chosen , a permission key is and will be the only way to log into any of the linux node. That permission is tied to only a user which is automatically generated and is the default user in the system. We will be using Ubuntu for this tutorial and the default generated user is ubuntu which happens to be a sudoer as well.

There are situations where one does not wish to share the only access to the system with any other person and based on various policies and various organizations, every system user ought to have his/her own login credentials for audit purpose etc. So let’s say I wanted to create an account for Arnold Schwarzenegger 😀 to deploy an application he has developed. In this tutorial, we will see how arnold will have a sudo total privilege and how he will be created with limited privileges.

Let’s log into our ubuntu instance

$ ssh -i ByakuganAccessKeyPair.pem [email protected]

Let’s create an user account for arnold

sudo adduser arnold
sudo: unable to resolve host ip-172-30-0-189
Adding user <code>arnold' ...
Adding new group </code>arnold' (1001) ...
Adding new user <code>arnold' (1001) with group </code>arnold' ...
Creating home directory <code>/home/arnold' ...
Copying files from </code>/etc/skel' ...

#here were prompted to enter arnold's password

Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for arnold

#here we are asked for details about arnold

Enter the new value, or press ENTER for the default
	Full Name []: Arnold Schwarzenegger
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
#here we are asked for confirmation

Is the information correct? [Y/n] y

Now that we have an account for Arnold , we need to login as Arnold in order to generate a key for his account.

$ su arnold

#here we are prompted for arnold's password
Password:

When the correct password is entered we will now act as arnold even though we logged in as ubuntu user and the linux prompt would display something similar to the following

[email protected]:/home/ubuntu$

Obviously your hostname would be different from ip-172-30-0-189 where 172.30.0.189 is the private IP of the node. Le’ts go to Arnold’s home folder and generate his login key

$ cd 
$ ssh-keygen -b 1024 -f arnold.pem -t dsa
Generating public/private dsa key pair.

#here we are prompted for a passphrase. We ignored this part by pressing enter twice. So there is no passphrase needed for our purpose

Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 

Your identification has been saved in arnold.pem.
Your public key has been saved in arnold.pem.pub.
The key fingerprint is: blablabla and ramdomart blablabla

Before we continue let’s take some time to explain our commands.

  • ssh keys are ways to identify trusted computers mainly or trusted individuals without involving password in the process of authentication.
  • ssh-keygen is an linux/unix utility to create,manage,convert ssh keys.
  • the -b switch indicates the number of bits of the key. here we used 1024
  • the -f switch only indicates the name of the file we want the key to be generated in. without that file name it will be generated in the default file /home/you/.ssh/id_rsa)
  • the -t switch indicates the type of key we want which is dsa. The other option is also rsa . In case you need more information about rsa and dsa please check out this security.stackexchange.com post

Now our command would have created a pair of keys for us, the puclic key arnold.pem.pub and the private key arnold.pem. In order for our node to give ssh access to arnold it needs to be instructed on which key to authorized. That is done with a special file that should be located in the home folder of each user needing the ssh key authentication: /home/you/.ssh/authorized_keys

Let’s then setup our authorized key for arnold. Remember we are still logged in as Arnold and in Arnold’s home folder.

# ~ indicates the relative home folder of the currently logged user
[email protected]:~$ mkdir .ssh

# copying Arnold's public key to his authorized_keys

[email protected]:~$ cat  arnold.pem.pub > .ssh/authorized_keys

#let's exit Arnolds' account to our account Ubuntu to gain more privileges for a number of commands which would follow

[email protected]:~$ exit

We will need to set the right privileges for both the .ssh folder and the authorized_keys file. the folder needs to be of the permission 700 and the file of the permission 600. For some reasons, the group owner of the folder and file needs to be of the group of user with which the node is created, which is ubuntu in this case.

[email protected]:~$ cd /home/arnold
[email protected]:/home/arnold$ sudo chown -R arnold:ubuntu .ssh

# Changing the permission on the folder with read-write-execute for arnold

[email protected]:/home/arnold$ sudo chmod 700 .ssh/

# Changing the permission on the file with read-write for arnold

[email protected]:/home/arnold$ sudo chmod 600 .ssh/authorized_keys

Now Based on your requirement, you can either leave arnold as such or elevate arnold to suoder level.

Privileges for Anorld

We are going to edit the sudoer file and it’s recommended to edit the file with a special file editor meant for that which has the merit to validate some of the things we will put there. In some machined you can be asked to choose which of your editor you want visudo to mimic: nano,vim, forgotten the third one 😀 . Be extra careful when playing around with this file, you might totally loose control of your box if you make any stupid mistake, we classify that type of mistake as Monkeyfication

Full Sudoer with password when going sudo mode

#this command will open the /etc/sudoer file. 
[email protected]:/home/arnold$ sudo visudo

You can actually add the our entry at the bottom of the sudoer file but I follow some of the grouping of the file . So it’s more of a personal approach, you are free to edit the file where you want.

#Locate the part root    ALL=(ALL:ALL) ALL and append the following save and exit:
arnold    ALL=(ALL) ALL

Full Sudoer without password when going sudo mode

#this command will open the /etc/sudoer file. 
[email protected]:/home/arnold$ sudo visudo
#Locate the part root    ALL=(ALL:ALL) ALL and append the following save and exit:
arnold    ALL=(ALL) NOPASSWD:ALL

Limited Sudoer with password when going sudo mode

Here I am referring to Limited to illustrate that the user only has a limited set of command he/she can perform and that is still defined in the sudoer file with the Command Alias strategy. In order to avoid repetition, it’s best to assign a command alias to a group rather than to a user. Let’s say we wanted to have a group of deployers.

So let’s create our secondary group deployers and add arnold to that group

# creating the deployers group
sudo groupadd deployers

#adding arnold to the deployers group
sudo usermod -a -G deployers arnold

That done, let’s edit our sudoer file and have it look like the following

# adding the set of command we want to allow to our deployers group

Cmnd_Alias  DEPLOYERS = /etc/init.d/tomcat7,/sbin/sh,/usr/bin/less,/usr/bin/nano,/bin/rm,/usr/find,/usr/bin/unzip,/usr/bin/tail,/usr/bin/touch,/usr/bin/tar,/bin/cp,/bin/mv,/etc/init.d/tomcat7,/usr/bin/mysql,/bin/mkdir

#adding the deployers group to the sudoers limited to the DEPLOYERS command alias

%deployers ALL=(ALL) DEPLOYERS

with this alias we are allowing the following

  • tomcat7 utility file in init.d
  • sh to execute some shell programs
  • less utility t peek into large files
  • ability to use nano file editor
  • ability to remove a file
  • ability to use find to search for files
  • ability to use unzip
  • ability to use tail command to follow some files
  • ability to use touch command to create files
  • ability to use tar command to compress decompress etc
  • ability to use cp command to cp folders and files
  • ability to use mv to rename or move folders and files
  • ability to use mysql client
  • ability to use mkdir command to create some folders

Now that all access control matters are solve we will need to get the arnold.pem private key file to Arnold Schwarzenegger to login with. You can either open the file using less command and copy the file and paste it somewhere on your own machine by opening gedit or sublime, or download it using scp/winscp to your machine.

To check if everything is alright, lets connect back using Arnold’s credentials

$ ssh -i arnold.pem [email protected]

Voila!! you are up . Thanks for reading this

Leave a Comment

Your email address will not be published. Required fields are marked *

captcha * Time limit is exhausted. Please reload the CAPTCHA.