In this tutorial we are going to see how to manage a second user on Amazon Web Services Elastic Compute Cloud (AWS EC2). When a node is launched, AWS lets us either choose an existing key pair or create a new one. Whichever option is chosen, that key pair is and will be the only way to log into the Linux node, and it is tied to a single user that is generated automatically and is the default user on the system. We will be using Ubuntu for this tutorial; its default generated user is ubuntu, which happens to be a sudoer as well.
There are situations where one does not wish to share the only access to the system with anyone else, and under the policies of many organizations every system user ought to have his or her own login credentials, for audit purposes among other things. So let’s say I wanted to create an account for Arnold Schwarzenegger 😀 so that he can deploy an application he has developed. In this tutorial we will see both how arnold can be given full sudo privileges and how he can be created with limited privileges.
Let’s log into our ubuntu instance
[bash]
$ ssh -i ByakuganAccessKeyPair.pem ubuntu@someip
[/bash]
Let’s create a user account for arnold
[bash]
$ sudo adduser arnold
# this warning only means the instance hostname is missing from /etc/hosts; it is harmless
sudo: unable to resolve host ip-172-30-0-189
Adding user `arnold' ...
Adding new group `arnold' (1001) ...
Adding new user `arnold' (1001) with group `arnold' ...
Creating home directory `/home/arnold' ...
Copying files from `/etc/skel' ...
# here we are prompted to enter arnold’s password
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for arnold
# here we are asked for details about arnold
Enter the new value, or press ENTER for the default
	Full Name []: Arnold Schwarzenegger
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
# here we are asked for confirmation
Is the information correct? [Y/n] y
[/bash]
Now that we have an account for Arnold, we need to log in as Arnold in order to generate a key for his account.
[bash]
$ su arnold
# here we are prompted for arnold’s password
Password:
[/bash]
Once the correct password is entered we act as arnold, even though we logged in as the ubuntu user, and the Linux prompt will display something similar to the following
[bash]
arnold@ip-172-30-0-189:/home/ubuntu$
[/bash]
Obviously your hostname will differ from ip-172-30-0-189, where 172.30.0.189 is the private IP of the node. Let’s go to Arnold’s home folder and generate his login key
[bash]
$ cd
$ ssh-keygen -b 1024 -f arnold.pem -t dsa
Generating public/private dsa key pair.
# here we are prompted for a passphrase; we skipped it by pressing enter twice, so no passphrase is needed for our purpose
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in arnold.pem.
Your public key has been saved in arnold.pem.pub.
The key fingerprint is: <fingerprint>
The key's randomart image is: <randomart>
[/bash]
Before we continue let’s take some time to explain our commands.
- ssh keys are a way to identify trusted computers, or trusted individuals, without involving a password in the authentication process.
- ssh-keygen is a linux/unix utility to create, manage and convert ssh keys.
- the -b switch indicates the number of bits of the key; here we used 1024
- the -f switch only indicates the name of the file we want the key generated in; without it the key is written to the default file (/home/you/.ssh/id_rsa for an rsa key)
- the -t switch indicates the type of key we want, here dsa. The other option is rsa. If you need more information about rsa versus dsa, check out this security.stackexchange.com post
Now our command has created a pair of keys for us: the public key arnold.pem.pub and the private key arnold.pem. For the node to grant ssh access to arnold it must be told which key to authorize. That is done with a special file located in the home folder of each user who needs ssh key authentication: /home/you/.ssh/authorized_keys
Let’s then set up our authorized key for arnold. Remember we are still logged in as Arnold and in Arnold’s home folder.
[bash]
# ~ indicates the home folder of the currently logged-in user
arnold@ip-172-30-0-189:~$ mkdir .ssh
# copying Arnold’s public key into his authorized_keys
arnold@ip-172-30-0-189:~$ cat arnold.pem.pub > .ssh/authorized_keys
# let’s exit Arnold’s account back to our ubuntu account to gain the privileges needed for the commands that follow
arnold@ip-172-30-0-189:~$ exit
[/bash]
We will need to set the right permissions on both the .ssh folder and the authorized_keys file: the folder needs permission 700 and the file permission 600. For some reason, the group owner of the folder and the file needs to be the group of the user the node was created with, which is ubuntu in this case.
[bash]
ubuntu@ip-172-30-0-189:~$ cd /home/arnold
ubuntu@ip-172-30-0-189:/home/arnold$ sudo chown -R arnold:ubuntu .ssh
# Changing the permission on the folder with read-write-execute for arnold
ubuntu@ip-172-30-0-189:/home/arnold$ sudo chmod 700 .ssh/
# Changing the permission on the file with read-write for arnold
ubuntu@ip-172-30-0-189:/home/arnold$ sudo chmod 600 .ssh/authorized_keys
[/bash]
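An added example, not part of the original tutorial, that performs the .ssh setup above as one checked step. It takes the public key file as input (so the key pair can just as well be generated on Arnold’s own machine and only arnold.pem.pub copied to the node, keeping the private key off the server), creates .ssh with mode 700 and authorized_keys with mode 600, and then verifies the result the way sshd’s StrictModes does: the directory, the file and the home folder must be owned by the user (or root) and must not be group- or world-writable, which is why the user’s own primary group is used here. It also refuses ssh-dss keys: OpenSSH has rejected that key type by default since version 7.0 (2015), so the -t dsa key from the ssh-keygen step will not be accepted by current servers (-t ed25519 is the usual choice today). The function names, the accepted key type list and the sample key lines are assumptions and constructed values, not something from the tutorial.

```shell
#!/bin/sh
# Added example (not part of the original tutorial). Installs a public key for
# a user with the ownership and modes sshd's StrictModes requires, then checks
# them. Assumes POSIX sh plus coreutils/find. Run as root (sudo) when the
# target user is not yourself, because chown needs it.

# Key types accepted. ssh-dss is deliberately absent: OpenSSH has rejected it
# by default since 7.0, so a "-t dsa" key no longer logs in on current servers.
ALLOWED_KEY_TYPES="ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"

# valid_pubkey_line LINE -> 0 when LINE is "<type> <base64> [comment]" with an
# allowed type (key lines with leading options such as "no-pty" are rejected)
valid_pubkey_line() {
    set -- $1
    [ $# -ge 2 ] || return 1
    case " $ALLOWED_KEY_TYPES " in
        *" $1 "*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# has_mode PATH MODE -> 0 when PATH's permission bits are exactly octal MODE
# (POSIX find -perm with a plain mode is an exact match)
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# check_ssh_perms HOMEDIR -> 0 only when .ssh is 0700, authorized_keys is 0600
# and HOMEDIR itself is not group- or world-writable (sshd refuses it otherwise)
check_ssh_perms() {
    home=$1
    has_mode "$home/.ssh" 700 || { echo "$home/.ssh is not 0700" >&2; return 1; }
    has_mode "$home/.ssh/authorized_keys" 600 \
        || { echo "$home/.ssh/authorized_keys is not 0600" >&2; return 1; }
    if [ -n "$(find "$home" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "$home is group- or world-writable" >&2
        return 1
    fi
    return 0
}

# install_authorized_key USER HOMEDIR PUBKEY_FILE
# Appends the first line of PUBKEY_FILE to HOMEDIR/.ssh/authorized_keys,
# creating the directory and file privately, owned by USER and USER's own
# primary group, and finishes with check_ssh_perms.
install_authorized_key() {
    user=$1; home=$2; pubkey=$3
    sshdir="$home/.ssh"; authfile="$sshdir/authorized_keys"

    key=$(head -n 1 "$pubkey") || return 1
    if ! valid_pubkey_line "$key"; then
        echo "refusing $pubkey: unsupported or malformed key line" >&2
        return 1
    fi
    # umask 077 in a subshell so the directory and file are never created
    # world-readable, without changing the caller's umask
    ( umask 077 && mkdir -p "$sshdir" && printf '%s\n' "$key" >> "$authfile" ) || return 1
    chmod 700 "$sshdir" && chmod 600 "$authfile" || return 1
    # chown needs root, so skip it when installing into your own home
    if [ "$(id -un)" != "$user" ]; then
        chown "$user:$(id -gn "$user")" "$sshdir" "$authfile" || return 1
    fi
    check_ssh_perms "$home"
}

# Usage on the node, as the ubuntu user, with the tutorial's paths (hypothetical file name):
#   sudo sh -c '. ./install_key.sh; install_authorized_key arnold /home/arnold /home/arnold/arnold.pem.pub'
```

Appending rather than overwriting keeps any key already in authorized_keys, and check_ssh_perms is what to run when a key that "should work" is refused: a group-writable home folder or .ssh is the usual reason sshd silently ignores the file.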
Now, based on your requirements, you can either leave arnold as is or elevate him to sudoer level.
Privileges for Arnold
We are going to edit the sudoers file, and it’s recommended to do so with visudo, the special editor meant for it, which has the merit of validating the syntax of what we put there. On some machines you may be asked which editor you want visudo to use: nano, vim, or a third one I have forgotten 😀. Be extra careful when playing around with this file; you can totally lose control of your box with one stupid mistake, a type of mistake we classify as Monkeyfication.
Full Sudoer with password when going sudo mode
[bash]
# this command opens /etc/sudoers in visudo
ubuntu@ip-172-30-0-189:/home/arnold$ sudo visudo
[/bash]
You can actually add our entry at the bottom of the sudoers file, but I follow the grouping already present in the file. It’s a personal preference; you are free to edit the file wherever you want.
[bash]
# locate the line "root ALL=(ALL:ALL) ALL", append the following below it, then save and exit:
arnold ALL=(ALL) ALL
[/bash]
Full Sudoer without password when going sudo mode
[bash]
# this command opens /etc/sudoers in visudo
ubuntu@ip-172-30-0-189:/home/arnold$ sudo visudo
# locate the line "root ALL=(ALL:ALL) ALL", append the following below it, then save and exit:
arnold ALL=(ALL) NOPASSWD:ALL
[/bash]
Limited Sudoer with password when going sudo mode
Here I say Limited to illustrate that the user only has a limited set of commands he/she can perform, which is still defined in the sudoers file, using a command alias (Cmnd_Alias). To avoid repetition it’s best to assign a command alias to a group rather than to a user. Let’s say we want a group of deployers.
So let’s create our secondary group deployers and add arnold to that group
[bash]
# creating the deployers group
sudo groupadd deployers
#adding arnold to the deployers group
sudo usermod -a -G deployers arnold
[/bash]
That done, let’s edit our sudoers file and add the following
[bash]
# the set of commands we want to allow for our deployers group
# (/usr/find corrected to /usr/bin/find, /sbin/sh to /bin/sh, and the duplicate tomcat7 entry dropped)
Cmnd_Alias DEPLOYERS = /etc/init.d/tomcat7, /bin/sh, /usr/bin/less, /usr/bin/nano, /bin/rm, /usr/bin/find, /usr/bin/unzip, /usr/bin/tail, /usr/bin/touch, /usr/bin/tar, /bin/cp, /bin/mv, /usr/bin/mysql, /bin/mkdir
# adding the deployers group to the sudoers, limited to the DEPLOYERS command alias
%deployers ALL=(ALL) DEPLOYERS
[/bash]
With this alias we are allowing the following:
- the tomcat7 service script in init.d
- sh to execute shell scripts
- the less utility to peek into large files
- the nano file editor
- rm to remove files
- find to search for files
- unzip
- tail to follow files
- touch to create files
- tar to compress, decompress, etc.
- cp to copy folders and files
- mv to rename or move folders and files
- the mysql client
- mkdir to create folders
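An added example, not part of the original tutorial, that covers the two steps above: it checks that arnold actually landed in the deployers group after usermod, and it audits a Cmnd_Alias before the fragment goes live. The audit matters for this particular list: sh, less, nano, find, tar, cp, mv and the mysql client can each run other programs or read and write arbitrary files once they run as root, so in practice the DEPLOYERS alias grants the group full root rather than a limited set of commands. The function names, the list of shell-capable programs, the DEPLOY_SAFE alias and the sample fragment are all assumptions and constructed values; visudo -c -f is the real syntax check and is only called when visudo is installed.

```shell
#!/bin/sh
# Added example (not part of the original tutorial). Audits a Cmnd_Alias in a
# sudoers fragment for commands that give the caller more than the alias name
# suggests, checks group membership, and runs visudo's syntax check when it is
# installed. Assumes POSIX sh, awk and grep.

# Programs that can launch other programs, drop to a shell, or read and write
# any file when run as root. Any of these in an alias makes it equivalent to
# full root, however "limited" the rest of the list looks.
SHELL_CAPABLE="sh bash dash less more vi vim nano find cp mv tar mysql"

# sample_fragment -> prints a constructed sudoers fragment: the tutorial's
# deployers alias next to a genuinely limited alternative
sample_fragment() {
    cat <<'EOF'
# Constructed sample fragment (would live in /etc/sudoers.d/deployers)
Cmnd_Alias DEPLOYERS = /etc/init.d/tomcat7, /bin/sh, /usr/bin/less, /usr/bin/nano, /bin/rm, /usr/bin/find, /usr/bin/unzip, /usr/bin/tail, /usr/bin/touch, /usr/bin/tar, /bin/cp, /bin/mv, /usr/bin/mysql, /bin/mkdir
%deployers ALL=(ALL) DEPLOYERS
# Limited for real: only the service script, and only as root
Cmnd_Alias DEPLOY_SAFE = /etc/init.d/tomcat7
%deployers ALL=(root) DEPLOY_SAFE
EOF
}

# alias_commands SUDOERS_FILE ALIAS -> the alias's command paths, one per line
# (arguments after a path are dropped; continuation lines are not handled)
alias_commands() {
    awk -v name="$2" '
        $0 ~ ("^Cmnd_Alias[ \t]+" name "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")                 # drop "Cmnd_Alias NAME ="
            n = split($0, parts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(parts[i], fields, /[ \t]+/)
                if (fields[1] != "") print fields[1]
            }
        }' "$1"
}

# audit_alias SUDOERS_FILE ALIAS -> prints each shell-capable command in the
# alias; returns 1 when at least one was found, 0 when the alias is clean
audit_alias() {
    flagged=0
    for cmd in $(alias_commands "$1" "$2"); do
        case " $SHELL_CAPABLE " in
            *" ${cmd##*/} "*) echo "$cmd"; flagged=1 ;;
        esac
    done
    return $flagged
}

# in_group USER GROUP -> 0 when USER is a member of GROUP (verifies usermod -a -G)
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# validate_fragment FILE -> visudo's syntax check, if visudo is installed
validate_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not installed; skipping syntax check of $1" >&2
    fi
}

# Stand-alone run (sh audit.sh --demo): audit both aliases of the sample
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && sample_fragment > "$f"
    echo "DEPLOYERS flags:"; audit_alias "$f" DEPLOYERS || true
    echo "DEPLOY_SAFE flags:"; audit_alias "$f" DEPLOY_SAFE && echo "(none)"
    validate_fragment "$f" || true
    rm -f "$f"
fi
```

Keeping the entry in its own file under /etc/sudoers.d/ (Ubuntu’s default sudoers includes that directory) and running visudo -c -f on it before copying it into place gives the same syntax protection as editing /etc/sudoers with visudo. If a pager or editor really must be allowed, the sudoers NOEXEC tag stops that command from executing any other program, which closes the escape route for dynamically linked binaries such as less and nano.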
Now that all the access control matters are solved, we need to get the arnold.pem private key file to Arnold Schwarzenegger so he can log in with it. You can either open the file with the less command, copy its contents and paste them into a file on your own machine using gedit or Sublime, or download it with scp/WinSCP.
To check that everything is alright, let’s connect back using Arnold’s credentials
[bash]
# ssh refuses a private key file that is readable by others; chmod 600 arnold.pem first if needed
$ ssh -i arnold.pem arnold@somesameip
[/bash]
Voila!! You are in. Thanks for reading this.