2025-06-18 Update From: SLTechnology News&Howtos
This article explains how to create a new user on CentOS and enable SSH key login for it. Many readers are not familiar with the procedure, so it is shared here for reference.
CentOS has only the root user by default. Root's privileges are too broad, and a single shared account is not suited to multi-person collaboration, so for privilege management and security we create a new user, enable SSH login for it, and forbid root from logging in.
Practised on CentOS Linux release 7.6.1810 (Core)
New user
In CentOS, there is no difference between adduser and useradd:
```
[root@centos_7_6_1810 ~]# ll /usr/sbin/ | grep user
lrwxrwxrwx  1 root root      7 Jun 24 10:14 adduser -> useradd
-rwxr-xr-x. 1 root root  33104 Aug  3  2017 fuser
-rwxr-xr-x. 1 root root  15832 Apr 13  2018 lnewusers
-rwxr-xr-x. 1 root root  15752 Apr 13  2018 luseradd
-rwxr-xr-x. 1 root root  11576 Apr 13  2018 luserdel
-rwxr-xr-x. 1 root root  19896 Apr 13  2018 lusermod
-rwxr-xr-x  1 root root  76232 Mar 14  2019 newusers
-rwxr-xr-x  1 root root  33072 Mar 14  2019 runuser
-rwxr-xr-x. 1 root root  19720 Apr 11  2018 sasldblistusers2
-rwxr-x---  1 root root 118224 Mar 14  2019 useradd
-rwxr-x---  1 root root  80400 Mar 14  2019 userdel
-rwxr-x---  1 root root 113856 Mar 14  2019 usermod
-rwsr-xr-x. 1 root root  11376 Oct 31  2018 usernetctl
```
As the listing shows, adduser is just a symbolic link (soft link) to the useradd command.
For now you can think of a symbolic link as the equivalent of a shortcut on Windows.
Use the useradd command to create a new user:
```
[root@centos_7_6_1810 ~]# useradd luizyao
[root@centos_7_6_1810 ~]# ls /home/luizyao
```
On many Linux distributions, useradd does not create a home directory under /home/ unless you pass the -m (--create-home) option; CentOS creates the home directory automatically.
If we want to log in to the system with this user name, we must set a password for it:
```
[root@centos_7_6_1810 ~]# passwd luizyao
Changing password for user luizyao.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
```
We can then use this user to log in to the system:
```
[luizyao@centos_7_6_1810 ~]$ whoami
luizyao
```
Authorize the new user
A new user normally has full permissions only inside its own home directory (/home/luizyao/); access to other directories must be granted explicitly. What is most often needed is root's authority, and the sudo command provides it: sudo lets trusted users run commands as another user, root by default.
The new user is not yet on that trust list, so it cannot run commands as root:
Note: at this point, log in to the system as a new user
```
[luizyao@centos_7_6_1810 /]$ sudo whoami
[sudo] password for luizyao:
luizyao is not in the sudoers file.  This incident will be reported.
```
In CentOS, there are two ways to add a new user to the sudoers list:
Note: at this point, log in to the system as root
Method 1: add new users to the wheel user group
On Red Hat based distributions such as CentOS and Fedora, the wheel group is already granted sudo privileges, so the new user obtains them simply by being added to wheel:
```
[root@centos_7_6_1810 ~]# groups luizyao
luizyao : luizyao
[root@centos_7_6_1810 ~]# usermod -aG wheel luizyao
[root@centos_7_6_1810 ~]# groups luizyao
luizyao : luizyao wheel
```
usermod -aG wheel appends the user to the wheel group (-a keeps the user's existing groups; without it, -G would replace them), and the groups command shows which groups a user belongs to.
At this point, new users can execute commands with the authority of root:
```
[luizyao@centos_7_6_1810 root]$ sudo whoami
[sudo] password for luizyao:
root
```
Note:
With this method, running sudo requires the new user's own password, because that is the default configuration for the wheel group, as shown below:
```
# /etc/sudoers
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
```
To remove a user from a group, use gpasswd -d:
```
[root@centos_7_6_1810 ~]# gpasswd -d luizyao wheel
Removing user luizyao from group wheel
[root@centos_7_6_1810 ~]# groups luizyao
luizyao : luizyao
```
Method 2: add new users to the sudoers list
The /etc/sudoers file configures sudo permissions for users and groups and is more flexible than the wheel group. There are two ways to configure permissions for the new user there:
1. You can configure the new user's permissions directly in /etc/sudoers. Note that this file is read-only by default, so you need to add write permission first and restore read-only after editing.
Use the visudo command to edit /etc/sudoers, because it checks the file for syntax errors before saving it.
2. You can also add a dedicated file for the new user under the /etc/sudoers.d directory (recommended):
```
[root@centos_7_6_1810 ~]# echo "luizyao ALL=(ALL) NOPASSWD:ALL" | tee /etc/sudoers.d/luizyao
luizyao ALL=(ALL) NOPASSWD:ALL
[root@centos_7_6_1810 ~]# ll /etc/sudoers.d/luizyao
-rw-r--r-- 1 root root 32 Sep 17 17:51 /etc/sudoers.d/luizyao
```
This entry means that luizyao may run any command (the third ALL) on any host (the first ALL) as any user (the second ALL; root when no user is specified) without entering a password:
```
[luizyao@centos_7_6_1810 root]$ sudo whoami
root
```
Note: the file name is arbitrary, but it is usually set to the user name.
Enable SSH key login for the new user
At this point, log in to the system as the new user
Create a key pair:
```
[luizyao@centos_7_6_1810 ~]$ ssh-keygen -t ecdsa    # Elliptic Curve Digital Signature Algorithm
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/luizyao/.ssh/id_ecdsa):    # where the key pair is stored
Created directory '/home/luizyao/.ssh'.
Enter passphrase (empty for no passphrase):    # passphrase protecting the private key
Enter same passphrase again:                   # confirm the passphrase
Your identification has been saved in /home/luizyao/.ssh/id_ecdsa.
Your public key has been saved in /home/luizyao/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:FljQN9JFxB/C83Mv7N3rFNLCxXICRxaKzKDb+Tzsgwo luizyao@centos_7_6_1810
The key's randomart image is:
[ECDSA 256 randomart image; not recoverable from the extracted text]
```
Download the private key to the local machine:
Practised on macOS
Use the scp command to download the private key (the host part of the address is elided below). Note that transferring a private key over the network is the weaker way round: the usual practice is to generate the key pair on the client and copy only the public key to the server, for example with ssh-copy-id.
```
YaomengdeMacBook-Air:~ yaomeng$ scp luizyao@:/home/luizyao/.ssh/id_ecdsa ~/.ssh/
```
At this point a password is still required to log in, because the public key has not yet been authorized on the server:
```
YaomengdeMacBook-Air:~ yaomeng$ ssh luizyao@
Enter passphrase for key '/Users/yaomeng/.ssh/id_ecdsa':    # private key passphrase; key login fails
luizyao@www.luizyao.com's password:                       # luizyao's user password
Last login: Tue Sep 17 22:50:22 2019
```
SSH password-free login
Rename the public key to authorized_keys:
```
[luizyao@centos_7_6_1810 ~]$ mv ~/.ssh/id_ecdsa.pub ~/.ssh/authorized_keys
[luizyao@centos_7_6_1810 ~]$ ll ~/.ssh/
total 8
-rw-r--r--. 1 luizyao luizyao 185 Sep 17 22:58 authorized_keys
-rw-------. 1 luizyao luizyao 314 Sep 17 22:58 id_ecdsa
```
Note:
Since I did not have an authorized_keys file before, I simply rename the public key here; if you already have an authorized_keys file, append the public key to the end of it with the following command:
```
cat >> ~/.ssh/authorized_keys < ~/.ssh/id_ecdsa.pub
```
Note that if the authorized_keys file, the ~/.ssh/ directory, or the user's home directory (/home/luizyao/) is writable by other users, sshd considers the file unsafe and will not use it, unless StrictModes has been set to no.
You can read the relevant help text with the man sshd command:
```
~/.ssh/authorized_keys
        Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this
        user. The format of this file is described above. The content of the file is not highly
        sensitive, but the recommended permissions are read/write for the user, and not accessible
        by others.

        If this file, the ~/.ssh directory, or the user's home directory are writable by other
        users, then the file could be modified or replaced by unauthorized users. In this case,
        sshd will not allow it to be used unless the StrictModes option has been set to "no".
```
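The note above is the check most often tripped over when a key is silently ignored. The script below is an added example (not from the original article) that reproduces the ownership and write-permission checks sshd applies under StrictModes to the home directory, ~/.ssh and authorized_keys, run against a constructed throwaway directory; the function and directory names are assumptions for the demo.

```bash
#!/bin/bash
# Added example, not from the original article: reproduce the checks sshd applies
# under StrictModes (the default) before trusting ~/.ssh/authorized_keys, so an
# "ignored" key can be diagnosed on the spot. Directory layout is constructed.

# strict_modes_check HOME_DIR OWNER_UID
# Returns 0 if HOME_DIR, HOME_DIR/.ssh and HOME_DIR/.ssh/authorized_keys are each
# owned by OWNER_UID (or root) and writable by neither group nor others;
# otherwise prints the first offending path and returns 1.
strict_modes_check() {
    home_dir="$1"; owner="$2"
    for path in "$home_dir" "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
        [ -e "$path" ] || { echo "missing: $path"; return 1; }
        uid=$(stat -c '%u' "$path")     # GNU stat: %u owner uid, %a octal mode
        mode=$(stat -c '%a' "$path")
        if [ "$uid" != "$owner" ] && [ "$uid" != "0" ]; then
            echo "bad owner (uid $uid) on $path"; return 1
        fi
        # group (020) or other (002) write bit set: sshd rejects the file
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "writable by group/others (mode $mode): $path"; return 1
        fi
    done
    echo "ok: $home_dir/.ssh/authorized_keys would be accepted"
}

# Build a throwaway home directory with the layout the article ends up with.
make_demo_home() {
    d=$(mktemp -d) && chmod 755 "$d"
    mkdir -m 700 "$d/.ssh"
    # constructed public key line, not a real key
    echo "ecdsa-sha2-nistp256 AAAA...constructed luizyao@demo" > "$d/.ssh/authorized_keys"
    chmod 644 "$d/.ssh/authorized_keys"
    echo "$d"
}

demo=$(make_demo_home)
strict_modes_check "$demo" "$(id -u)"              # accepted
chmod g+w "$demo/.ssh"                              # the mistake the note warns about
strict_modes_check "$demo" "$(id -u)" || true       # rejected unless StrictModes no
rm -rf "$demo"
```

Run it against a real account as `strict_modes_check /home/luizyao "$(id -u luizyao)"` to get the same verdict sshd would reach.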
At this point, we can log in over SSH without the user's password:
```
YaomengdeMacBook-Air:~ yaomeng$ ssh luizyao@www.luizyao.com
Enter passphrase for key '/Users/yaomeng/.ssh/id_ecdsa':    # private key passphrase
Last login: Wed Sep 18 00:00:41 2019 from 49.65.108.161
```
Disable SSH password login
We can still log in with a password, which remains a risk, so now let's disable password login.
On CentOS, change PasswordAuthentication to no in the SSH server configuration file /etc/ssh/sshd_config.
Restart the SSH service:
```
[luizyao@centos_7_6_1810 ~]$ sudo systemctl restart sshd
```
SSH password login is now disabled and only key login is possible. Keep the current session open and confirm that key login works from a second session before closing it, so a mistake in the configuration does not lock you out.
Other
To further improve the security of the system, there are a few things we can do:
Prohibit root users from logging in using SSH
Change PermitRootLogin to no in the SSH configuration file /etc/ssh/sshd_config, then restart the SSH service.
Use an unconventional SSH port
The default SSH port is 22; we can move it to a less common port by changing the Port value in /etc/ssh/sshd_config (for example, 10178) and restarting the SSH service.
The firewall's definition of the ssh service must be changed to match. CentOS 7 uses firewalld by default, which is configured as follows:
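The PasswordAuthentication, PermitRootLogin and Port changes above all edit the same file, and sshd honours the first occurrence of a keyword, so a line appended at the end can be silently overridden by an earlier one. The script below is an added example (not from the original article) that applies the three changes to a copy of sshd_config idempotently and reads back the value sshd would use; the function names and the sample file are assumptions, and it assumes the file has no Match blocks.

```bash
#!/bin/bash
# Added example, not from the original article: set sshd_config keywords in place
# (sshd uses the FIRST match, so blind appending is unsafe) and read them back.
# Assumes OpenSSH's sshd_config syntax and no Match blocks in the file.

# get_sshd_option FILE KEYWORD: print the value sshd would use, or "default"
get_sshd_option() {
    awk -v key="$2" 'tolower($1)==tolower(key) { print $2; found=1; exit }
                     END { if (!found) print "default" }' "$1"
}

# set_sshd_option FILE KEYWORD VALUE: replace every active KEYWORD line
# (case-insensitive, commented lines untouched) with one "KEYWORD VALUE";
# append it only if no active line existed.
set_sshd_option() {
    file="$1"; key="$2"; val="$3"; tmp="$file.tmp"
    awk -v key="$key" -v val="$val" '
        tolower($1)==tolower(key) { if (!done) { print key " " val; done=1 }; next }
        { print }
        END { if (!done) print key " " val }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample in the shape CentOS 7 ships (not a real host's file).
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF
    echo "$f"
}

# harden_sshd_config FILE PORT: the three changes the article makes.
harden_sshd_config() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" Port "$2"
}

cfg=$(make_sample_config)
harden_sshd_config "$cfg" 10178
get_sshd_option "$cfg" PasswordAuthentication   # no
get_sshd_option "$cfg" Port                     # 10178
rm -f "$cfg"
```

On a real host, run it on a copy, validate with `sshd -t -f copy`, and only then install the copy and restart sshd.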
Copy firewalld's default configuration file for ssh to the system configuration folder:
```
[luizyao@centos_7_6_1810 ~]$ sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
```
Modify the port in the copied file; only the port attribute changes, the rest of the file is firewalld's stock definition:
```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="10178"/>
</service>
```
Reload firewalld configuration:
```
[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --reload
success
```
Prohibit ping
Add the following rules to the firewall and reload the configuration:
```
[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --permanent --add-icmp-block=echo-reply
[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --permanent --add-icmp-block=echo-request
[luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --reload
```
This concludes the article on creating a new user and enabling key login in CentOS.