Create a New User
Here, we’ll create a new user named kaladin and give it sudo privileges. DO NOT log out of the Ubuntu server until you have verified that the new account is viable for connection.
adduser kaladin
usermod -aG sudo kaladin
Set Up SSH Keys
If you need to create SSH keys, please see GitHub’s Generating a new SSH key and adding it to the ssh-agent.
When I created my Linode, I already had an ssh key on my Mac that was ready to use. It was added through the UI when setting up the VPS; however, at this point it only appears in the authorized_keys file for the root user.
We’ll move a key from our local Mac to the home directory of the newly created user, kaladin. This process works because it assumes that there is no ~/.ssh directory; in other words, that kaladin is a completely new user account (viz. that there are no keys present in the
id_ed25519.pub to server
Here we’ll use the secure copy command in the terminal on our Mac to copy the public key to the server. Replace <server-ip> with your Linode’s address; because no remote path follows the colon, the file lands in root’s home directory:
scp ~/.ssh/id_ed25519.pub root@<server-ip>:
That should have copied our public ssh key to the server. You should still be logged in as root. We will now create, populate, and set permissions for a .ssh directory in the home directory for kaladin. You should find the ssh key we uploaded in root’s home directory (~ still expands to root’s home in the commands below, since you are logged in as root):
cd ~kaladin
mkdir .ssh
mv ~/id_ed25519.pub .ssh/authorized_keys
chown -R kaladin:kaladin .ssh
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
Run ls -liah to view the contents of kaladin’s home directory. You should see something like this:
263883 drwx------ 2 kaladin kaladin 4.0K Jul 6 19:00 .ssh
Open up a second terminal window on your local machine. Try to log in as kaladin. Assuming you are successful, exit the session as root. Everything that follows assumes you are logged in as kaladin and not root.
Eliminate Root Access & Change the SSH Port
We will now edit the sshd_config file to eliminate root access and make things a little more secure.
sudo nano /etc/ssh/sshd_config
At the bottom of the file add these overrides. None of the text below is present in the file by default. Note that sshd uses the first value it reads for each keyword, so an override appended here only takes effect if the same keyword is not already set, uncommented, higher in the file or in a file pulled in by an Include directive.
#### Overrides ####
Port 333
PermitRootLogin no
AllowUsers kaladin
LoginGraceTime 1m
ClientAliveInterval 600
ClientAliveCountMax 0
Save the changes you’ve made and then restart the ssh service in order for the changes to take effect. Keep this session open and confirm from a second terminal that you can still connect as kaladin on the new port before closing it, so a mistake in the file does not lock you out:
sudo systemctl restart ssh
Explanations about sshd_config settings
About Changing the Default SSH port number
There is a lot of discussion around whether changing the ssh port number is a net good and whether it actually improves security. I have opted to change the default. There are reasons not to if your server interacts with clients or services that assume the default port and cannot be configured to use another.
Should I change the default SSH port on linux servers? is a Stack Overflow post that can bring you up to speed on whether, why, and to what you may want to change the default ssh port number.
If you do change the default port number, it is important that you pick an unused port that is less than 1024. Assigning an unprivileged port (i.e., one greater than 1024) can open your server up to a DoS attack.
PermitRootLogin
By setting this to no, we disallow anyone from using ssh to log in to the server as root. Remember, you can use the sudo command to run commands with root privileges as kaladin.
AllowUsers
Here we allow only the kaladin account to ssh into the server, from anywhere.
If you’d like to learn how to limit user access from specific locations, see the Linux Security Cookbook by Barrett, Silverman, and Byrnes: 3.14. Restricting Access to an SSH Server by Account.
Documentation is underrated. Check out the man pages for sshd_config.
LoginGraceTime
“The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds.” (Oracle’s man pages for sshd_config)
ClientAliveCountMax & ClientAliveInterval
ClientAliveCountMax and ClientAliveInterval are used in tandem to determine how, and for how long, the ssh service keeps a connection alive.
ClientAliveInterval determines the number of seconds of inactivity before the ssh service sends a client alive message to the ssh client.
ClientAliveCountMax is how many of those messages the ssh service will allow to go unanswered before killing the connection.
Essentially, we’re configuring a timeout for each ssh connection that could be thought of like this:
Timeout = ClientAliveInterval * (ClientAliveCountMax + 1).
In the above configuration we had:
ClientAliveInterval 600
ClientAliveCountMax 0
This means that after 10 minutes the ssh service will send a null packet, and it will not retry after the first interval. Be aware that OpenSSH 8.2 and later changed this behavior: a ClientAliveCountMax of 0 now disables connection termination entirely, so on a current Ubuntu release these two settings leave idle sessions open indefinitely. Set ClientAliveCountMax to 1 or more if you want idle sessions dropped.
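As an added example (my code, not the post’s), here is a small Python checker that parses an sshd_config the way sshd reads it (first value for a keyword wins, only whole-line '#' is a comment) and audits the override block above, applying the post’s idle-timeout formula together with the OpenSSH 8.2 change to ClientAliveCountMax 0. The sample file is constructed; the version tuple is an assumed parameter you would fill in from the server’s ssh -V output.

```python
import re

# Constructed sample: the post's override block appended to a trimmed Ubuntu-style file.
SAMPLE_SSHD_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password

#### Overrides ####
Port 333
PermitRootLogin no
AllowUsers kaladin
LoginGraceTime 1m
ClientAliveInterval 600
ClientAliveCountMax 0
"""

def parse_sshd_config(text):
    """Map lowercased keyword -> its FIRST value. sshd keeps the first value it reads,
    so a bottom-of-file override is shadowed by any uncommented earlier setting."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # only whole-line '#' is a comment
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1])
    return cfg

def idle_timeout_seconds(cfg, openssh_version):
    """Idle timeout as the post computes it: Interval * (CountMax + 1). OpenSSH 8.2
    made ClientAliveCountMax 0 mean 'never disconnect', so the post's 600/0 pairing
    only times out on older servers. Returns None when sshd never drops the session."""
    interval = int(cfg.get("clientaliveinterval", "0"))
    count = int(cfg.get("clientalivecountmax", "3"))
    if interval == 0 or (count == 0 and openssh_version >= (8, 2)):
        return None
    return interval * (count + 1)

def audit(cfg, openssh_version):
    """Return findings; an empty list means the post's overrides are in effect."""
    findings = []
    if cfg.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if "allowusers" not in cfg:
        findings.append("AllowUsers unset: any local account may log in over SSH")
    if cfg.get("port", "22") == "22":
        findings.append("Port is still the default 22")
    if idle_timeout_seconds(cfg, openssh_version) is None:
        findings.append("idle sessions are never disconnected")
    return findings
```

Prepending an uncommented PermitRootLogin yes to the sample shows the shadowing problem: the override at the bottom is ignored and the audit flags it.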