I am working with a website dev team and I now need them to upload the deliverables to my server. I want to make sure they can do whatever they need, but I also want to be able to disable / remove their user access after the deliverables have been delivered. This tutorial gives a quick (but not super secure) way to hand over SSH access to an Ubuntu server.
1. Create server username for new user
Assuming you are logged into your Ubuntu server, in this command we will create the new user on the server. You will need to already be logged into the server with super admin powers to create a user. You should also have your password manager software ready (I recommend KeePassXC since it’s awesome) as you will need to save this info to share with the team. I will use the name ‘devteam’ for this example.
adduser devteam
New password: enter it!
Retype new password: enter it again!
You should see:
passwd: password updated successfully
Changing the user information for devteam
Enter the new value, or press ENTER for the default
Full Name []: Devteam (blank is fine)
Room Number []: (blank is fine)
Work Phone []: (blank is fine)
Home Phone []: (blank is fine)
Other []: (blank is fine)
Is the information correct? [Y/n] y
After that you’ll be taken back to the command prompt, showing everything is done.
2. Give sudo power to new user
NOTE: You are about to give full power to this user. Be sure you are ok with this. This next command will give the user the power to pretty much do anything they want. Don’t do this if you aren’t ready to face those risks.
Add ‘devteam’ user to the super user group:
sudo usermod -aG sudo devteam
After entering this you should be taken back to the command line, showing it’s done.
3. Test the user to make sure it’s working and has super powers
Before handing this off to someone, we should make sure it’s working the way we need:
- switch to this new username and enter password when prompted:
su devteam
(you should now see ‘devteam@server-name’ in the command line prompt if you are now the new user)
- try a harmless command that requires sudo powers to see if devteam has enough:
sudo apt update
You should have been able to run an update after entering the password.
4. Allowing plaintext password ssh authentication
Most of the tutorials out there for giving a user SSH access were suggesting to add this line to the sshd_config file:
AllowUsers devteam
However, as soon as I did this and saved these changes on my DigitalOcean Ubuntu server, I was locked out immediately from all SSH access – including root. Not good. Thankfully there was the recovery console through DO, but if I didn’t have that, I’d be messed up bad. I don’t know why this happened and sadly I don’t have time to figure it out.
Now, to be clear, I’m not a security person but I’m guessing that using a username with plain text passwords is not a great way to do SSH. Probably the pub / private key method is the best and most secure way to do this. However, I didn’t need security, I just needed a fast, ‘reasonably secure’ way to let a dev team upload their stuff and do some stuff on the server. As such, the following worked very well and quickly for me. I will disable this after the work is done:
- edit the ssh config file:
sudo nano /etc/ssh/sshd_config
- around line 58 change PasswordAuthentication no to
PasswordAuthentication yes
- restart SSH:
sudo service sshd restart
- exit out completely of the server
exit
(exit, exit, etc etc)
- try logging in with regular clear text username and pw to your server (obviously 123 is a fake IP address):
ssh devteam@123.123.123.123
When the work is completed by the third party ‘devteam’, consider disabling this feature again to prevent plain text user/pw attempts on your server.
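The hand-back this post keeps referring to (taking away devteam's access and turning password logins off again), written out as an added example that is not part of the original post. The function names and the `run` argument are hypothetical, the privileged steps assume a root shell, and the config helpers only look at the one file they are given.

```shell
#!/bin/sh
# Added example (not from the original post): hand-back steps for 'devteam'.
# Function names are hypothetical; the privileged steps must run as root.

# Print the effective global PasswordAuthentication value of config file $1.
# sshd keeps the first value it reads and defaults to "yes" when none is set.
# Assumption: Include'd files and the key=value spelling are not handled.
get_password_auth() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Set PasswordAuthentication to yes|no in config file $1, keeping a .bak copy.
# Existing (or commented-out) directives before the first Match block are
# dropped and the new value is written as the first line, so it wins.
set_password_auth() {
    case "$2" in yes|no) ;; *) echo "value must be yes or no" >&2; return 2 ;; esac
    cp -p "$1" "$1.bak" || return 1
    { echo "PasswordAuthentication $2"
      awk 'tolower($1) == "match" { m = 1 }
           !m && tolower($0) ~ /^[ \t]*#?[ \t]*passwordauthentication[ \t]/ { next }
           { print }' "$1.bak"
    } > "$1"
}

# Syntax-check the config before restarting, so a typo cannot lock you out.
# Keep the current SSH session open until a fresh login has been confirmed.
apply_sshd_config() {
    /usr/sbin/sshd -t -f "$1" && service sshd restart
}

# Take back what steps 1 and 2 granted to user $1 (default: devteam).
revoke_user() {
    user="${1:-devteam}"
    gpasswd -d "$user" sudo      # undo 'usermod -aG sudo devteam'
    usermod -L -e 1 "$user"      # lock the password and expire the account
    pkill -KILL -u "$user"       # end any sessions that are still open
}

# Only acts when started with the argument "run" (hypothetical convention).
if [ "${1:-}" = "run" ]; then
    revoke_user devteam
    set_password_auth /etc/ssh/sshd_config no &&
        apply_sshd_config /etc/ssh/sshd_config
fi
```

On images whose sshd_config starts with an Include line, also check the included files, since a value set there is not touched by these helpers.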