Tutorial, Ubuntu

Giving a Remote Dev Firm SSH Access to your Ubuntu Server

I am working with a website dev team and I now need them to upload the deliverables to my server. I want to make sure they can do whatever they need but also able to disable / remove their user access after the deliverables have been delivered. This tutorial gives a quick (but not super secure way) to hand over SSH access to an Ubuntu server.

1. Create server username for new user

Assuming you are logged into your Ubuntu server, in this command we will create the new user on the server. You will need to already be logged into server with super admin powers to create a user. You should also have your password manager software ready (I recommend KeepassXC since it’s awesome) as you will need to save this info to share with team. I will use the name ‘devteam’ for this example

adduser devteam

New password: enter it!
Retype new password: enter it again!

You should see:

passwd: password updated successfully
Changing the user information for devteam
Enter the new value, or press ENTER for the default
Full Name []: Devteam (blank is fine)
Room Number []:(blank is fine)
Work Phone []: (blank is fine)
Home Phone []: (blank is fine)
Other []: (blank is fine)
Is the information correct? [Y/n] y

After that you’ll be taken back to command prompt showing everything is done.

2. Give sudo power to new user

NOTE: You are about to give full power to this user. Be sure you are ok with this. This next command will give the user the power to pretty much do anything they want. Don’t do this if you aren’t ready to face those risks.

Add ‘devteam’ user to the super user group:

sudo usermod -aG sudo devteam

After entering this you should be taken back to command line showing it’s done.

3. Test the user to make sure it’s working and has super powers

Before handing this off to someone, we should make sure it’s working the way we need:

  • switch to this new username and enter password when prompted: su devteam
    (you should see now ‘devteam@server-name’` in the command line prompt if you are now the new user
  • try a harmless command that requires sudo powers to see if devteam has enough: sudo apt update

You should have been able to run an update after entering password.

4. Allowing plaintext password ssh authentication

Most of the tutorials out there for giving user ssh access were suggesting to add this line to the sshd_config file:
AllowUsers devteam

However, as soon as I did this and saved these changes on my Digital Ocean ubuntu server, I was locked out immediately from all ssh access – including root. Not good. Thankfully there was the recovery console through DO but if I didn’t have that, I’d be messed up bad. I don’t know why this happened and sadly I don’t have time to figure it out.

Now, to be clear, I’m not a security person but I’m guessing that using a username with plain text passwords is not a great way to do SSH. Probably the pub / private key method is the best and most secure way to do this. However, I didn’t need security, I just needed fast ‘reasonably secure’ way to let a dev team upload their stuff and do some stuff in the server. As such the following worked very well and quickly for me. I will disable this after the work is done:

  • edit the ssh config file: sudo nano /etc/ssh/sshd_config
  • around line 58 change PasswordAuthentication no to PasswordAuthentication yes
  • restart SSH : sudo service sshd restart
  • exit out completely of the server exit (exit, exit, etc etc)
  • try logging in with regular clear text username and pw to your server (obviously 123 is fake IP address): ssh devteam@

When the work is completed by the third party ‘devteam’, consider disabling this feature again to prevent plain text user/pw attempts on your server.

Tagged , ,

Leave a Reply

Your email address will not be published. Required fields are marked *