how to add user to AWS? adduser command not working - ssh

Hello sorry I am very new to this.
I have a SSH to AWS instance running on Ubuntu; I'm trying to add users to be able to access the server without the key pair
I type '$ sudo adduser' at the command prompt and get this reply "adduser: Only one or two names allowed"
Any ideas on how to add a root user to the account?

You will also need add following pieces of configs in your /etc/ssh/sshd_config at the bottom
Match User user_id1,user_id2,user_id3
PasswordAuthentication yes
Now reload ssh service.
This will activate password based authentications for these new users.

From AWS documentation:
If you are adding a user to an Ubuntu system, you should add the
--disabled-password option to avoid adding a password to the account.
[ec2-user ~]$ sudo adduser newuser

Related

Passwordless keybased authentication not working

this is what I need to realize:
keybased passwordless authentication for user root
passwordbased authentication for any other user than root
Server I need to have access to is running Debian 9 (stretch).
On my client I have I have created a keypair like this: ssh-keygen
This created the following files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.
Now I copied the content of ~/.ssh/id_rsa.pub into /root/.ssh/authorized_keys on the server and modified the keyfile with permission 600.
Then I modified the /etc/ssh/sshd_config on server by setting the following values:
PermitRootLogin without-password
PubkeyAuthentication yes
Now I restarted ssh service on server and tried the connection by ssh root#sub.domain.tld.
It still ends in password prompt for user root.
The outcome of ssh -vvv root#sub.domain.tld you can find here (Ubuntu Pastebin).
What did I miss to modify?
Kind regards
//neph
You should follow this tutorial, there's a lot of outdated ones. It worked for me on Ubuntu 19.04.
All you have to do is:
apt-get install libpam-google-authenticator.
Users who want to continue using ssh must each run the command google-authenticator. This tool interatively helps you to create the file ~/.google_authenticator, which contains a shared secret and emergency passcodes. It's a terminal application, but it does still display a QR code for quick loading of the shared secret into your two factor device (in my case, this is the Google Authenticator app on my Android smartphone).
Edit /etc/ssh/sshd_config. Set:
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
In case you have changed them in the past, you should also check the following two settings (these are both defaults on Ubuntu):
UsePAM yes
PubkeyAuthentication yes
Run sudo service ssh reload to pick up your changes to /etc/ssh/sshd_config.
Edit /etc/pam.d/sshd and replace the line:
#include common-auth
with:
auth required pam_google_authenticator.so
That's it! Now ssh logins will require a key, and after your key is verified will additionally require proof that you hold your second factor device.

Normal gitlab user with working keys cannot use PubkeyAuthentication to login to bash shell prompt

On an Ubuntu server, 'foo.com', that serves gitlab, a gitlab user, 'bar', can clone, push, and pull without having to use a password, with no problem (public key is set up on the gitlab server for user 'bar').
User 'bar' wants to use the command line on the server 'foo', and does ssh bar#foo.com. When user 'bar's ssh keys are not in 'foo''s authorized_keys, 'bar' is logged momentarily into Gitlab:
debug2: shell request accepted on channel 0
Welcome to GitLab, bar
and then that session promptly exits.
When user 'bar's ssh key - even one that is not registered with GitLab - is in 'foo.com''s authorized_keys, then that user gets the expected result when doing ssh bar#foo.com. However, then user bar (on their local computer) is unable to push, pull, clone, etc. from their gitlab-managed repository, with the error message being that "'some-group/some-project.git' does not appear to be a git repository".
It appears that there is a misconfiguration such that shell access is mixed up with gitlab project access.
How can user 'foo' be able to both login via ssh to a regular shell prompt and also use git normally (interacting with the remote git server from their local box)?
After a lot of searching I got to know why this was happening on my end. I had the same issue. I wanted to use the same SSH key for both SSH login as well as GitLab access.
I found this thread helpful:
https://gist.github.com/hanseartic/368a63933afb7c9f7e6b
In the authorized_keys file, the gitlab-shell enters specific commands to limit the access. It adds the limitation once the user enters the public key through web interface. It uses the command option to do so.
We would need to modify the command option to allow access to bash and remember to remove the option of no-pty if listed in the comma-separated section. For example in my case I had this within the line: no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty and had to remove no-pty from the list.
A sample modified command should look like this:
command="if [ -t 0 ]; then bash; else /home/ec2-user/gitlab_service/gitlab-shell/bin/gitlab-shell key-11; fi",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAA...
Need to be mindful to edit the correct command by checking the key number or the publickey and username associated with the command.
This did not require any service restart.

finding out sudo password on ssh server

I need to do a sudo command on a ssh server.
It asks for password
[sudo] password for myname:
but it's apparently different from the password for ssh server itself.
Can sudo only be used by root?
If not, should I ask the maintenance people for the password?
Or is there a way to set it up myself?
See : http://www.gratisoft.us/sudo/sudoers.man.html
Specifically see rootpw, targetpw , etc.
It is possible to have two different passwords, one for the account and another for the sudo command.
You should ask to the Maintenance people....

how to login to ec2 machine?

I was given some login information for an EC2 machine, basically an ec2-X-X-X.compute-X.amazonaws.com plus a username and password.
How do I access the machine? I tried sshing:
ssh username#ec2-X-X-X.compute-X.amazonaws.com
but I get a Permission denied, please try again. when I enter the password. Is sshing the right way to access the EC2 machine? (Google hits I found suggested that you could ssh into the machine, but they also used keypairs.) Or is it more likely that the problem is that I was given invalid login credentials?
If you are new to AWS and need to access a brand new EC2 instance via ssh, keep in mind that you also need to allow incoming traffic on port 22.
Assuming that the EC2 instance was created accepting all the default wizard suggestions, access to the machine will be guarded by the default security group, which basically prohibits all inbound traffic. Thus:
Go to the AWS console
Choose Security Groups on the left navigation pane
Choose default from the main pane (it may be the only item in the list)
In the bottom pane, choose Inbound, then Create a new rule: SSH
Click Add rule and then Apply Rule Changes
Next, assuming that you are in possession of the private key, do the following:
$ chmod 600 path/to/mykey.pem
$ ssh -i path/to/mykey.pem root#ec2-X-X-X.compute-X.amazonaws.com
My EC2 instance was created from a Ubuntu 32-bit 12.04 image, whose configuration does not allow ssh access to root, and asks you to log in as ubuntu instead:
$ ssh -i path/to/mykey.pem ubuntu#ec2-X-X-X.compute-X.amazonaws.com
Cheers,
Giuseppe
Our Amazon AMI says to "Please login as the ec2-user user rather than root user.", so it looks like each image may have a different login user, e.g.
ssh -i ~/.ssh/mykey.pem ec2-user#ec2-NN-NNN-NN-NN.us-foo-N.compute.amazonaws.com
In short, try root and it will tell you what user you should login as.
[Edit] I'm supposing that you don't have AWS management console credentials for the account, but if you do, then you can navigate to the EC2->Instances panel of AWS Management Console, right click on the machine name and select "Connect..." A list of the available options for logging in will be displayed. You will (or should) need a key to access an instance via ssh. You should have been given this or else it may need to be generated.
If it's a Windows instance, you may need to use Remote Desktop Connection to connect using the IP or host name, and then you'll also need a Windows account login and password.
The process of connecting to an AWS EC2 Linux instance via SSH is covered step-by-step (including the points mentioned below) in this video.
To correct this particular issue with SSH-ing to your EC2 instance:
The ssh command you ran is not in the correct format. It should be:
ssh -i /path/my-key-pair.pem ec2-user#ec2-198-51-100-1.compute-1.amazonaws.com
Note, you need access to the private key (.pem) file to use in the command above. AWS prompts you to download this file when you first launch your instance. You will need to run the following command to ensure that only your root user has read-access to it:
chmod 400 /path/to/yourKeyFile.pem
Depending on your Linux distribution, the user you need to specify when you run ssh may be one of the following:
For Amazon Linux, the user name is ec2-user.
For RHEL, the user name is ec2-user or root.
For Ubuntu, the user name is ubuntu or root.
For Centos, the user name is centos.
For Fedora, the user name is ec2-user.
For SUSE, the user name is ec2-user or root.
Otherwise, if ec2-user and root don't work, check with your AMI provider.
You need to enable an inbound SSH firewall. This can be done under the Security Groups section of AWS. Full details for this piece can be found here.
For this you need to be have a private key it's like keyname.pem.
Open the terminal using ctrl+alt+t.
change the file permission as a 400 or 600 using command chmod 400 keyname.pem or chmod 600 keyname.pem
Open the port 22 in security group.
fire the command on terminal ssh -i keyname.pem username#ec2-X-X-X.compute-X.amazonaws.com
Indeed EC2 (Amazon Elastic Compute Cloud) does not allow password authentication to their instances (linux machines) by default.
The only allowed authentication method is with an SSH key that is created when you create the instance. During creation they allow you to download the SSH key just once, so if you loose it, then you have to regenerate it.
This SSH key is only for the primary user - usually named
"ec2-user" (Amazon Linux, Red Hat Linux, SUSE Linux)
"root" (Red Hat Linux, SUSE Linux)
"ubuntu" (Ubuntu Linux distribution)
"fedora" (Fedora Linux distribution)
or similar (depending on distribution)
See connection instructions: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html
If you want to add a new user the recommended way is to generate and add a new SSH key for the new user, but not specify a password (which would be useless anyway since password authentication is not enabled by default).
Managing additional users: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/managing-users.html
After all if you want to enable password authentication, which lowers down the security and is not recommended, but still you might need to do that for your own specific reasons, then just edit
/etc/ssh/sshd_config
For example:
sudo vim /etc/ssh/sshd_config
find the line that says:
PasswordAuthentication no
and change it to
PasswordAuthentication yes
Then restart the instance
sudo reboot
After restarting, you are free to create additional users with password authentication.
sudo useradd newuser
sudo passwd newuser
Add the new user to the sudoers list:
sudo usermod -a -G sudo newuser
Make sure user home folder exists and is owned by the user
sudo mkdir /home/newuser
sudo chown newuser:newuser /home/newuser
New you are ready to try and login with newuser via ssh.
Authentication with ssh keys will continue to work in parallel with password authentication.

Can connect to EC2 as ubuntu user but not as the user i created

I created a new ebs backed EC2-instance and the necessary key-pair. Now I am able to connect to the instance as ubuntu user. Once i did that I created another user and added it to the sudoers list but I am unable to connect to the instance as the new user I created.
I get the following error. I am using the same key to connect with the new user i created. Can somebody help me. Am I missing something here?
Permission denied (publickey)"
Okay I think i figured it out.
The first technique is to login by password. The idea is to login as the ubuntu user or root user and go to /etc/ssh/sshd_config file and turn the PasswordAuthentication to yes and run
/etc/init.d/ssh reload
If you try to connect now you ec2 allows you to log with the password of the user that was created. Though this is not really secure.
Second is you create a key-pair and copy the id-rsa.pub file and move it to the /home/new-user/.ssh/authorized_keys file and change permissions to 600 and assign to the appropriate user(new-user in this case).
I found this to be amazingly useful
http://blog.taggesell.de/index.php?/archives/73-Managing-Amazon-EC2-SSH-login-and-protecting-your-instances.html
SSH is very picky about the directory and file permissions. Make sure that:
The directory /home/username/.ssh has permission "700" and is owned by the user (not root!)
The /home/username/ssh/authorized_keys has permission "600" and is owned by the user
Copy your public key into the authorized_keys file.
sudo chown -R username:username /home/username/.ssh
sudo chmod 0700 /home/username/.ssh
sudo chmod 0600 /home/username/.ssh/authorized_keys
You can do all that as a root user. There is no need to allow temporarily in /etc/ssh/ssh_config to passwords.
Sid, I did what you mentioned but I still got the same error
The first technique is to login by password. ...
It took a reboot to get it to work. (Just in case anyone else wants this insecure method to work) The public key method is a major pain to make it work with remote desktop apps