
How to create a deploy user on Ubuntu server and disable password authentication

It is good practice to avoid using the root user for deployments on production servers. This mini-post guides you through creating a new deploy user and associating your development machine's SSH public key with it for authentication. It is a good initial setup for a production Ubuntu server.

To start, connect to your Ubuntu server over SSH as root:

$ ssh root@<ubuntu-server-ip-address>

Once you are logged in to your server as root, you are ready to create the new deploy user that will be used from now on. To do that, type:

root@<ubuntu-server-hostname>:~# adduser deploy

Fill in all the information for user deploy:

Adding user `deploy' ...
Adding new group `deploy' (1000) ...
Adding new user `deploy' (1000) with group `deploy' ...
Creating home directory `/home/deploy' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for deploy
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] Y

The deploy user is now ready with regular account privileges. However, the deploy user will be used for deploying your applications and should belong to the sudoers of the Ubuntu server.

Update the deploy user's privileges with:

root@<ubuntu-server-hostname>:~# usermod -aG sudo deploy

From now on, deploy has superuser privileges and is part of the sudoers. Now, let's add public key authentication for the deploy user. On your local Ubuntu development machine's console, run:

$ ssh-copy-id deploy@<ubuntu-server-ip-address>
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
deploy@<ubuntu-server-ip-address>'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'deploy@<ubuntu-server-ip-address>'"
and check to make sure that only the key(s) you wanted were added.

Your local Ubuntu development machine's public key is now associated with the deploy user, and from now on you can authenticate with this key instead of your password.

Test the configuration with:

$ ssh deploy@<ubuntu-server-ip-address>
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Feb 23 21:06:03 UTC 2019

  System load:  0.0               Processes:           83
  Usage of /:   4.0% of 24.06GB   Users logged in:     0
  Memory usage: 11%               IP address for eth0: 157.230.58.214
  Swap usage:   0%

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.


To run a command as administrator (user "root"), use "sudo".
See "man sudo_root" for details.

deploy@<ubuntu-server-hostname>:~$

Success: you are connected to your Ubuntu server, authenticating with your public SSH key only. The next step is to disable password authentication. To do that, run the following on the server:

deploy@<ubuntu-server-hostname>:~$ sudo nano /etc/ssh/sshd_config

Find the line that specifies PasswordAuthentication. If it is commented out, uncomment it by removing the # at the beginning of the line, then change the value from yes to no. It should look like this after your changes:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

Also make sure that PubkeyAuthentication is uncommented and its value is set to yes:

PubkeyAuthentication yes

If everything is configured as specified, save and close the file by pressing CTRL-X, then Y and ENTER. One final step is to disable the password prompt for the deploy user when using the sudo command. To do that, type the following on your Ubuntu server:

deploy@<ubuntu-server-hostname>:~$ sudo visudo

Add the following at the end of the file:

# Deploy
deploy ALL=(ALL) NOPASSWD:ALL

Again, save and close the file with CTRL-X, then Y and ENTER. Finally, let's test the configuration. Log out from the Ubuntu server with:

deploy@<ubuntu-server-hostname>:~$ exit

And connect with ssh:

$ ssh deploy@<ubuntu-server-ip-address>

Try a sudo command to check the password prompt. As you can see, there was no password prompt and you have successfully connected via SSH to your production Ubuntu server.
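
A check for the sshd_config edit above, as an added example that is not part of the original post: sshd keeps the first value it reads for each keyword, so a PasswordAuthentication no line placed below an existing uncommented yes changes nothing. The function names and the sample file are constructed for illustration, and the script reads only the global section of one file (it does not follow Include directives or evaluate Match blocks).

```shell
#!/bin/sh
# Added example (not from the original post): audit the global section of
# an sshd_config-style file. sshd keeps the FIRST value it reads for a
# keyword, so a later "PasswordAuthentication no" cannot override an
# earlier uncommented "yes". Include directives are not followed.

# effective_value FILE KEYWORD DEFAULT (hypothetical helper name)
# Prints the first uncommented value of KEYWORD found before any Match
# block, or DEFAULT (sshd's built-in default) when the keyword is absent.
effective_value() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == want { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd FILE (hypothetical helper name)
# Returns 0 only when password logins are off and public-key logins are on.
audit_sshd() {
    _rc=0
    if [ "$(effective_value "$1" PasswordAuthentication yes)" != "no" ]; then
        echo "FAIL: PasswordAuthentication is effectively yes"; _rc=1
    fi
    if [ "$(effective_value "$1" PubkeyAuthentication yes)" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication is not yes"; _rc=1
    fi
    return "$_rc"
}

# Constructed sample: the "no" line was added below a stock "yes" line.
sample=$(mktemp)
printf '%s\n' '#PubkeyAuthentication yes' \
    'PasswordAuthentication yes' \
    '# To disable tunneled clear text passwords, change to no here!' \
    'PasswordAuthentication no' > "$sample"
audit_sshd "$sample" || echo "first value wins: remove or edit the earlier line"
rm -f "$sample"
```

On the server itself, sudo sshd -t validates the edited file and sudo sshd -T prints the settings sshd will apply, included files counted. sshd reads its configuration at startup, so the edit takes effect after the service is reloaded (sudo systemctl reload ssh on Ubuntu).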
