Adding an SSH user
Adding an SSH user is performed via SSH. Log into your acc server and switch user to root:
su -l root
/microcloud/scripts_ro/create_ssh_user.sh -h
There are a number of options that can be supplied to create an SSH user:
create_ssh_user.sh Usage:
create_ssh_user.sh [-r] [username]
username Username (eg. media_user)
-r Remove user
-w Do not share ID with www-data
The -w feature is a powerful flag that dictates how the new user account will behave. For the simple purpose of adding new users, where per-user security is not of paramount concern (i.e. the individual SSH accounts exist solely to provide individual environments), users should be created without the -w option.
If security is not the reason for a new account then the -w flag should be omitted. This will create a new user with the same ID as www-data. It will ensure consistent, problem-free file/directory ownership whilst giving independence to users.
If security is the reason for a new account then the -w flag should be provided. This will create a new user with a different ID to that of the www-data user. The user will still belong to the www-data group, and through the native use of a sticky group bit, new files/directories created in any document root will still possess the www-data group (thus reducing the potential for file/directory permission issues). This option is recommended only for advanced users who fully understand the impact it will have on file permissions and management.
Examples
Full access
To create a user with access to all domain groups/vhosts.
Create user
To create a user called example
/microcloud/scripts_ro/create_ssh_user.sh example
Remove user
To remove a user called example
/microcloud/scripts_ro/create_ssh_user.sh -r example
! SSH users can be added using conventional tools such as adduser or useradd, but in order to preserve the correct permissions on MageStack, inexperienced users are recommended to use the script provided.
Restricted access
To create a user with access to a specific domain-group only
Create user
To create a user where the name matches that of the domain group
E.g. for the domain group example
/microcloud/scripts_ro/create_ssh_user.sh example
Then, as root, edit /etc/ssh/sshd_config and append the following to the end of the file,
Match User example #example#
ChrootDirectory /microcloud/domains/example/ #example#
AllowTCPForwarding no #example#
X11Forwarding no #example#
Then reload SSH,
/etc/init.d/ssh reload
Remove user
To remove the user example
/microcloud/scripts_ro/create_ssh_user.sh -r example
sed -i '/#example#/d' /etc/ssh/sshd_config
/etc/init.d/ssh reload
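The restricted-access steps above, wrapped so that the Match block is added only once, removed by its marker, and syntax-checked before the reload. This is an added example, not MageStack's own script: the function names and the CONF variable are hypothetical, and it assumes account names contain only a-z, 0-9, "_" and "-".

```sh
#!/bin/sh
# Added example (not MageStack's own script). CONF can point at a copy for rehearsal.
CONF="${CONF:-/etc/ssh/sshd_config}"

# Assumption: account names use only a-z, 0-9, "_" and "-", so the
# #user# marker is safe to use as a grep/sed pattern.
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_-]*) echo "invalid username: $1" >&2; return 1 ;;
    esac
}

# Append the Match block from this page, tagged #user#, only if absent.
add_chroot_block() {
    valid_user "$1" || return 1
    if grep -qF "#$1#" "$CONF"; then
        return 0   # already present: a second run must not duplicate it
    fi
    cat >> "$CONF" <<EOF
Match User $1 #$1#
ChrootDirectory /microcloud/domains/$1/ #$1#
AllowTCPForwarding no #$1#
X11Forwarding no #$1#
EOF
}

# Delete every line carrying this user's marker (same sed as the page).
remove_chroot_block() {
    valid_user "$1" || return 1
    sed -i "/#$1#/d" "$CONF"
}

# Number of lines in CONF tagged for this user (0 when none).
count_marked() {
    grep -cF "#$1#" "$CONF" || true
}

# Parse CONF with sshd's test mode and reload only if it is accepted.
check_and_reload() {
    "$(command -v sshd)" -t -f "$CONF" && /etc/init.d/ssh reload
}
```

Run check_and_reload as root after either change; sshd -t exits non-zero on a configuration error, so a bad edit never reaches the running daemon. sshd also refuses a ChrootDirectory unless every component of the path is owned by root and not writable by group or others.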