Adding an SSH user

Adding an SSH user is performed over SSH. Log into your acc server and switch user to root:

su -l root
/microcloud/scripts_ro/create_ssh_user.sh -h

There are a number of options that can be supplied to create an SSH user:

create_ssh_user.sh Usage:

create_ssh_user.sh [-r] [username]

  username       Username (eg. media_user)

  -r             Remove user
  -w             Do not share ID with www-data

The -w option is a powerful flag that dictates how the new user account will behave. For the simple purpose of adding new users, where per-user security is not of paramount concern (i.e. the individual SSH accounts exist solely to provide individual environments), users should be created without the -w option.

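If security is not the reason for a new account then the -w flag should be omitted. This will create a new user with the same ID as www-data. Because the account shares the www-data ID, the system treats it as www-data for every permission check, which ensures consistent, problem-free file/directory ownership whilst still giving each user an independent environment.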

If security is the reason for a new account then the -w flag should be provided. This will create a new user with a different ID to that of the www-data user. The user will still belong to the www-data group, and through the native use of the setgid bit (the "sticky group bit") on directories, new files/directories created in any document root will still possess the www-data group (thus reducing the potential for file/directory permission issues). This option is recommended only for advanced users who fully understand the impact it will have on file permissions and management.

Examples

Full access

To create a user with access to all domain groups/vhosts.

Create user

To create a user called example

/microcloud/scripts_ro/create_ssh_user.sh example

Remove user

To remove a user called example

/microcloud/scripts_ro/create_ssh_user.sh -r example

Note: SSH users can be added using conventional tools such as adduser or useradd, but in order to preserve the correct permissions on MageStack, inexperienced users are recommended to use the script provided.

Restricted access

To create a user with access to a specific domain group only.

Create user

To create a user whose name matches that of the domain group, e.g. for the domain group example:

/microcloud/scripts_ro/create_ssh_user.sh example

Then, as root, edit /etc/ssh/sshd_config and append the following to the end of the file. The #example# tag on each line is what the removal step further down matches on,

Match User example #example#
    ChrootDirectory /microcloud/domains/example/ #example#
    AllowTCPForwarding no #example#
    X11Forwarding no #example#

Then reload SSH,

/etc/init.d/ssh reload

Remove user

To remove the user example

/microcloud/scripts_ro/create_ssh_user.sh -r example
sed -i '/#example#/d' /etc/ssh/sshd_config
/etc/init.d/ssh reload
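
The restricted-access create and remove steps above, wrapped as idempotent shell functions; this is an added example, not part of MageStack or its scripts. The function names, the CONF variable and the username character restriction are assumptions, and sshd -t is used to syntax-check the file before the reload.

```shell
#!/bin/sh
# Added example, not MageStack code. Function names, CONF and the username
# character set are assumptions made for this sketch.
CONF="${CONF:-/etc/ssh/sshd_config}"   # point at a copy to rehearse safely

# Accept only names that are safe inside the "#user#" tag and the path.
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Append the chroot block for user $1 unless its tag is already present.
add_chroot_block() {
    valid_user "$1" || return 2
    if grep -qF "#$1#" "$CONF"; then
        return 0    # already configured; do not stack duplicate Match blocks
    fi
    cat >> "$CONF" <<EOF
Match User $1 #$1#
    ChrootDirectory /microcloud/domains/$1/ #$1#
    AllowTCPForwarding no #$1#
    X11Forwarding no #$1#
EOF
}

# Drop every line carrying the "#user#" tag, matched as a fixed string.
remove_chroot_block() {
    valid_user "$1" || return 2
    tmp=$(mktemp) || return 1
    # grep exits 1 when no lines remain; only a status above 1 is an error.
    grep -vF "#$1#" "$CONF" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$CONF"    # rewrite in place so owner and mode are kept
    rm -f "$tmp"
}

# Reload only if sshd accepts the edited file (sshd -t is its test mode).
check_and_reload() {
    sshd -t -f "$CONF" && /etc/init.d/ssh reload
}
```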