I will show you how to organise groups and users in CentOS.
As an example we will create an account for a user named developer. The purpose of this account is:
- logging in via SSH instead of using the root account
- access to the sudo command for management tasks
- write access to website files
- read access to logs
Create a list of available groups
If you are on a fresh system it's handy to create a list of all available groups. It's also handy to check which users belong to those groups. It might be helpful after some time, when you need to decide whether a given group was there at the beginning or whether it can be safely removed. The getent command can help you with that.
getent group > /etc/initial-group-list
cat /etc/initial-group-list
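To make the "was this group here at the beginning?" decision later, the saved snapshot can be compared with the current state. The script below is an added example, not part of the original post: both snapshots are constructed inline so it runs offline; on a real host pass /etc/initial-group-list and a fresh `getent group` output instead.

```shell
# Added example: compare a baseline getent snapshot with the current one.
# LC_ALL=C keeps sort(1) and comm(1) in agreement on ordering.
LC_ALL=C
export LC_ALL

# Constructed sample snapshots (stand-ins for /etc/initial-group-list and `getent group`).
BASELINE=$(mktemp)
CURRENT=$(mktemp)
cat > "$BASELINE" <<'EOF'
root:x:0:
wheel:x:10:
apache:x:48:
EOF
cat > "$CURRENT" <<'EOF'
root:x:0:
wheel:x:10:developer
www:x:1001:developer,nginx
EOF

# Group names (first field), sorted so comm(1) can compare the two sets.
group_names() { cut -d: -f1 "$1" | sort; }

# Join lines with commas into one line.
join_lines() { awk '{ printf "%s%s", (NR > 1 ? "," : ""), $0 } END { print "" }'; }

# Groups present now but absent from the baseline: the ones created after install.
groups_added() {
  a=$(mktemp); b=$(mktemp)
  group_names "$1" > "$a"; group_names "$2" > "$b"
  comm -13 "$a" "$b" | join_lines
  rm -f "$a" "$b"
}

# Groups in the baseline that no longer exist.
groups_removed() {
  a=$(mktemp); b=$(mktemp)
  group_names "$1" > "$a"; group_names "$2" > "$b"
  comm -23 "$a" "$b" | join_lines
  rm -f "$a" "$b"
}

# Members of a group (fourth field), to judge whether it is still in use.
# usage: group_members SNAPSHOT_FILE GROUP_NAME
group_members() { awk -F: -v g="$2" '$1 == g { print $4 }' "$1"; }

echo "added since baseline:   $(groups_added "$BASELINE" "$CURRENT")"
echo "removed since baseline: $(groups_removed "$BASELINE" "$CURRENT")"
echo "members of www:         $(group_members "$CURRENT" www)"
```

Only the group name is compared, so a group whose membership changed (wheel above) is reported as neither added nor removed; group_members is there to inspect such cases by hand.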
Remove a group from the system
If you need to remove a group from CentOS, simply use the following command:
sudo groupdel NAME_OF_THE_GROUP_TO_DELETE
Create a new group
In order to create a group you need to use the groupadd command:
sudo groupadd NAME_OF_THE_NEW_GROUP
I usually add a group named www (or www-data, whatever works for you). To this group I add PHP daemons, nginx workers etc. It makes life easier when writing to files. In order to create such a group execute the following command:
sudo groupadd www
Create a list of available users
Same as with groups, I like to have a list of the initial users. In order to create such a list you can use getent too:
getent passwd > /etc/initial-users-list
cat /etc/initial-users-list
Delete a user from CentOS
In case you would like to remove a user from the system, use the following command:
sudo userdel -r USERNAME_TO_REMOVE
The -r flag will also remove the user's home directory. If you wish to delete the user but keep their files, omit this flag.
Create a new user in CentOS
Let's create the new user developer that we mentioned at the beginning:
sudo adduser developer
and set the password for the account:
sudo passwd developer
If you want to add the developer user to the www group created before, use the usermod command (the -a flag appends www to the user's supplementary groups; a plain -g would instead replace the primary group):
sudo usermod -aG www developer
If you want to give this user sudo powers (and you should if you want to use this user instead of root), add it to the wheel group. wheel is a special group in CentOS configured in the sudoers file. Whoever belongs to this group can have sudo powers.
sudo usermod -aG wheel developer
Optional parameters of the useradd command
There are a lot of additional parameters for the useradd command, but two are especially useful.
The first one is helpful when you don't want to create a user home directory. It means that the user will not have its own place under the /home directory to store its files. This option is helpful when you are creating a user for a system service like Apache httpd, for instance. So in order to create a user with no home directory use --no-create-home:
sudo useradd httpd --no-create-home
Another useful feature is specifying the shell of a given user. It's handy if you want to cut off the possibility to log in to the system via SSH, for instance. Add --shell /sbin/nologin to disable login for the given user, like so:
sudo useradd httpd --shell /sbin/nologin --no-create-home
You can use the --shell and --no-create-home parameters separately :)
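The net effect of the commands above (primary group, supplementary groups such as www and wheel, home directory, login shell) is all recorded in the passwd and group databases, so it can be audited after the fact. The script below is an added example, not part of the original post: it reads constructed sample databases so it runs offline; on a real CentOS host point PASSWD_DB and GROUP_DB at /etc/passwd and /etc/group (or the output of `getent passwd` / `getent group`).

```shell
# Added example: audit what each account can do, from passwd and group data.
LC_ALL=C
export LC_ALL

# Constructed sample databases standing in for /etc/passwd and /etc/group.
PASSWD_DB=$(mktemp)
GROUP_DB=$(mktemp)
cat > "$PASSWD_DB" <<'EOF'
root:x:0:0:root:/root:/bin/bash
developer:x:1000:1000::/home/developer:/bin/bash
httpd:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
EOF
cat > "$GROUP_DB" <<'EOF'
root:x:0:
wheel:x:10:developer
www:x:1001:developer,httpd
developer:x:1000:
httpd:x:48:
EOF

# Primary group: resolve the GID (passwd field 4) to a group name.
# This is the field `usermod -g` changes.
primary_group() {
  gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$PASSWD_DB")
  awk -F: -v g="$gid" '$3 == g { print $1 }' "$GROUP_DB"
}

# Supplementary groups: every group whose member list (group field 4) names the user,
# sorted and comma-joined. This is the list `usermod -aG` appends to.
supplementary_groups() {
  awk -F: -v u="$1" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$GROUP_DB" \
    | sort | awk '{ printf "%s%s", (NR > 1 ? "," : ""), $0 } END { print "" }'
}

# Login shell (passwd field 7).
login_shell() { awk -F: -v u="$1" '$1 == u { print $7 }' "$PASSWD_DB"; }

# Interactive login is possible unless the shell is nologin/false (or the user is unknown).
can_login() {
  case "$(login_shell "$1")" in
    */nologin|*/false|"") return 1 ;;
    *) return 0 ;;
  esac
}

# sudo via the wheel group, whether it is the primary or a supplementary group.
can_sudo() {
  [ "$(primary_group "$1")" = wheel ] && return 0
  case ",$(supplementary_groups "$1")," in *,wheel,*) return 0 ;; esac
  return 1
}

# One summary line per account.
report() {
  for u in $(cut -d: -f1 "$PASSWD_DB"); do
    login=no; can_login "$u" && login=yes
    sudo=no;  can_sudo "$u"  && sudo=yes
    printf '%-10s primary=%-10s supplementary=%-12s shell=%-13s login=%s sudo=%s\n' \
      "$u" "$(primary_group "$u")" "$(supplementary_groups "$u")" "$(login_shell "$u")" "$login" "$sudo"
  done
}

report
```

Run on a real host, the report makes it easy to spot a service account that still has an interactive shell, or an account that landed in wheel by accident.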
How to set up SSH keys for the newly created user?
Each user should have an RSA key pair. It makes life easier and you should use it if you want to log in to different servers, use Git etc. In order to create such a key pair you first need to log in as the user you created. Most probably you are using the root account to execute all commands, but you should never ever log in via SSH as root.
It's much better to create a separate user for system management and use only that account. Log in via SSH to your server with the account you created. In my case it's the developer user, so my command looks like this:
ssh developer@IP_OF_THE_SERVER_HERE
Once you are logged in (after providing the password), you can create the RSA key pair. Execute the following command:
ssh-keygen -t rsa -b 4096
-t rsa means that it will be an RSA key; this is the standard for creating SSH keys. The fun part is the strength of the key, -b 4096. By default it's 1024 bits, but to make it harder to break I usually provide 4096. It's not necessary, but you should do that. Some services require the key length to be a minimum of 2048 bits, but it's better to create an even longer one.
The generator will ask you some questions, but you should generally confirm them with Enter and leave the defaults. When it comes to SSH on the server, I usually don't set a passphrase. It makes life easier in automated scripts etc.
After that the private and public keys should be generated as expected. You can find them in the ~/.ssh directory.
Add an authorized key to the user
In order to log in to the server with SSH keys instead of a password, you need to add an authorized key to the developer user. In my opinion it's a must-have feature, as password login is super risky. Again, been there, done that, I was hacked, even when my password was strong. With SSH key login even the strongest brute-force attack will fail :)
You need to add your key to ~/.ssh/authorized_keys on the server. If you have the ssh-copy-id command available, just execute:
ssh-copy-id developer@IP_OF_YOUR_SERVER
Make sure that you are executing this command from your computer, not from the server. If you don't have an SSH key created locally, you can generate it in the same way as on the server, using the ssh-keygen command.
If you don't have ssh-copy-id available (for instance on Windows), you can do it manually.
ssh developer@IP_OF_YOUR_SERVER
cd ~/.ssh
vi authorized_keys
# Press "i" to enter insert mode, paste your public key there (usually a right click of the mouse), then type :wq (colon, w, q) to save and quit vi
chmod 600 authorized_keys
So here is how it goes:
- ssh to the server as usual with the password.
- Change location to the .ssh directory.
- Create the authorized_keys file with vi.
- Paste your local public key there, save the file and quit.
- Set permissions on authorized_keys.
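The same manual steps, written as one function that can be re-run safely. This is an added example, not part of the original post: it validates the key line before installing it, creates ~/.ssh with mode 700 and authorized_keys with mode 600, and appends the key only if it is not already there. The public key in the script is a constructed placeholder, not a real key, and the home directory is a temporary one; on the server you would pass the real home directory and the contents of your local id_rsa.pub.

```shell
# Added example: idempotent manual installation of a public key into authorized_keys.
umask 077   # anything this script creates is private to the user by default

# install_authorized_key HOME_DIR "PUBLIC_KEY_LINE"
install_authorized_key() {
  home=$1; key=$2
  # An authorized_keys line is "<type> <base64 blob> [comment]".
  type=${key%% *}; rest=${key#* }; blob=${rest%% *}
  case "$type" in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "refusing key with unsupported type: $type" >&2; return 1 ;;
  esac
  if [ "$blob" = "$key" ] || ! printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
    echo "refusing key: second field is not base64" >&2; return 1
  fi
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
  # Type and blob identify the key; a different comment does not make it a new key.
  if ! grep -Fq -- "$type $blob" "$home/.ssh/authorized_keys"; then
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
  fi
}

# Number of key lines installed for a home directory.
key_count() { wc -l < "$1/.ssh/authorized_keys" | tr -d ' '; }

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
perm_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Demonstration on a temporary home directory with a constructed placeholder key.
DEMO_HOME=$(mktemp -d)
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnotarealkey0000000000000000000000 developer@laptop'
install_authorized_key "$DEMO_HOME" "$SAMPLE_KEY"
install_authorized_key "$DEMO_HOME" "$SAMPLE_KEY"   # second run must not add a duplicate
echo "keys installed: $(key_count "$DEMO_HOME")"
echo ".ssh mode: $(perm_of "$DEMO_HOME/.ssh"), authorized_keys mode: $(perm_of "$DEMO_HOME/.ssh/authorized_keys")"
```

sshd ignores authorized_keys when the file or the .ssh directory is writable by others, which is why the modes are set explicitly rather than left to whatever umask the interactive session happens to have.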
Test ssh login with keys
Now you can try to log in with your key.
ssh -i path/to/your/PRIVATE/key/file developer@IP_OF_YOUR_SERVER
You shouldn't be prompted for your account password!
Easier way?
If you don't want to spend your precious time executing each of these commands by hand, you can use Ansible and our LAMP on steroids project to speed things up!
If you don't know what Ansible is, you can read our tutorial about it here.
LAMP on steroids project is available on GitHub here.