Creating an SSH-Enabled User on an Oracle Cloud Infrastructure Compute Classic Oracle Linux Instance

Before You Begin

Purpose

This tutorial shows you how to create an SSH-enabled user on a Compute Classic Oracle Linux instance and grant sudo privileges to the new user.

Time to Complete

15 minutes

Background

When you create a Compute Classic instance using an Oracle-provided Oracle Linux image, a user named opc is created automatically. You can use ssh to log in to your instance as the opc user, using the SSH private key that corresponds to the SSH public key that you specified while creating the instance. After you have logged in to your instance as the opc user, you can create additional SSH-enabled users on your Compute Classic instance.

Note: When a Compute Classic instance that is set up to boot from a nonpersistent boot disk is stopped and re-created, any OS-level changes you may have made before the instance was stopped, including user creation, are lost.

What Do You Need?

You must know the public IP address of the Compute Classic instance on which you want to create new users. In this tutorial, we assume that the public IP address of your instance is 203.0.113.5

Generating an SSH Key Pair

On a local machine (not the Compute Classic instance), generate an SSH key pair for use by the new user, as shown in the following example.

When you are prompted for a file name, enter a file name of your choice. When you are prompted for a passphrase, press Enter to proceed without a passphrase.

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/joe/.ssh/id_rsa): /home/joe/.ssh/myadmin
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/joe/.ssh/myadmin.
Your public key has been saved in /home/joe/.ssh/myadmin.pub.
The key fingerprint is:
e1:e0:f7:31:83:96:a5:8d:f6:f7:9c:1d:cb:2d:3e:7f joe@abc01234
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|      . . .      |
|     . o O       |
|      . S =      |
|       + o +     |
|          o .  . |
|           . o+oE|
|             .=*=|
+-----------------+

In this example, the private key is stored in /home/joe/.ssh/myadmin, and the public key is stored in /home/joe/.ssh/myadmin.pub.

Copy the public key value to a text file. You'll need this value later in this tutorial.

$ cat /home/joe/.ssh/myadmin.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuOb4NO1l6QckeVgk/8ZdJc8UkfYYK/8CiAewxZdMRkuTMmjmmgr21ulRd4MompURb+Xw/cVOlK2eaBJRL9TXzG2Mf5gj8lyeve2GoIhiFXrV6bU9DlVSrf+y3BqNMixsF1/aSizP2PHmnECZyWdIKi5KdvNtyVE6f5Ul/286yJf3LCNP+bKLHv6uL8KwhArlz8cfv1OGYpzVW6e7Ja824RdHRTXOuh7JAR/1tGtd9lbZW/qqClyJlSbWVOh46l/2DdqoWQx6L7qzW3AzWVnTniFY4T8W06qT9pNbE08ygyCPVRfu8ZlBmRihFYRxdX4wm1P5qWj7RVhfmpq/AFrEyQ== joe@abc01234

Creating a User and Enabling SSH Access for the User

Use ssh to connect as the opc user to the Compute Classic instance on which you want to create a new user.

In the ssh command, use the -i option to provide the private key that corresponds to the public key that you specified while creating the Compute Classic instance.

Example:
```
$ ssh -i ~/.ssh/occs opc@203.0.113.5
```
If this is the first time you're logging in to the instance, a message similar to the following is displayed:
```
The authenticity of host '203.0.113.5 (203.0.113.5)' can't be established.
RSA key fingerprint is 95:65:90:6f:10:0d:ff:d8:f1:cb:d0:21:d3:30:2e:b3.
Are you sure you want to continue connecting (yes/no)?
```
At the prompt, enter yes to proceed.

The following message is displayed:
```
Warning: Permanently added '203.0.113.5' (RSA) to the list of known hosts.
Authorized uses only. All activity may be monitored and reported.
```
To add users, you must be the root user. Enter the following command:
```
[opc@joedb ~]$ sudo su
```
Create a user, say myadmin.
```
[root@joedb opc]# useradd myadmin
```
Create a .ssh directory in the new user's home directory.
```
[root@joedb opc]# mkdir /home/myadmin/.ssh
```

Copy the public key value that you noted in step 2 of Generating an SSH Key Pair to the /home/myadmin/.ssh/authorized_keys file on the Compute Classic instance.

[root@joedb opc]# echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0ibAEmysI4o1zfb4dOJIyaN67pya8AnOozVewilpv560jiagTzwrPG8bmK4GL3KEUc3lxZ/Xhj7RvdOD0qMAx0fFB3r80ZSy1KlkIXwKumUY+YBMyn1xdMluWS/J4JWKBpuoOMNTGy7QdCPIHrt07OnwSxvZsoyTsh9QZ/eJv4qR0YaFkAHyH9Si2hTC/6G6CZdXkw93LyEtW1ykxxkSJB6JYwB8FsBMcXPvYJ5CiR30fKqo6GP+WTz1xbTbahLLO31mx/qSDntcXEYgfpw7Abi8W6LSkExFOxrsKir8QqZregznVeWPiht9kf4PT9C3WOoDzA0aF1q+g1CJ1EhZow== joe@abc01234" > /home/myadmin/.ssh/authorized_keys

Verify that the public key was copied successfully to the Compute Classic instance.

[root@joedb opc]# cat /home/myadmin/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0ibAEmysI4o1zfb4dOJIyaN67pya8AnOozVewilpv560jiagTzwrPG8bmK4GL3KEUc3lxZ/Xhj7RvdOD0qMAx0fFB3r80ZSy1KlkIXwKumUY+YBMyn1xdMluWS/J4JWKBpuoOMNTGy7QdCPIHrt07OnwSxvZsoyTsh9QZ/eJv4qR0YaFkAHyH9Si2hTC/6G6CZdXkw93LyEtW1ykxxkSJB6JYwB8FsBMcXPvYJ5CiR30fKqo6GP+WTz1xbTbahLLO31mx/qSDntcXEYgfpw7Abi8W6LSkExFOxrsKir8QqZregznVeWPiht9kf4PT9C3WOoDzA0aF1q+g1CJ1EhZow== joe@abc01234

To enable SSH access for the new user, edit the AllowUsers parameter in the /etc/ssh/sshd_config file by using vi or any other text editor.

The default AllowUsers setting in /etc/ssh/sshd_config is:
```
AllowUsers oracle opc
```
Change the AllowUsers setting as shown below:
```
AllowUsers oracle opc myadmin
```
Change (recursively) the owner and the group of the /home/myadmin/.ssh directory from root to the new user, myadmin.
```
[root@joedb opc]# chown -R myadmin:myadmin /home/myadmin/.ssh 
```

Restart the sshd service.

[root@joedb opc]# /sbin/service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

Enabling `sudo` Privileges for the New User

To enable sudo privileges for the new user, edit the /etc/sudoers file by using the visudo command:
```
sudo visudo -f /etc/sudoers
```
Note: This step must be done by the root user or by any other user who has sudo privileges. On instances creating using Oracle-provided Oracle Linux images, the opc user has sudo privileges.

In /etc/sudoers, look for the following line:
```
%opc    ALL=(ALL)       NOPASSWD: ALL 
```
Add the following line right after the above line:
```
%myadmin   ALL=(ALL)       NOPASSWD: ALL
```
Here, myadmin is the autocreated group to which the new myadmin user belongs.
Exit the root user session and exit from the Compute Classic instance.

You can now use ssh to log in to the Compute Classic instance as the myadmin user, by using the private key that you generated in step 1 of Generating an SSH Key Pair.

$ ssh -i /path/to/private/key myadmin@203.0.113.5
Authorized uses only. All activity may be monitored and reported.
[myadmin@joedb ~]$

Note: When a Compute Classic instance that is set up to boot from a nonpersistent boot disk is stopped and re-created, any OS-level changes you've made, including user creation, are lost.

Want to Learn More?

Reserving a Public IP Address in Using Oracle Cloud Infrastructure Compute Classic
Attaching an IP Reservation to an Instance in Using Oracle Cloud Infrastructure Compute Classic
Creating a Bootable Storage Volume in Using Oracle Cloud Infrastructure Compute Classic

Credits

Lead Curriculum Developer: Kumar Dhanagopal
Other Contributors: Octave Orgeron, Vimal Patel, Anamika Mukherjee