[ec2] Connecting as non Ubuntu User

Scott Moser scott.moser at canonical.com
Wed Aug 26 15:35:52 BST 2009


On Wed, 26 Aug 2009, Rolo M wrote:

> I've launched an instance (Hardy) and I can connect fine via SSH using
> ubuntu@<hostname>.  I've created two other users, one for django, to
> run my apps, and one for my username, kolo.
>
> Would it be considered the best way of doing things to continue to
> connect via the ubuntu user, and then su to my kolo user account?  I

I'm not a security expert.  I could be way off base here.  It would seem
to me that you want as few "external facing" accounts (those that can be
connected to as ssh), and want those accounts to be reached in the fewest
ways possible.

The system is configured with PasswordAuthentication in /etc/sshd to 'no'.
Thus, the only way in is via ssh key.

I added a user 'kolo' and verified I could ssh in with the same key
registered to the ubuntu user.  I created by doing the following as
'ubuntu':

sudo adduser --disabled-password --ingroup admin --gecos "kolo,,," kolo
cd $HOME && tar -cpf - .ssh |  sudo -u kolo -i -- tar -xvf -

One common gotcha for failed ssh logins is .ssh directory or
.ssh/authorized_keys permissions.  The above makes sure they're consistent
with the 'ubuntu' user, and populates that key also.

I then allowed 'kolo' to be able to do passwordless 'su' via:

printf "kolo\tALL=(ALL) NOPASSWD:ALL\n" | sudo tee -a /etc/sudoers

That is less secure than using 'ALL:ALL' instead of 'NOPASSWD:ALL', but it
is needed if you need password-less sudo.

I did the above on the karmic alpha, but it "should work" on the hardy
image as well.

> Presuming I'm best to be connecting via my own account, I've put my
> SSH key in ~/.ssh/authorized_keys for both the ubuntu user and my own
> user, and in fact I can connect with the ubuntu user and authorize with
> my key now, but when I try and use my account I get Permission denied
> (publickey). (ssh output with -v is pasted below).

In general, to debug this you need the information from the other side.
The ssh server is not going to tell the user exactly why they can't log
in, as that is disclosing more information than need be.

> What am I missing?  Also, if I su to another user I lose the terminal
> colours.  I presume this is because it's not setting the shell
> correctly?  All of my user's shells are set to /bin/bash, is there
> some other setting I'm missing?  Will my ~/.bash* files get processed
> when I su?

In general, try using 'sudo' rather than 'su'.  It's nicer with shells and
such.  'sudo -i' will get the login files processed.

>
> Thanks loads for any assistance!  Sorry if it's a bit of a ramble.  Cheers.

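The procedure above (create a key-only user, give it the same authorized key, grant it sudo) as one script, added here as an example; it is not code from the original post. It assumes Debian/Ubuntu adduser(8), sudo's visudo(8), a find(1) that accepts -maxdepth, and the 'admin' group the post uses for sudo. It differs from the post's one-liners in three ways a practitioner cares about: it copies only authorized_keys rather than the whole ~/.ssh (which could carry private keys), it syntax-checks /etc/sudoers with visudo before replacing it instead of blindly appending with tee -a (one bad line disables sudo for everyone), and it re-checks the ownership and mode conditions that sshd's StrictModes enforces, which are the usual cause of "Permission denied (publickey)" when the key itself is fine. On images with a newer sudo, writing a drop-in under /etc/sudoers.d would be preferable to editing /etc/sudoers.

```shell
#!/bin/sh
# Added example (not from the original post): provision a key-only, sudo-capable
# login on an Ubuntu EC2 instance and verify what sshd's StrictModes checks.
# Assumptions: Debian/Ubuntu adduser(8), sudo's visudo(8), find -maxdepth,
# and the 'admin' sudo group used on the Hardy/Karmic images.
set -eu

# create_user NAME: no password hash, so an ssh key is the only way in.
create_user() {
    adduser --disabled-password --ingroup admin --gecos "$1,,," "$1"
}

# install_authorized_keys KEYFILE HOME USER GROUP
# Copies only the public keys (never the whole ~/.ssh, which may hold private
# keys) with the modes sshd insists on: .ssh 0700, authorized_keys 0600.
install_authorized_keys() {
    keyfile=$1; home=$2; user=$3; group=$4
    mkdir -p "$home/.ssh"
    cp "$keyfile" "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    chown -R "$user:$group" "$home/.ssh"
}

# writable_by_others PATH: true if the group or world write bit is set.
writable_by_others() {
    [ -n "$(find "$1" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]
}

# check_key_perms HOME USER
# Mirrors sshd's StrictModes rules: home, .ssh and authorized_keys must be
# owned by the user and not group/world writable, otherwise the key is
# silently ignored and the client only sees "Permission denied (publickey)".
check_key_perms() {
    home=$1; user=$2
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2; return 1
        fi
        if [ -n "$(find "$p" -maxdepth 0 ! -user "$user")" ]; then
            echo "not owned by $user: $p" >&2; return 1
        fi
        if writable_by_others "$p"; then
            echo "group/world writable: $p" >&2; return 1
        fi
    done
    return 0
}

# sudoers_line USER [nopasswd]: the sudoers entry; NOPASSWD only on request.
sudoers_line() {
    if [ "${2:-}" = "nopasswd" ]; then
        printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$1"
    else
        printf '%s ALL=(ALL) ALL\n' "$1"
    fi
}

# add_sudoers_entry USER SUDOERS [nopasswd]
# Appends the entry to a temporary copy, checks it with visudo -c, and only
# then installs it with the 0440 root:root mode sudo requires.
add_sudoers_entry() {
    user=$1; sudoers=$2; mode=${3:-}
    if grep -q "^$user[[:space:]]" "$sudoers"; then
        echo "$user already present in $sudoers" >&2; return 0
    fi
    tmp=$(mktemp)
    cat "$sudoers" > "$tmp"
    sudoers_line "$user" "$mode" >> "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        install -o root -g root -m 0440 "$tmp" "$sudoers"
        rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "refusing to install $sudoers: syntax check failed" >&2; return 1
    fi
}

# Usage on the instance, as root: sudo sh provision.sh kolo [nopasswd]
# Source key is the ubuntu user's authorized_keys, as in the post.
if [ $# -gt 0 ]; then
    create_user "$1"
    install_authorized_keys /home/ubuntu/.ssh/authorized_keys "/home/$1" "$1" admin
    check_key_perms "/home/$1" "$1"
    add_sudoers_entry "$1" /etc/sudoers "${2:-}"
fi
```

check_key_perms is also useful on its own when a new account fails with "Permission denied (publickey)": run it against that account's home as root and it names the offending path, which is the information the client-side ssh -v output deliberately does not give you.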