What is it

A server (and to some extent a computer) is usually shared between several people. But how could we do that?

One solution to allow several people access to a server is sharing the same credentials. But this comes with many issues:

• Everyone can modify the files of others
• Everyone can see the files of everyone, for example, an employee could look at files from HR and get the address of all the employees
• Generally, everyone can do everything, like shutting down the server or destroying the databases. And no one would know who did it at it would have been root.

The solution offered by Linux is the users.
That way every person who needs to access the server corresponds to a user. Each user has their username, password, and several other information.

The default user on a computer is root. This user is the main administrator, it can perform everything on the computer, even erase the hard drive (rm -rf /).
For security reasons, this user should never be used as the main user.
That is why we are going to see how to create a user.

How to create a normal user

Creating a user depends on the distribution of Linux you are using

Ubuntu

Ubuntu provides an easy-to-use tool to create a user, adduser.

To create the user test the command is the following.

sudo adduser test

You will then be prompted several questions to answer.

• The password, you have to choose a password.
  It cannot be an empty password.
  You can generate a random password using pwgen. We will cover more about passwords in another tutorial.
• The full name of the user: it can be empty.
  But is useful to easily differentiate between users.
• The room number of the user: it can be empty
• The work phone of the user: it can be empty
• The home phone of the user: it can be empty
• Other information about the user: it can be empty

Option for normal user

Several options can be used when creating a user.
Here is a short sample:

• --disabled-login
  Do not set the password. It will prevent the user from being able to log in before a password is set for the user.
• --disabled-password
  Similar to the previous one, but still allows connection without a password, for example, SSH with keys.
• --home <dir>
  Specify the home directory of the user. If not specified the default one is created, usually /home/<username>
• --no-create-home
  Do not create the home directory. Useful for users who can log in but will never save data on the server.
• --shell <bin>
  Specify the default shell of the user.

System User

The file /etc/passwd contains the list of all users on the server.
And if you look at yours you will see many more than just the one you created. Why would you ask?
They are system users.

Many software needs to run tasks in the background that are not run by a specific person. For example, your web server needs to serve the requests but each request does not necessarily correspond to one of the employees. So with which user should the software run?

The Linux solution was to create what is called system users. They are users who do not correspond to real people but rather to a specific software or service.
For example, the system user for your web server is usually called www-data.

As these system users do not correspond to real people, they do not have personal information or a home directory. Usually, they can not even log in.

Creating a system user can sometimes be useful for example for crontab or other things. This is done with the option --system, like the following command.

sudo adduser --system test

Groups

What is it

We saw in the previous section that we can manage the right on a user basis.
But do we need to configure the right for all the members of a team or how can several people share the ownership of files?

To do so, Linux uses what is called groups. This way we can share rights across several users without configuring every user separately.

A user always has a main group, usually named after him, and additional groups.

While the names of standard groups can vary, here are some of them:

• adm: the group of system administrators
• sudo: the group of users allowed to sudo as root
• docker: the group of users allowed to run docker commands
• wireshark: the group of users allowed to use Wireshark and as such listen to network traffic
• www-data: the default group of the web server, useful for web dev to be able to edit the file of the web server without messing with the right of the web server

Adding a group to a user

Now that we have identified which groups are relevant to add to our users, how do we do it?
We are going to modify them with the command usermod.

For example, to add the sudo group to the test user, we use the following command.

sudo usermode test -aG sudo

Creating a group

Sometimes it can be interesting to create a group, for example, for a specific team, to allow them to share folders.
To do so, we use the command addgroup as in the following.

sudo addgroup <team>

This tutorial is mainly inspired by the man page of adduser and addgroup

Why is it useful

An SSH Key is a means to secure the authentication to an SSH server.
It allows a more robust connection to the server compared to password authentication. We will see in another tutorial how to set up this authentication on a server.

When authenticating to a server with your SSH key, your client will choose a key that is recognized by the server and then ask you the passphrase for this key. This passphrase will be used only by your computer to decipher your private key in order to prove to the server that you are who you say you are.

Example of use:

• SSH Server
  Most SSH servers are configured to accept SSH Keys as a means of connection and many of them only accept this means of connection.
  It is more secure and easier to use for the user. Many operating systems carry an SSH Agent (software that stores unlocked SSH Keys) which prevents having to type every times the passphrase to the key; making the connections look instantaneous without user input
• Git server
  For example, GitHub, GitLab, and GitTea use SSH connection to perform remote actions on Git repositories, such as fetching, pushing, cloning, …
  Using an SSH connection allows easier use of git; you do not need to authenticate every time using your username and your password.

What is it

An SSH Key is composed of two files/keys:

• The private key: it is usually named id_<something>.
  This file is, most of the time, protected by a passphrase, it should never be shared, copied, or moved.
  As its name suggests, it is private, it is the part of the key that proves you own the key. If someone were to acquire this file and break its passphrase it could impersonate you for the service that recognizes this key.
• The Public Key: it is usually named like the private key but ends with a .pub.
  This file can be shared with anyone you want to identify you; for example an SSH server, GitHub, GitLab, …

These files are most of the time stored in a folder name .ssh in your home. For example on Linux, the folder is $HOME/.ssh

How does it work

The working principle of the SSH Key:

1. Your computer will look at available SSH Keys in specific folders, usually .ssh
2. It will propose some keys to the SSH Server
3. If one of the keys is recognized by the server, the server will offer to continue the authentication using this key
4. The server then generates a message, cipher it with the public key, and sends it to you
5. Your client then deciphers it using your private key (that is the moment when it asks for the passphrase) and sends back the deciphered message to the server
6. If the message is the correct one, the server recognizes you as the rightful person and connects you

This works because something ciphered with the public key can only be deciphered using the private key. Using any other method would be too hard. With keys strong enough, the current best computer (and the one in the foreseeable future) would take longer than the age of the Univers to decypher it without the private key.

Creating an SSH Key

In this post, we are going to cover how to create an SSH Key.
This is aimed to be used on Linux but should be working on Windows and MacOS

To create the key, we are going to use the ssh-keygen utility.
It should already be installed on your computer. If this is not the case, you can install it by installing openssh-client or openssh-clients depending on your distribution.

Choosing the key type

Several types of keys are available. The main two are the following.

• RSA Keys: RSA is a rather old protocol (1977) based on the factoring of large prime numbers.¹
  While still being pretty robust, it needs rather big keys to offer satisfactory security.
• ED25519 Keys: ED25519 is a newer protocol (2011) based on EdDSA using elliptic curves.²
  It is faster and requires smaller keys to have the same security as RSA. But being newer, some old systems may not support it.

Some other schemes exist (DSA, ECDSA) but are not relevant here, DSA is obsolete and ECDSA is harder to configure while offering similar security.

Choosing the key length

• RSA Keys: I recommend using a key of 4096 bits, as it is currently the longest available.
  Under 2048 bits the key cannot be considered secure.
  The default length is 3072 bits and is considered sufficient.
• ED25519: These keys have a fixed length (256 bits), so we do not need to choose.

Create the key

Now that we know what to take into account to create a key, we are going to create one.

Using the following command create the default ED25519 key.

ssh-keygen -t ed25519

To create the default RSA key of 4096 bits, we would use the command :

ssh-keygen -t rsa -b 4096

To go further

Adding a comment

By default, the comment of the created key is <username>@<computer>.
You can change this to be anything, for example, a message about the use of the key.

This is done with the option -C:

ssh-keygen -C "Comment"

Specifying the password

By default, you will be prompted to enter the passphrase, but you can specify it directly in the command, using the option -N:

ssh-keygen -N "<passphrase>"

Specifying the file

By default, you will be prompted to set the path and filename to store the key, usually ~/.ssh/id_<type>.
You can change this behavior by specifying the path with the option -f:

ssh-keygen -f "$HOME/.ssh/id_git"

This tutorial is mainly inspired by the man page of ssh-keygen

1. https://en.wikipedia.org/wiki/RSA_(cryptosystem) ︎
2. https://en.wikipedia.org/wiki/EdDSA#Ed25519 ︎