If we’re managing a Linux server and looking to enhance its security, a great step we can take is to create user accounts that can only log in using SSH keys, rather than relying on passwords.
This approach helps us protect against brute-force attacks and unauthorized access attempts that target weak or compromised passwords.
In this guide, we'll walk through the steps to create a new user with a home directory, and configure our server to allow login for this user exclusively through SSH key-based authentication.
By doing so, we’ll establish a more secure and reliable access method for our server.
1. Create the User with a Home Directory
Run the following command to create the user (the examples below use general as the username) with a home directory:
sudo useradd -m -s /bin/bash <username>
-m: Creates the home directory (/home/<username>, i.e. /home/general in this example).
-s /bin/bash: Sets /bin/bash as the default login shell for the user.
2. Configure SSH Key-Only Login
To disable password login and allow only SSH key-based access, follow these steps:
1. Lock the user's password to prevent password login:
sudo passwd -l <username>
This command locks the account for password-based login.
2. Set up SSH keys for the user:
- Switch to the new user:
sudo su - <username>
- Create the .ssh directory in the user's home directory and set the correct permissions:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
- Create or copy the authorized_keys file with the allowed public SSH key and set the correct permissions:
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Paste the public SSH key (e.g., id_rsa.pub) into the ~/.ssh/authorized_keys file.
Exit the new user's shell to return to your own account:
exit
3. Verify SSH Configuration
Edit the SSH configuration file to ensure that SSH key authentication is allowed:
sudo nano /etc/ssh/sshd_config
Make sure you have the following settings:
PubkeyAuthentication yes
If the setting is commented out (#PubkeyAuthentication yes), it will still work correctly, as the default value for PubkeyAuthentication is yes.
If you changed the PubkeyAuthentication setting, save the file and restart the SSH service:
sudo systemctl restart sshd
4. Test SSH Access
Now, try logging in as the newly created user via SSH:
ssh <username>@server-ip -i path/to/private/key
You should only be able to log in if you have the private key corresponding to the public key set up in ~/.ssh/authorized_keys.
This completes the setup for the user to authenticate exclusively via SSH key!
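The steps above, gathered into a script that provisions the key-only user and then audits the result the way sshd's StrictModes does (wrong modes on ~/.ssh or authorized_keys silently make key login fail). This is an added example, not code from the original post; the function names are hypothetical, and it assumes a Linux host with GNU coreutils (stat -c) and shadow-utils (passwd -S).

```bash
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.
# Assumes Linux with GNU coreutils (stat -c) and shadow-utils (passwd -S).
set -eu

# Create the user, lock its password and install one public key.
# Requires root. $1 = username, $2 = one public key line (e.g. contents of id_rsa.pub).
provision_key_user() {
    user=$1; pubkey=$2
    home="/home/$user"
    id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"
    passwd -l "$user" >/dev/null                 # lock password login; key login is unaffected
    install -d -m 700 -o "$user" -g "$user" "$home/.ssh"
    printf '%s\n' "$pubkey" > "$home/.ssh/authorized_keys"
    chown "$user:$user" "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Audit a home directory's SSH setup: ~/.ssh must be 700, authorized_keys 600,
# and the file must hold at least one line that looks like a public key.
# Takes the home directory path so it can be run against any location. Returns 0 if OK.
audit_ssh_dir() {
    home=$1
    [ "$(stat -c %a "$home/.ssh")" = "700" ] \
        || { echo "bad mode on $home/.ssh (expected 700)"; return 1; }
    [ "$(stat -c %a "$home/.ssh/authorized_keys")" = "600" ] \
        || { echo "bad mode on $home/.ssh/authorized_keys (expected 600)"; return 1; }
    grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ' "$home/.ssh/authorized_keys" \
        || { echo "no valid key line in authorized_keys"; return 1; }
    return 0
}

# Confirm the account's password is locked: passwd -S prints L in the second field.
password_locked() {
    [ "$(passwd -S "$1" 2>/dev/null | awk '{print $2}')" = "L" ]
}
```

Run provision_key_user as root, then audit_ssh_dir /home/<username> and password_locked <username> should both succeed before you test the login in step 4.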