
I have a VPS running Debian, accessed via SSH. Following a guide I set up a user via "adduser --disabled-login username", which from my understanding is so that the user is separate from root and can't be logged into, but root should be able to sidestep this via "su username". However, this throws a "This account is currently not available." error. From more research it seems that accounts with "/sbin/nologin" are not intended for shell use, and while you can circumvent/change this it is not a good idea/recommended? Maybe I'm misunderstanding something, but my goal is to set up a sub-user to run a server client with the bare minimum of privileges required, which in itself is only accessible for and from the root user.
Also I have a root password for which SSH login is possible, but I want to disable that so the SSH key is the only thing that can authenticate the login. Is adding/changing the line "PasswordAuthentication no" in sshd_config the right thing to do, or is it something else, or does it require additional steps?

https://linustechtips.com/topic/1630944-server-users-on-a-vps/

1 hour ago, Darkrai said:

adduser --disabled-login username

Surely this creates a disabled account? That's what a few minutes of rooting around on Google says this does: the account is disabled.

This isn't an area of expertise, but maybe someone can confirm: surely, to not allow a user access to things requiring root, you simply elect not to add them to the su file?


Linux isn't my area of expertise, I'm more of a Windows guy, but a Google search revealed:

Quote

"adduser --disabled-login" sets the user’s shell to /usr/sbin/nologin, so even root can’t su into it. That’s expected behavior. These users are meant as service accounts, not interactive shells. 

If the goal is least privilege for running a service, this is actually the correct setup: run commands as that user with sudo -u username or via systemd (User=username).

Only give the user a real shell if you explicitly need interactive access.

For SSH: yes, set "PasswordAuthentication no" (after confirming key auth works, otherwise you'd get locked out) and use "PermitRootLogin prohibit-password" so root can only log in via SSH keys. (But this is a bit overkill in my opinion; if you don't port forward the SSH port to the internet, you have nothing to worry about.)

I googled all this, so take my word with a pinch of salt; make backups before you do any meaningful changes. And I personally don't recommend using the root user for anything unless strictly necessary: give your normal user sudo privileges and use that instead. It's more secure. I would disable password login for the root user entirely.


1 hour ago, whispous said:

Surely this creates a disabled account? That's what a few minutes of rooting around on Google says this does: the account is disabled.

It's an account that can't sign in interactively, which is what you want for a service account for security reasons. No need for someone to be able to sign in as this user through a terminal.

 

2 hours ago, Darkrai said:

Also I have a root password for which SSH login is possible, but I want to disable that so the SSH key is the only thing that can authenticate the login. Is adding/changing the line "PasswordAuthentication no" in sshd_config the right thing to do, or is it something else, or does it require additional steps?

My general go to is

PasswordAuthentication no
PermitRootLogin no

This way you can only sign in through SSH with a non-root user using key-based auth, which means that to become root you first have to sign in as a regular user using a key, then authenticate as root on top of that to be able to do any administrative task.

 

For additional security you can also limit which users are allowed to become root (or use sudo).

 

1 hour ago, The Sergal Dude said:

(but this is a bit overkill in my opinion, if you don't port forward the ssh port to the internet, you have nothing to worry about)

If you want to remotely manage a VPS, SSH needs to be reachable over the internet. SSH is explicitly designed for that. Though for additional security, you can (or rather should) always hide it behind a VPN.

 

If you don't want to set up a VPN, moving SSH to a different port will also greatly cut down on the number of bogus sign-in attempts you get. Just be aware that it doesn't improve security as such. You still want a strong key, no password based auth and prevent root from logging in directly.

Remember to either quote or @mention others, so they are notified of your reply
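A practical caveat on the PasswordAuthentication / PermitRootLogin advice in this post and the one above it, as an added example that is not part of the thread: sshd keeps the first value it reads for each keyword, and Debian 12's stock sshd_config opens with "Include /etc/ssh/sshd_config.d/*.conf", so a vendor drop-in (cloud images commonly ship one that enables password auth) silently overrides a "PasswordAuthentication no" appended to the bottom of the main file. The script below emulates that first-match rule over constructed fixture files in a temp directory; the file names, the "50-cloud-init.conf" drop-in and the "10-hardening.conf" fix are illustrative assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why "PasswordAuthentication no"
# at the bottom of /etc/ssh/sshd_config can fail to take effect: sshd uses
# the FIRST value it reads for a keyword, and the stock Debian 12 config
# begins with "Include /etc/ssh/sshd_config.d/*.conf", so drop-ins win.
# All files below are constructed fixtures in a temp dir. On a real host the
# authoritative check is:
#   sudo sshd -T | grep -Ei '^(passwordauthentication|permitrootlogin) '
set -eu

# effective_value KEYWORD FILE...
# Emulates sshd's first-match rule. Pass files in the order sshd reads them:
# drop-ins in lexical order first (because of the Include), main file last.
# (Match blocks are ignored here; sshd -T handles those for you.)
effective_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    cat "$@" | grep -Eiv '^[[:space:]]*(#|$)' | \
        awk -v k="$key" 'tolower($1) == k { print $2; exit }'
}

# make_fixture: builds a Debian-12-like layout and prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sshd_config.d"
    # Constructed vendor drop-in, like the one many VPS images ship
    printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-cloud-init.conf"
    # Constructed main file: the admin appended hardening at the bottom
    cat > "$dir/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
# ... stock Debian content omitted ...
PasswordAuthentication no
PermitRootLogin no
EOF
    printf '%s\n' "$dir"
}

# password_auth_effective DIR: the value sshd would actually use.
password_auth_effective() {
    effective_value PasswordAuthentication "$1"/sshd_config.d/*.conf "$1/sshd_config"
}

# harden DIR: the fix is a drop-in whose name sorts BEFORE the vendor one,
# so it is read first and its values win.
harden() {
    printf 'PasswordAuthentication no\nPermitRootLogin no\n' \
        > "$1/sshd_config.d/10-hardening.conf"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    echo "before: PasswordAuthentication $(password_auth_effective "$d")"
    harden "$d"
    echo "after:  PasswordAuthentication $(password_auth_effective "$d")"
    rm -rf "$d"
fi
```

Run it with `sh script.sh demo` to see the vendor drop-in win and the earlier-sorting drop-in fix it. On the real host, validate syntax with `sudo sshd -t`, restart sshd from an existing session, and confirm from a second terminal that key login still works and `ssh -o PubkeyAuthentication=no user@host` is refused before closing the first session.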


2 hours ago, Eigenvektor said:

If you want to remotely manage a VPS, SSH needs to be reachable over the internet. SSH is explicitly designed for that.

If the VPS has a user control panel that lets you open a terminal session, I'd just use that. But that's my humble opinion as a mere Windows admin. I've learned my lesson by opening RDP ports and getting my Windows install ransomed. I'm sure SSH is way more secure than RDP though.


2 hours ago, Eigenvektor said:

If you don't want to set up a VPN, moving SSH to a different port will also greatly cut down on the number of bogus sign-in attempts you get. Just be aware that it doesn't improve security as such. You still want a strong key, no password based auth and prevent root from logging in directly.

100% agreed.

 

Granted, in the age of Tailscale, it's hard (for me) to imagine building a real case against setting up a VPN. Not having to open a single port while maintaining access to my entire network remotely has been a godsend for me.

Quote or tag me( @Crunchy Dragon) if you want me to see your reply



5 hours ago, Darkrai said:

set up a user via "adduser --disabled-login username"

One reason for doing so is creating mail users, who can log in to get mail but not get SSH access.

 

But all logins I do with a key, and SSH is also enabled (nftables) for only one IP address.

ad infinitum


31 minutes ago, The Sergal Dude said:

If the VPS has a user control panel that lets you open a terminal session, I'd just use that. But that's my humble opinion as a mere Windows admin. I've learned my lesson by opening RDP ports and getting my Windows install ransomed. I'm sure SSH is way more secure than RDP though.

SSH (Secure Shell) is explicitly designed for use over insecure networks, unlike RDP, which was always intended for local networks.

 

It's way more convenient than using a shell over a web interface. You lose out on the ability to transfer files or port forward if you do that. But as I said, you can hide it behind a VPN as an extra layer of security.


4 hours ago, Eigenvektor said:
PasswordAuthentication no
PermitRootLogin no

If I were to do this, I would need to create a new user with a new SSH key, and then when logged in with that user I could somehow use the existing root SSH key to jump into it?

 

4 hours ago, Eigenvektor said:

moving SSH to a different port will also greatly cut down on the number of bogus sign-in attempts you get.

Sounds sensible. I wonder whether something like Fail2Ban is also a good idea, or whether this is redundant if password login is disabled.

 

2 hours ago, AtomicGlargh said:

sudo -s -u USERNAME

This launches a shell for that user, which I would then be able to su into? When would that shell terminate? On shutdown?
 

49 minutes ago, Eigenvektor said:

It's way more convenient than using a shell over a web interface.

If I use the web terminal I would need to have the password for root (I at least have not seen a way to make it use the SSH key), and as a non-QWERTY user I'll have a stroke as it interprets inputs as QWERTY. That's why I want to use standard SSH from my own terminal.

I am the only one who would SSH into the VPS, but I'd like to run an internet-accessible server client or two on it, which is why I thought doing this extra-user route for the individual client would be sensible to separate everything, and as I'm the only one stepping over root every time, that didn't seem to be a problem to me. If I can make it work with sudo -s -u USERNAME then this should be fine. I'll try it once I am at my PC with the SSH keys again. And I'll probably move the SSH port, because why not. Since I can control the firewall via the VPS's web interface, would just closing the SSH port while I don't intend to log in be a good idea, or just unnecessary hassle with little benefit?

 

But thanks for all the replies!!


You can use screen to run the shell in the background (most distros should have this in their package collections):

screen -S bob     # starts a new screen session named bob and attaches to it (use "screen -dmS bob" to start it detached). It keeps running even if SSH disconnects. To detach, press Ctrl+A then D. To quit, press Ctrl+D (or type exit).

screen -rd bob    # reattaches to the detached session named bob (detaching it elsewhere first if needed)

 

You can then use sudo in the attached shell above to keep running your client.

 

If what you are doing isn't interactive, I'd make a systemd service instead.
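The service-account advice earlier in the thread (run commands as the nologin user with sudo -u, or via systemd with User=) and the systemd suggestion just above, pulled together as an added example that is not from the thread. The account name "gameserver", its paths and the unit name are illustrative assumptions; the unit directives are standard systemd options. The OP's "adduser --disabled-login" user works just as well as the "--system" account created here, since both end up with /usr/sbin/nologin as the shell.

```shell
#!/bin/sh
# Added example, not from the thread. A --disabled-login (or --system) user
# has /usr/sbin/nologin as its shell, so nobody "logs in" as it; root runs
# single commands as that user, and anything long-running goes in a systemd
# unit with User= plus sandboxing. Names and paths are assumptions.
# Nothing touches the live system unless you run it as root with "install".
set -eu

SVC_USER=gameserver                    # assumed account name
SVC_HOME=/var/lib/gameserver           # assumed state dir, owned by SVC_USER
SVC_EXEC=/var/lib/gameserver/start.sh  # assumed server start command

# shell_is_login PASSWD_LINE: returns 0 if the account has an interactive
# shell, 1 if it is nologin/false. Use it to confirm what adduser did:
#   shell_is_login "$(getent passwd gameserver)" && echo "has a shell!"
shell_is_login() {
    case "${1##*:}" in
        */nologin|*/false) return 1 ;;
        *) return 0 ;;
    esac
}

# run_as CMD...: how root runs ONE command as the service user. This does not
# need a login shell on the target account. Equivalent from a sudo-enabled
# admin user: sudo -u gameserver -- CMD. Note that "su gameserver" hits the
# "This account is currently not available." error because su execs the
# account's nologin shell; "su -s /bin/bash - gameserver" bypasses it.
run_as() {
    runuser -u "$SVC_USER" -- "$@"
}

# render_unit: prints a hardened unit. A compromise of the server process is
# confined to SVC_HOME and cannot gain privileges or read other users' data.
render_unit() {
    cat <<EOF
[Unit]
Description=Game server (runs as unprivileged user $SVC_USER)
After=network-online.target
Wants=network-online.target

[Service]
User=$SVC_USER
Group=$SVC_USER
WorkingDirectory=$SVC_HOME
ExecStart=$SVC_EXEC
Restart=on-failure
# Hardening: no setuid/capability gain, read-only / except the state dir,
# no view of /home or /root, private /tmp and /dev, no kernel tunables.
NoNewPrivileges=yes
ProtectSystem=strict
ReadWritePaths=$SVC_HOME
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
CapabilityBoundingSet=
AmbientCapabilities=

[Install]
WantedBy=multi-user.target
EOF
}

if [ "${1:-}" = "install" ]; then
    # Steps root actually runs on Debian: create the account (nologin shell,
    # own group, home = state dir), write the unit, start it.
    id "$SVC_USER" >/dev/null 2>&1 || \
        adduser --system --group --home "$SVC_HOME" --shell /usr/sbin/nologin "$SVC_USER"
    render_unit > /etc/systemd/system/gameserver.service
    systemctl daemon-reload
    systemctl enable --now gameserver.service
    run_as id        # sanity check: prints uid/gid of the service user
fi
```

This answers the "when would that shell terminate?" question from a different angle: with a unit there is no shell to keep alive, systemd supervises the process, restarts it on failure and `journalctl -u gameserver` holds its output. For one-off interactive work as the account, `sudo -s -u gameserver` from the thread also works even though the account's own shell is nologin, because `sudo -s` runs the invoking user's shell, not the target's; `sudo -i -u gameserver` would fail for the same reason `su` does.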


39 minutes ago, Darkrai said:

If I were to do this, I would need to create a new user with a new SSH key, and then when logged in with that user I could somehow use the existing root SSH key to jump into it?

No. You remote into the server using your unprivileged user using this user's SSH key. You then "su" into the root account using a password. It's simply another layer of security. If your private key were ever exposed, the ability to sign in doesn't automatically give the attacker root privileges. And the root password alone does not allow someone to sign in. An attacker would need to gain access to both.

 

39 minutes ago, Darkrai said:

Sounds sensible. I wonder whether something like Fail2Ban is also a good idea, or whether this is redundant if password login is disabled.

The more layers of security, the better. I use both on my server. Though moving to a non-standard port has pretty much rendered f2b redundant. Doesn't hurt to keep it around though, just in case.

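On the Fail2Ban question in this last exchange, an added example that is not from the thread: what a fail2ban-style filter actually does is count pre-auth failures per source IP in the sshd log and act on those above a threshold. The detail worth seeing is that once password auth is off, brute-force traffic no longer appears as "Failed password" lines but as "Invalid user" and "Connection closed by authenticating user ... [preauth]" lines, so a detector that only matches the former sees nothing. The log lines below are constructed sample input in the standard sshd syslog format; the IP addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not from the thread. Fail2ban-style detection: count sshd
# pre-auth failures per source IP and list offenders over a threshold.
# With PasswordAuthentication off, attempts show up as "Invalid user ..." and
# "Connection closed by authenticating user ... [preauth]", not as
# "Failed password ...", so the pattern must cover those forms too.
# SAMPLE_LOG is constructed input; on Debian you would feed
# /var/log/auth.log or `journalctl -u ssh -o short` instead.
set -eu

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:00:01 vps sshd[4101]: Invalid user admin from 203.0.113.7 port 51012
Mar  3 10:00:01 vps sshd[4101]: Connection closed by invalid user admin 203.0.113.7 port 51012 [preauth]
Mar  3 10:00:03 vps sshd[4105]: Invalid user oracle from 203.0.113.7 port 51020
Mar  3 10:00:03 vps sshd[4105]: Connection closed by invalid user oracle 203.0.113.7 port 51020 [preauth]
Mar  3 10:00:04 vps sshd[4109]: Connection closed by authenticating user root 203.0.113.7 port 51031 [preauth]
Mar  3 10:00:05 vps sshd[4112]: Connection closed by authenticating user root 203.0.113.7 port 51033 [preauth]
Mar  3 10:00:09 vps sshd[4120]: Connection closed by authenticating user root 198.51.100.2 port 40010 [preauth]
Mar  3 10:01:00 vps sshd[4130]: Accepted publickey for darkrai from 192.0.2.10 port 33000 ssh2: ED25519 SHA256:aaaa
EOF
)

# failures_by_ip < log : prints "COUNT IP" per source, counting only
# pre-auth failures. "Invalid user" lines are deliberately not matched: each
# is followed by a "Connection closed by invalid user" line for the same
# attempt, and matching both would double-count.
failures_by_ip() {
    awk '
        /sshd\[[0-9]+\]: (Failed password for|Connection closed by (invalid|authenticating) user)/ {
            # the source IP is the token immediately before "port"
            for (i = 2; i <= NF; i++) if ($i == "port") { n[$(i-1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    '
}

# offenders THRESHOLD < log : IPs with at least THRESHOLD failures, sorted.
# This is the set fail2ban would hand to the firewall (nft/iptables) to ban.
offenders() {
    failures_by_ip | awk -v t="$1" '$1 >= t { print $2 }' | sort
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failures_by_ip
    echo "--- would ban (threshold 3):"
    printf '%s\n' "$SAMPLE_LOG" | offenders 3
fi
```

Run with `sh script.sh demo`: 203.0.113.7 accumulates four failures across two usernames and gets listed, 198.51.100.2 with one does not, and the successful publickey login is never counted. This is also why the "redundant once passwords are off" intuition is only half right: the attempts still arrive and still cost connections and log volume; what key-only auth removes is any chance of them succeeding, and a ban or a firewall allow-list (as another reply in this thread does with nftables) removes the noise.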