Transcript from the "Create a User" Lesson
>> Okay, here we are, we're now up to date. We're feeling good. There's no label up here that says you need to reboot your computer. The next thing we're gonna do is we need to create a new user, because right now, we're running as root. And the way you can tell you're running as root is, well, it says root here, clear this.
[00:00:28] So it says root, but the other way you can always tell you're running root is there's an octothorpe right here or a hash sign, whatever you wanna call it. That's a surefire way of you're running as root. We don't wanna run as root. Root does not double-check anything we do.
[00:00:45] Root it's like, okay, you know what you're doing. Root is the highest permission level on an operating system. It allows you to do anything and everything. You wanna rm-rf/, as in delete your directory, it'll let you do that and will not stop you. So we never wanna run things as root.
[00:01:05] If something does require root, that usually means, hey, let's put some thought into it. So the first thing we do after we update our software, we're gonna create a new user. A user that's not root, but has root access. We call root access super user. Usually, and we run the sudo command to say, I'm gonna do this as root for this particular command.
[00:01:29] Sudo stands for super user do. It allows you to run the commands and programs as root. So it allows you to run as root as necessary, but our default is never ever, ever to run as root, ever, ever, ever. It's tempting, cuz you're like I hate sudoing all the time.
[00:01:43] It's such a pain, but it's there for a reason. These are well-trodden paths, so keep it the permissions as minimal as possible do you need to run the programs. So next, we're gonna create a new user, because we don't wanna run as root. So we're gonna create a new user, we're gonna add that user to the pseudo group.
[00:02:02] We're gonna switch that user, and then we're gonna check pseudo-access just to double-check that our user is actually working. Yea, so if you did sync or if you did transfer your names servers over to DigitalOcean, and they still haven't propagated out, it just gonna take a while, that's how it goes.
>> Yeah, [INAUDIBLE].
>> But it can take a few hours, it can take a few seconds. It really varies on the internet, but that's kinda all I can say. That's why we do it pretty early in the class rather than a little bit later. So you probably ran into some interesting things creating a new user, some weird prompts, so let's walk through them.
[00:02:47] So we don't wanna do things as root, very, very dangerous, never do things as root. If you have in the past, you got lucky. [LAUGH] But again, not doing things as root will save you a lot of trouble and pain. So I wanna create a new user. So I'm gonna say adduser, and let's call it jem to keep it simple.
[00:03:05] Give it a password, I keep mine pretty simple here too. For all these values, feel free to fill them in if you want. I'm just gonna hit defaults, information's correct, cool. No, no worries there, you can put room number if you want. I'm not really gonna change anything, I think it's just an artifact of Linux.
[00:03:26] Next thing wanna do is we wanna make sure I can do stuff as root as jem, but only when I want to. So we're gonna add the user Jem to the user sudo group. So to do that, we're gonna use the usermod command. So user modify, so usermod, we're gonna say add -a to the group, capital G to the sudo errs group, super users do, jem.
[00:03:55] Awesome, next thing we're gonna do is we're gonna switch over to jem user. So when I say su, switch user jem. All right, and I'm still in the root, so I can go home if I want, you don't need to. And look, I have my own directory and everything once I create a user.
[00:04:13] So every time you create a user, it creates another directory under slash home slash whomever. Now, we wanna check our sudo access. To do that, there's a lot of ways of doing it, but I like to access the auth log. These are things you normally can't access as a regular user, you can only do as roots.
[00:04:29] So just double-check, we have access. So I'm gonna say sudo cat, remember that dumps the whole file. /var, log and we wanna look at the auth.log. It's gonna ask me for the password, and there we go. So we've confirmed that this user has sudo access. We confirmed that it all works and we have this new user, great.
[00:04:56] So the next thing we wanna do is we wanna disable the root access. We definitely, definitely don't wanna have root open to the public, cuz that's the number one thing. Or let's say, not so good actors want to do is they wanna log in as root. Because, again, once you have root, you can do literally anything.
[00:05:17] There's unrestricted access to the system. But to do that, we're gonna need to create a new way for our user we just created to log in to our system. So in our home directory, we wanna create an authorized key file. And authorized keys is where our public key is gonna sit.
[00:05:34] So that means whenever we log in as now user is gonna check to the public key. And then it's gonna authenticate against my private key, that's gonna allow me to log in as a different user entirely. There's a lot of different ways of doing this. This is probably the most simple way, so let's do that together.
[00:05:50] So I'm gonna switch to my home directory, it's clear. So let's create this directory if it doesn't exist, ls-la. I don't see a.ssh directory, so let's make one, mkdir.ssh. Now, we can cd into that, and we're gonna create an authorized key file. So there's different ways of doing this.
[00:06:19] We'll just touch it for now, Rather than vi, because we don't have the key yet. That way we can switch over to a new terminal without having to exit out authorized keys. Sure I spell that right? ls, okay. So the next thing we need to do is we need to put our public key into the authorized key file.
[00:06:50] So there's different ways of doing this. I'm gonna do this the long way, that's probably the way you're at. You're also welcome to open up a new terminal, get your public key and paste it back in, but I'm gonna do this the longer way. So I'm gonna exit.
[00:07:03] And notice, I didn't exit the server, because I actually just created a new shell whenever I switch user. I just created a new shell with that new user. So when I exit, I'm just jumping back to the shell I logged in originally, so I need to exit again.
[00:07:16] Next, I wanna cat that public key. So that's those full stack, front end, pub, and I'm just gonna copy this. There is a command to just do this all at once and I used to teach that, but it's so long and so verbose. It's not really saying anything.
[00:07:37] This is probably more of the default way. You usually don't exit the server and paste things back in, but it's okay for the course's class. So now that I have my key, I'm just gonna log back in as root, cuz we're still don't have the login for jem, my new user yet.
[00:07:51] Let's switch back over to jem just, because I don't like being roots. cd, and then we're gonna edit that authorized key file. Ssh authorized keys, I'm gonna insert. I'm just gonna paste that in, and then I'm gonna right quit. All right, so now, let's test it out. Let's see if it worked.
[00:08:13] So we're gonna exit, we're gonna exit again. So this time, I'm gonna ssh, but I'm gonna use my new user instead of roots. Let's see if this worked. Hey, there we go, not bad, not bad at all. And if that didn't work, one double-check you created, you spelled authorized keys correctly, it's kind of a longer file name.
[00:08:44] Double-check, you copy and pasted your public key and not your private one. You'll notice it's the private one, cuz the private one is substantially longer than your public one. And then make sure you exit in, and make sure you're trying to log in with your new username at your IP address.
>> I guess it's kinda obvious here, but the ssh key, you can even have it associated with as many users as you want on the server. It's purely that you're connecting from this my laptop. It's giving me access to the server with whatever user I want as long as I've added the public key to the user on the server.
>> Yeah, exactly right. The question was, aren't ssh keys tied to users or your computer? They're mostly tied to your computer. You can use one ssh key to do everything. Use the same one for GitHub, use the same one for your computer, use the same one for anything, totally up to you.
[00:09:49] I'm not against that, ssh is usually pretty secure. I don't think you need an ssh key for every single instance, but it's up to you. You can make it complex, you can make it simple. But in general, it's usually a pretty safe way of doing things.