Managing users on a cloud server is a routine but essential part of system administration. When working with Oracle Cloud Infrastructure (OCI), there may be times when a user needs to add another person to the instance for development, maintenance, or security audits. Rather than sharing SSH credentials—which is highly discouraged—a more secure approach is to add separate user accounts with their own SSH keys. This article walks through how to add another user via SSH in an Oracle Cloud instance step by step.
TL;DR
To add a new user via SSH on an Oracle Cloud instance, first create the user using the adduser command, set up their SSH directory, then copy their public SSH key to the authorized_keys file. Ensure the correct file permissions are applied and verify that SELinux or firewall settings do not block access. This method ensures that each user has secure, personalized access without compromising the root or main user account.
Understanding the Need for Multiple Users
Creating individual users on an Oracle Cloud instance is beneficial for:
- Security: Limiting each person to their own account enhances traceability and minimizes risk.
- Audit trails: Easily track who made what changes.
- Access management: Quickly enable or disable access by removing specific users without affecting others.
Before diving into commands, ensure that you have:
- SSH access to the instance with sudo privileges.
- The new user’s public SSH key, usually located in their ~/.ssh/id_rsa.pub file.
Step-by-Step Guide to Adding a User via SSH
1. Connect to Your Oracle Cloud Instance
Use SSH to access your instance:
ssh opc@your-instance-public-ip
This assumes your primary user is opc or another user with sudo privileges.
2. Create the New User
Run the following command to add a new user (replace newuser with the actual username):
sudo adduser newuser
This creates a new home directory at /home/newuser and sets default permissions.
3. Set Up the SSH Directory
Now create the SSH key folder in the new user’s home directory and open the authorized_keys file for editing:
sudo mkdir /home/newuser/.ssh
sudo nano /home/newuser/.ssh/authorized_keys
Paste the new user’s public SSH key into the file. After inserting the key, press CTRL+O to save and CTRL+X to exit the editor.
Adjust file ownership and permissions:
sudo chown -R newuser:newuser /home/newuser/.ssh
sudo chmod 700 /home/newuser/.ssh
sudo chmod 600 /home/newuser/.ssh/authorized_keys

4. Verify the New User’s Access
From another terminal (or on the intended user’s machine), try logging in using the private key associated with the public key you just added:
ssh newuser@your-instance-public-ip
If the setup is done correctly, the user should be granted SSH access to the server.
5. Grant Sudo Access (Optional)
If the new user requires administrative privileges, you’ll need to add them to the wheel or sudo group, depending on the Linux distribution used by your Oracle instance.
On Ubuntu or Debian, the sudo group is used:
sudo usermod -aG sudo newuser
For CentOS or Oracle Linux, the wheel group is often used:
sudo usermod -aG wheel newuser
Then, test by having the user run a command like sudo whoami after logging in.
6. Configure SSH Daemon Settings (If Needed)
In some cases, sshd is configured to allow logins only from specific users or groups. To ensure your new user is allowed, check the SSH config file:
sudo nano /etc/ssh/sshd_config
Look for lines like:
AllowUsers opc newuser
If such a line exists, add the new user to it. After modification, restart the SSH service:
sudo systemctl restart sshd
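The key installation from step 3 can also be done without an editor, which avoids wrapped or partial pastes. The script below is an added example, not part of the original guide or any Oracle tooling; install_pubkey is a hypothetical helper name, and it assumes the new user's public key has been saved to a file on the instance.

```bash
#!/bin/sh
# Added example: non-interactive version of step 3 (install one public key).
# install_pubkey is a hypothetical helper name, not an OCI or OpenSSH tool.
# Usage: install_pubkey USER HOME_DIR PUBKEY_FILE   (run with sudo on the instance)
install_pubkey() (   # subshell body: variables stay local, exit leaves only the function
    user=$1 home=$2 keyfile=$3
    umask 077        # nothing is ever created group- or world-readable
    # Accept exactly one non-empty line, so a wrapped or multi-key paste is rejected.
    [ "$(grep -c . "$keyfile")" -eq 1 ] || { echo "expected exactly one key line" >&2; exit 2; }
    key=$(grep . "$keyfile")
    # The line must start with a known OpenSSH public key type followed by a space.
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *|sk-*@openssh.com\ *) ;;
        *) echo "unrecognised key type (is this really a public key?)" >&2; exit 2 ;;
    esac
    mkdir -p "$home/.ssh"
    auth=$home/.ssh/authorized_keys
    touch "$auth"
    # Idempotent: append only if this exact line is not already present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    chmod 700 "$home/.ssh"
    chmod 600 "$auth"
    # Changing ownership needs root; it is skipped when run unprivileged (dry run).
    if [ "$(id -u)" -eq 0 ]; then chown -R "$user:$user" "$home/.ssh"; fi
)
```

Running it a second time with the same key file leaves authorized_keys unchanged, so it is safe to call from a provisioning script.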
Security Recommendations
- Disable password login: Ensure all user access is SSH-key based to prevent brute-force attacks.
- Use SSH key passphrases: Encourage users to protect their private keys with strong passphrases.
- Rotate keys regularly: Especially for users that access production systems.
- Monitor logins: Check /var/log/secure or use tools like fail2ban to track login attempts.
Troubleshooting Common Issues
If a user cannot log in, consider the following checks:
- File permissions: Incorrect .ssh folder or file permissions can prevent SSH access.
- Wrong key format: Ensure the key in authorized_keys is on a single line.
- Firewall blocks: Ensure port 22 is open in Oracle Cloud’s security list or network security group.
- SELinux: If enabled, check context labels with ls -Z and run restorecon if needed:
sudo restorecon -Rv /home/newuser/.ssh
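The permission, ownership and key-format checks above can be run in one pass. This read-only audit is an added example, not part of the original guide; audit_ssh_access is a hypothetical helper name, and the home directory writability check is an assumption based on sshd's StrictModes behaviour rather than something the guide sets.

```bash
#!/bin/sh
# Added example: read-only audit of the login prerequisites from the checklist.
# audit_ssh_access is a hypothetical helper name. Needs a stat that supports -c.
# Usage: audit_ssh_access USER HOME_DIR   -> prints findings, exit status = number found
audit_ssh_access() (   # subshell body keeps variables local to the function
    user=$1 home=$2 auth=$2/.ssh/authorized_keys n=0
    flag() { echo "FAIL: $*"; n=$((n + 1)); }
    # check PATH WANT_MODE: compare octal mode and owner with what step 3 sets.
    check() {
        [ -e "$1" ] || { flag "$1 is missing"; return; }
        mode=$(stat -c %a "$1"); owner=$(stat -c %U "$1")
        [ "$mode" = "$2" ] || flag "$1 has mode $mode, expected $2"
        [ "$owner" = "$user" ] || flag "$1 is owned by $owner, expected $user"
    }
    # Assumption: with StrictModes, a group- or world-writable home blocks key login.
    case $(ls -ld "$home") in
        ?????w*|????????w*) flag "$home is group- or world-writable" ;;
    esac
    check "$home/.ssh" 700
    check "$auth" 600
    # Every entry must begin with a key type; a wrapped paste leaves stray lines.
    # Entries with leading options are flagged too and need a manual look.
    if [ -f "$auth" ]; then
        lineno=0
        while IFS= read -r line || [ -n "$line" ]; do
            lineno=$((lineno + 1))
            case $line in
                ''|'#'*) ;;   # blank line or comment
                ssh-ed25519\ ?*|ssh-rsa\ ?*|ecdsa-sha2-nistp*\ ?*|sk-*@openssh.com\ ?*) ;;
                *) flag "$auth line $lineno does not start with a key type" ;;
            esac
        done < "$auth"
    fi
    exit "$n"
)
```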
Conclusion
Adding another user to an Oracle Cloud instance over SSH is a secure and straightforward process, ideal for shared team environments or managed access. With proper SSH key setup, permissions configuration, and optional sudo privileges, each user can safely operate without risking the integrity of the entire server. This practice promotes better accountability, enhances security, and ensures system stability under collaborative usage.
Frequently Asked Questions (FAQ)
1. Can I simply share my SSH private key with a teammate?
No, it is highly discouraged to share private keys. Always create separate user accounts with their own keys to ensure traceability and security.
2. How can I remove a user later?
Use the command sudo deluser username to remove the user. To also delete their home directory, use sudo deluser --remove-home username.
3. Is it safe to enable sudo access for all users?
No, only grant sudo access to trusted users who need administrative capabilities. Granting it more widely can expose your system to serious risk.
4. What if my user is getting a “Permission Denied” error?
This is commonly caused by incorrect permissions on the .ssh directory or authorized_keys file. Check ownership and permission settings carefully.
5. Can I automate this user creation process?
Yes, you can use shell scripts or configuration management tools like Ansible or Terraform to automate user setup, especially in production environments.
