Error 404 Learning Guide

Accounts and SSH Access

Notes for creating local Linux accounts, checking users and groups, managing passwords, sudo access, SSH access, and SSH key generation.

Use this page when a user account needs to be created, checked, locked, unlocked, prepared for SSH login, or configured with SSH keys.

Safety rule

Before creating or changing an account, check:

1. Am I on the correct server?
2. Is this production or test?
3. Is this a local account or domain/LDAP/AD account?
4. Does the user really need access?
5. Which group or sudo rights are required?
6. Is SSH key access required?
7. Is password login allowed or disabled?
8. Is the system using FIPS mode?
9. Do I have approval?

Do not create accounts or grant sudo access without approval.

Check existing users

Show current user

whoami

Show user ID and groups

id USERNAME

Example:

id randy

Check if user exists

getent passwd USERNAME

Example:

getent passwd randy

List local users

cut -d: -f1 /etc/passwd

Check login shell

getent passwd USERNAME

Example output:

USERNAME:x:1001:1001::/home/USERNAME:/bin/bash

The last field is the login shell.

If the shell is /sbin/nologin or /bin/false, interactive login is blocked.

Create a local user

Create user with home directory

sudo useradd -m USERNAME

Create user with specific shell

sudo useradd -m -s /bin/bash USERNAME

Set password

sudo passwd USERNAME

Force password change at next login

sudo chage -d 0 USERNAME

Delete a local user

Delete user but keep home directory

sudo userdel USERNAME

Delete user and home directory

sudo userdel -r USERNAME

Be careful. This removes the user’s home directory and mail spool.

Lock and unlock accounts

Lock account

sudo usermod -L USERNAME

Unlock account

sudo usermod -U USERNAME

Check account password status

sudo passwd -S USERNAME

Groups

Show groups for a user

id USERNAME

or:

groups USERNAME

Create group

sudo groupadd GROUPNAME

Add user to group

sudo usermod -aG GROUPNAME USERNAME

Example:

sudo usermod -aG wheel USERNAME

The wheel group is commonly used for sudo access on RHEL-based systems.

Remove user from group

sudo gpasswd -d USERNAME GROUPNAME

Sudo access

Check sudo access

As the user:

sudo -l

Add user to wheel group

sudo usermod -aG wheel USERNAME

Verify:

id USERNAME

Check sudoers configuration

sudo visudo -c

Edit sudoers safely

sudo visudo

Do not edit /etc/sudoers directly with normal editors.

Add sudo rule using sudoers.d

Create a file safely:

sudo visudo -f /etc/sudoers.d/USERNAME

Example full sudo rule:

USERNAME ALL=(ALL) ALL

Example command-specific sudo rule:

USERNAME ALL=(ALL) /path/to/command

Be very careful with NOPASSWD.

SSH service basics

Check if SSH service is running

systemctl status sshd

Start SSH service

sudo systemctl start sshd

Enable SSH at boot

sudo systemctl enable sshd

Check SSH is listening

ss -tulpn | grep :22

SSH login test

ssh USERNAME@SERVER_NAME

or:

ssh USERNAME@SERVER_IP

SSH key generation

SSH keys are used to log in without typing a password every time.

An SSH key pair has two parts:

private key = stays on your computer, never share it
public key  = can be copied to the server

Common files:

~/.ssh/id_ed25519      = private key
~/.ssh/id_ed25519.pub  = public key

Never share the private key.

Recommended key type for normal modern systems

Use ed25519 for most modern systems:

ssh-keygen -t ed25519 -C "your_email_or_note"

Example:

ssh-keygen -t ed25519 -C "randy laptop key"

When asked where to save the key, press Enter for the default location:

~/.ssh/id_ed25519

When asked for a passphrase, using one is recommended.

FIPS warning

On RHEL systems running in FIPS mode, Ed25519 keys are not suitable.

Use RSA instead:

ssh-keygen -t rsa -b 4096 -C "your_email_or_note"

Example:

ssh-keygen -t rsa -b 4096 -C "randy laptop key"

Quick rule:

Normal modern system: ed25519 is usually fine
RHEL with FIPS mode: use RSA 4096

Create a key with a custom filename

Useful when you have separate keys for different servers.

ssh-keygen -t ed25519 -f ~/.ssh/server01_ed25519 -C "server01 key"

For FIPS/RSA:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/server01_rsa -C "server01 key"

This creates:

~/.ssh/server01_ed25519
~/.ssh/server01_ed25519.pub

or:

~/.ssh/server01_rsa
~/.ssh/server01_rsa.pub

Show public key

To copy the public key:

cat ~/.ssh/id_ed25519.pub

For a custom key:

cat ~/.ssh/server01_ed25519.pub

For RSA:

cat ~/.ssh/server01_rsa.pub

Only copy the .pub key to the server.

Add public key to a server user

On the server:

sudo mkdir -p /home/USERNAME/.ssh
sudo nano /home/USERNAME/.ssh/authorized_keys

Paste the user’s public key into authorized_keys.

Public keys usually start with:

ssh-rsa
ssh-ed25519
ecdsa-sha2-nistp256

Never paste a private key here.

Set correct ownership

sudo chown -R USERNAME:USERNAME /home/USERNAME/.ssh

Set correct permissions

sudo chmod 700 /home/USERNAME/.ssh
sudo chmod 600 /home/USERNAME/.ssh/authorized_keys

Verify SSH key login

ssh USERNAME@SERVER_NAME

Copy key with ssh-copy-id

If password SSH login is still allowed, this is easier:

ssh-copy-id USERNAME@SERVER_NAME

Using a specific public key:

ssh-copy-id -i ~/.ssh/server01_ed25519.pub USERNAME@SERVER_NAME

For RSA:

ssh-copy-id -i ~/.ssh/server01_rsa.pub USERNAME@SERVER_NAME

Use a specific SSH key

ssh -i ~/.ssh/server01_ed25519 USERNAME@SERVER_NAME

For RSA:

ssh -i ~/.ssh/server01_rsa USERNAME@SERVER_NAME

SSH config for easier login

Create or edit:

nano ~/.ssh/config

Example:

Host server01
    HostName server01.example.com
    User USERNAME
    IdentityFile ~/.ssh/server01_ed25519

For RSA:

Host server01
    HostName server01.example.com
    User USERNAME
    IdentityFile ~/.ssh/server01_rsa

Then connect with:

ssh server01

Check key permissions on client

Private keys must not be too open.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub

For a custom key:

chmod 600 ~/.ssh/server01_ed25519
chmod 644 ~/.ssh/server01_ed25519.pub

For RSA:

chmod 600 ~/.ssh/server01_rsa
chmod 644 ~/.ssh/server01_rsa.pub

Test SSH key login

ssh -i ~/.ssh/server01_ed25519 USERNAME@SERVER_NAME

Verbose test:

ssh -vvv -i ~/.ssh/server01_ed25519 USERNAME@SERVER_NAME

Use -vvv when troubleshooting. It shows which keys are tried and why login fails.

SSH configuration checks

Main SSH server config

sudo cat /etc/ssh/sshd_config

Sometimes extra configs are in:

ls -lah /etc/ssh/sshd_config.d/

Check SSH config syntax

sudo sshd -t

If no output appears, syntax is usually OK.

Restart SSH service

sudo systemctl restart sshd

Be careful when restarting SSH on a remote server. Keep another session open if possible.

Useful SSH settings to check

PasswordAuthentication
PubkeyAuthentication
PermitRootLogin
AllowUsers
AllowGroups
DenyUsers
DenyGroups
AuthorizedKeysFile

Search config:

sudo grep -Ei "PasswordAuthentication|PubkeyAuthentication|PermitRootLogin|AllowUsers|AllowGroups|DenyUsers|DenyGroups|AuthorizedKeysFile" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* 2>/dev/null

Login troubleshooting

Check user exists

getent passwd USERNAME

Check account status

sudo passwd -S USERNAME

Check shell

getent passwd USERNAME

If shell is /sbin/nologin or /bin/false, interactive login may be blocked.

Check home directory

ls -ld /home/USERNAME

Check .ssh permissions

ls -ld /home/USERNAME/.ssh
ls -l /home/USERNAME/.ssh/authorized_keys

Expected:

/home/USERNAME/.ssh                  700
/home/USERNAME/.ssh/authorized_keys  600

Check SSH logs

journalctl -u sshd -n 100

or:

sudo tail -n 100 /var/log/secure

Search failed SSH logins:

sudo grep -i "failed" /var/log/secure

Common key problems

Wrong public key in authorized_keys
Private key permissions too open
.ssh folder permissions wrong
authorized_keys permissions wrong
Wrong user
Wrong server
Wrong IdentityFile in ~/.ssh/config
Server does not allow PubkeyAuthentication
Account is locked
Home directory ownership is wrong
FIPS system using an unsupported key type

First command set for account/SSH issues

getent passwd USERNAME
id USERNAME
sudo passwd -S USERNAME
ls -ld /home/USERNAME
ls -ld /home/USERNAME/.ssh
ls -l /home/USERNAME/.ssh/authorized_keys
systemctl status sshd
ss -tulpn | grep :22
journalctl -u sshd -n 100
sudo tail -n 100 /var/log/secure

Dangerous actions

Be careful with:

sudo userdel -r USERNAME
sudo usermod -aG wheel USERNAME
editing sudoers
changing SSH config remotely
restarting sshd remotely
locking accounts
deleting home directories
changing ownership recursively on /home
pasting private keys into tickets, chats, or wiki pages

Important notes

Never share private keys.
Never paste private keys into tickets, chats, or wiki pages.
Only share public keys ending in .pub.
Use a passphrase for important keys.
Use separate keys for important environments when possible.
Remove old keys when they are no longer needed.
Use RSA 4096 if FIPS mode is required.

Personal notes

Add sanitized notes here.

Examples:

- User existed but shell was /sbin/nologin.
- SSH key permissions were wrong.
- User was missing from the correct group.
- Account was locked.
- SSH config denied password login.
- Ed25519 key failed because system required FIPS-compatible keys.