*Cube-Host– full cloud services!!

get a consultation
WhatsApp Telegram
EN

User configuration and management in Linux VPS

User configuration and management in Linux VPS

Proper user management is one of the most important “production basics” for a Linux VPS. The goal is simple: avoid working as root, use role-based access, enforce strong authentication, and keep permissions predictable for teamwork and deployments.

This guide covers creating users, managing groups, issuing minimal sudo rights, password policies, SSH key access, shared directories (setgid/ACL), and a safe offboarding procedure. Start with a clean and stable Linux VPS to keep access control consistent from day one.

Basic Account Model (1 Minute of Theory)

  • Users: /etc/passwd (UID, GID, shell, home directory).
  • Password hashes: /etc/shadow (root-only access).
  • Groups: /etc/group (GID and members).
  • Home directories: typically /home/<user>, default skeleton: /etc/skel.

Tip: most distributions use UIDs ≥ 1000 for human users, and smaller UIDs for system/service accounts.

Creating a User

1) Convenient adduser wizard (Debian/Ubuntu)

sudo adduser alice
sudo usermod -aG sudo alice

Verify sudo rights (you’ll be asked for Alice’s password):

su - alice
sudo -v
sudo whoami
Creating a user with adduser on Linux VPS

2) “Low-level” via useradd (universal)

sudo useradd -m -s /bin/bash bob
sudo passwd bob

Custom home directory + permissions

Useful when you keep project users in /srv or a separate disk/volume.

sudo useradd -m -d /srv/users/charlie -s /bin/bash charlie
sudo passwd charlie

# Ensure strict permissions (example: only user + group can read)
sudo chown -R charlie:charlie /srv/users/charlie
sudo chmod 750 /srv/users/charlie
Useradd with custom home directory on Linux VPS

Verification:

id alice
getent passwd alice
ls -la /home/alice
sudo -l -U alice

Groups and Roles

Groups are the cleanest way to manage access. Avoid giving everyone “full sudo” — use role groups whenever possible.

Adding to additional groups

# Add user to a group (example: docker)
sudo usermod -aG docker alice

# Show groups
groups alice
id alice

Removing from a group

sudo gpasswd -d alice docker

Role group for a project/service

sudo groupadd webadmins
sudo usermod -aG webadmins alice
sudo usermod -aG webadmins bob

Secure sudo (via visudo and /etc/sudoers.d)

Edit sudo rules only via visudo — it validates syntax and prevents “bricking” admin access.

Full sudo (like the sudo group)

sudo visudo

Example rule (do not duplicate if your distro already uses %sudo or %wheel):

%sudo   ALL=(ALL:ALL) ALL

Minimum privileges (example for nginx)

Create a dedicated sudoers file for the role group. Use absolute paths only.

sudo visudo -f /etc/sudoers.d/webadmins

Example content:

# Allow only safe, specific commands (example)
%webadmins ALL=(root) NOPASSWD: /usr/sbin/nginx -t, /bin/systemctl reload nginx

# Recommendation: avoid NOPASSWD unless automation truly requires it
Minimal sudo rules via /etc/sudoers.d on Linux VPS

Best practice: grant permissions through groups whenever possible (%webadmins ...), then add/remove users from the group to manage access.

Password Policy (Aging) and Complexity

Individual terms via chage

# Show current policy
sudo chage -l alice

# Example: max 90 days, min 1 day, warn 14 days before expiry
sudo chage -M 90 -m 1 -W 14 alice

Defaults for new users (login.defs)

sudo nano /etc/login.defs

Example baseline values:

PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   14

Password complexity (PAM, Ubuntu/Debian)

Install and configure password quality rules (test carefully on production systems).

sudo apt update
sudo apt install -y libpam-pwquality

Edit /etc/pam.d/common-password and add/adjust pam_pwquality parameters. Example:

password requisite pam_pwquality.so retry=3 minlen=14 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1

SSH Keys and SSH Restrictions

Add a public key to a user

sudo -u alice mkdir -p /home/alice/.ssh
sudo -u alice chmod 700 /home/alice/.ssh

# Add the public key (replace with your actual key)
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... yourkey" | sudo tee -a /home/alice/.ssh/authorized_keys >/dev/null

sudo -u alice chmod 600 /home/alice/.ssh/authorized_keys
Adding SSH public key to a Linux user on VPS

Restrict access in sshd_config

Hardening baseline: disable password auth, disable root login, and restrict SSH to a dedicated group.

sudo groupadd sshusers || true
sudo usermod -aG sshusers alice

sudo nano /etc/ssh/sshd_config

Example directives:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers

Reload SSH (Ubuntu/Debian):

sudo sshd -t
sudo systemctl reload ssh

Critical: verify key-based login works before disabling passwords, otherwise you may lose access.

“Technical” user without shell

Use a no-shell account for services and automation (reduces risk if credentials are exposed).

# Create a service user without interactive shell
sudo useradd -r -m -s /usr/sbin/nologin svcdeploy

# Lock password login (key-based only if needed)
sudo passwd -l svcdeploy

Collaborative Work in a Directory (Group + ACL)

setgid on the project directory (group inheritance)

With setgid, new files inherit the directory group automatically — very useful for team work.

sudo groupadd project || true
sudo mkdir -p /srv/project
sudo chown -R root:project /srv/project

# 2 in 2775 enables setgid bit
sudo chmod 2775 /srv/project

# Add users to the project group
sudo usermod -aG project alice
sudo usermod -aG project bob

Point ACLs (if rights beyond the standard are required)

ACL allows fine-grained permissions and default rules for newly created files.

sudo apt install -y acl || true

# Grant rwx to group on the directory (and set default ACL for new files)
sudo setfacl -m g:project:rwx /srv/project
sudo setfacl -d -m g:project:rwx /srv/project

# Check ACL
getfacl /srv/project

Audit and Debugging of Logins

When multiple admins work on the same VPS, basic auditing helps track access and diagnose issues fast.

# Recent logins
last -a | head -n 20

# Last login per user
lastlog | head -n 20

# SSH logs (Ubuntu/Debian)
sudo tail -n 200 /var/log/auth.log

# Systemd-based view (often works everywhere)
sudo journalctl -u ssh --since "today" | tail -n 100 || true
sudo journalctl -u sshd --since "today" | tail -n 100 || true

Blocking and Deleting Accounts (Offboarding)

A safe offboarding flow is: lock → stop sessions → backup → remove. This prevents surprises and preserves data when needed.

# 1) Lock password (prevents password auth)
sudo passwd -l alice

# 2) Disable shell (prevents interactive login if it’s still allowed)
sudo usermod -s /usr/sbin/nologin alice

# 3) Kill running processes (optional)
sudo pkill -u alice || true

# 4) Backup home directory (optional but recommended)
sudo tar -czf /root/alice-home-$(date +%F).tar.gz /home/alice

# 5) Remove user and home directory (final step)
sudo userdel -r alice

Production Readiness Checklist

  • User created, home directory and shell are correct, SSH key added.
  • Role-based groups assigned (sudo/adm/www-data/docker/… as required).
  • Sudo rules issued via /etc/sudoers.d with minimal privileges.
  • Password policy is set (chage/login.defs/PAM where needed).
  • SSH hardening: passwords disabled, root login disabled, access restricted by AllowGroups if used.
  • Shared directories use group + setgid, and ACL where needed.
  • There is an offboarding procedure (lock → kill → backup → remove).

Build a Clean Access Model on Your Linux VPS

Role-based access and clean user management make servers easier to operate and safer in production. Deploy a reliable Linux VPS, then set users, groups, sudo rules, and SSH access properly from day one.

Prev

More articles:

Menu