Use Cloud-Init to Manage Users on New Servers
Traducciones al EspañolEstamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
Cloud-init is an industry-standard solution for automating server deployments, with support across platforms and distributions. Combining platform metadata with custom user data scripts, cloud-init can vastly simplify the process of initializing new servers.
With Akamai’s Metadata service, you can leverage cloud-init to deploy Compute Instances. A cloud-config user data script can define everything you need to initialize instances, from security and user set up to software installation and shell scripts.
This guide details how to start working with users as part of your cloud-init deployments. Read on for cloud-config scripts to provision users, add SSH keys, and disable remote root access.
Before getting started, you should review our guide on how to Use Cloud-Init to Automatically Configure and Secure Your Servers. There, you can see how to create a cloud-config file, which you need to follow the present guide. When you are ready to deploy your cloud-config, the guide linked above shows how.
Create User
Within a cloud-config script, the users option handles user creation and most features for managing users. At its simplest, the option can work with as little as a default item, ensuring that cloud-init creates the default user. Whatever other users you add, it is recommended that you keep an entry for the default user as well.
- File: cloud-config.yaml
1 2users: - default
To create an additional user, add another item to the list with at least a name field defining the username. For instance, to create an example-user, you can use a configuration like this one.
- File: cloud-config.yaml
1 2 3users: - default - name: example-user
The cloud-init process sets up the user with a range of defaults, like a home directory and user group. However, you typically want to take a bit more control of the user creation, especially if you intend to access the user over SSH. Further sections cover features like assigning groups (including sudo access) and adding SSH keys to users. In the example below, and the accompanying breakdown, are some additional useful options for managing new users.
- File: cloud-config.yaml
1 2 3 4 5 6 7users: - default - name: example-user gecos: Example User,600-700-8090 shell: /bin/bash lock_passwd: false passwd: <PASSWORD_HASH>
This creates a basic user, accessible by a username and password. Here is an explanation of what each part of the example does:
name: Defines the username for the user. This field is required.gecos: Provides a comment on the user. This is where you can enter GECOS information for the user, such as real name and contact details Each piece of information should be separated by commas.shell: Points to a shell for the user. While not required, the user’s shell may behave unexpectedly if you do not explicitly provide this field.lock_passwd: Whether to disable password logins for the user. The default istrueas it is recommended to use SSH access instead. This is because, in addition to SSH keys generally being more secure, the password hash is included in the cloud-config, making it more difficult to secure.passwd: Defines the password for the user as a password hash. To login with the user using this password, thelock_passwdoption needs to be set tofalse. You can generate a password hash with the following command:mkpasswd --method=SHA-512 --rounds=4096Note The configuration does support aplain_text_passwdoption, where you can set a user password from plain text, rather than a hash. However, you should not use this option in a production environment, as the password becomes even more vulnerable to exposure.
For the full range of user configuration options, see cloud-init’s Users and Groups module reference documentation.
Manage and Assign Groups
Your cloud-config script can manage user groups either independently using the groups option or within a users entry. The groups option gives you more control of groups themselves and allows you to add existing users, like the default root user, to new groups.
Under groups, you have a list of groups to be added to the system. Just listing the name of a group, like user-group below, creates an empty group. Adding a list of usernames below a group name, as with admin-group below, initializes the system with those users belonging to the group.
- File: cloud-config.yaml
1 2 3 4groups: - admin-group: - root - user-group
Cloud-config also supports a groups option within each users entry. Using this groups option provides a more user-centered approach, allowing you to create and assign groups on a user-by-user basis. In the example below, a new example-group group is created along with the user, and the user is assigned to that group.
- File: cloud-config.yaml
1 2 3 4users: - name: example-user groups: - example-group
By default, cloud-init creates and assigns each user to a self-named user group. So the user above, example-user, actually belongs to two groups: example-user and example-group. You can set no_user_group: true on the user to not create the default example-user group.
Assigning Sudo Access
Cloud-init controls sudo access on users primarily through the sudo option. This option takes a list of sudo rule strings, just they appear in the sudoers file. You can learn more about sudo access and sudo rules in the appropriate sections of our
Linux Users and Groups guide.
In the example below, a new example-user is created and given sudo access. The one rule applied allows the user to run any command as sudo after entering the user’s password. This example also adds the user to the sudo user group.
- File: cloud-config.yaml
1 2 3 4 5 6users: - name: example-user groups: - sudo sudo: - ALL=(ALL:ALL) ALL
Alternatively, you can use the following sudoers rule to permit sudo access without password entry. This is useful for users that you have set up SSH key access on, but have not provided a password for.
- File: cloud-config.yaml
1 2 3... sudo: - ALL=(ALL) NOPASSWD:ALL
Add an SSH Key to a User
Using the ssh_authorized_keys option, you can authorize a list of SSH public keys for accessing a user remotely. Doing so provides a more secure authorization route than passwords, and so it is recommended over password configuration.
If you do not have an SSH key pair yet, get one by following the relevant section of our guide on how to Use SSH Public Key Authentication.
Once you have the SSH key pair, you can add your SSH public key to the ssh_authorized_keys list in the user configuration. In this example, example-user has authorized access from two SSH keys:
- File: cloud-config.yaml
1 2 3 4 5 6users: - name: example-user shell: /bin/bash ssh_authorized_keys: - <SSH_PUBLIC_KEY_FIRST> - <SSH_PUBLIC_KEY_SECOND>
With this set up, a machine with the matching SSH private key (typically where you generated the key pair) can access example-user over SSH. The SSH key provides the authentication, and does so more securely than manual password entry.
Disable Root User
From a security perspective, it is generally advisable to disable root login via SSH. This limits the exposure of your root user and the possibility of your system being accessed with full root privileges.
To disable root access over SSH, you need to modify the SSH configuration file and restart your system’s SSH service. All of this can be done with a series of shell commands, which cloud-config takes in the runcmd option. The example below uses three commands to modify the SSH service configuration:
The
sedcommand removes anyPermitRootLoginline already in the configuration file. Any existing setting is thus removed, and this bypasses more complicated commands that try to identify commented-out settings.The
echocommand adds a newPermitRootLoginsetting to the configuration file, with a value ofnoto disable root logins.The
systemctlcommand restarts the SSH service to ensure the setting takes effect immediately.
- File: cloud-config.yaml
1 2 3 4runcmd: - sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config - echo "PermitRootLogin no" >> /etc/ssh/sshd_config - systemctl restart sshd
Verify User Configuration
Once cloud-init has completed the server’s initialization, verify that your user and group configurations have deployed as intended. For several of the components configured throughout this tutorial, the simplest verification is often just connecting to the given user via SSH.
For instance, if your cloud-config created an example-user with an SSH key, you should be able to connect to the server as that user via SSH. Replace 192.0.2.17 below with the deployed servers’ actual IP address.
ssh example-user@192.0.2.17If you disabled remote root access, you should be able to verify that similarly, attempting to access the server as the root user:
ssh root@192.0.2.17To verify in more detail, you can use the getent and groups commands once you have logged into the server. The former, used with the passwd option and the username, provides a summary of a user’s details on the system.
In this example, you can see an entry for an example-user that has a GECOS comment, home directory, and an assigned shell program:
sudo getent passwd example-userexample-user:x:1000:1002:Example User,600-700-8090:/home/example-user:/bin/bashWhat is lacking above is verification of the user’s group. You can get that with the groups command followed by the username. The example below does this for example-user, showing that the user belongs to a self-named user group along with example-group.
sudo groups example-userexample-user : example-user sudo example-groupMore Information
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
This page was originally published on