Secure Ubuntu Server: Step-by-Step Guide to Creating a New User on Digital Ocean

Lois Bassey
6 min read

It is not just recommended but essential to create a user separate from the default root user when you provision a new Digital Ocean droplet. Why? Because root is both all-powerful and universally known.

Every attacker scanning the internet already knows the root account exists, so it is the first target of credential-guessing attempts, and any mistake or compromise in a root session has no safety net. A separate user account with administrative privileges (membership of the sudo group) lets you log in as a named, lower-privileged identity, escalate only when a task needs it, keep an audit trail of who did what, and later disable remote root login altogether. That is why creating one is a crucial first step toward hardening your server.

Now that we’ve established the significance of creating a new user for your Digital Ocean droplet, let’s walk through the process of creating a new user with administrative rights on your Ubuntu-based Digital Ocean droplet.

Step One: Accessing Your Digital Ocean Droplet

To begin, log in to your Digital Ocean account and navigate to the Droplets section. Locate the droplet to which you want to add a new user. Once you have selected it, click the 'Access' option on the left-hand side of the page, then click the 'Launch Droplet Console' button.

A terminal opens in a new browser tab, logged in as root. From here you will run the commands that create the new user and give it administrative privileges.

Step Two: Running Terminal Commands

In the console, which is already running as root, execute the following commands:

adduser username
usermod -aG sudo username

Replace username with the name for the new user. It should be lower case, start with a letter and contain only letters, digits, hyphens and underscores, which is what adduser accepts by default. adduser prompts for a password (choose a strong one; it is what sudo will ask for) and for optional details such as full name, room and phone number, which you can leave blank by pressing Enter. adduser alone creates a regular, unprivileged account; the second command adds it to the sudo group, which on Ubuntu is what makes the account administrative. (Prefixing the commands with sudo, as the original instructions did, is redundant while you are root but harmless.)

Step Three: Verifying the Successful Creation of the User

To verify that the user exists, run the command

cat /etc/passwd

This prints every account on the system, one per line, in the form name:x:UID:GID:comment:home:shell. Find the line that starts with the username you chose; for a freshly created user on Ubuntu it looks something like username:x:1000:1000:,,,:/home/username:/bin/bash. Check that the UID is 1000 or above (system accounts use lower numbers), that the home directory is /home/username and that the shell is /bin/bash rather than /usr/sbin/nologin.
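Steps Two and Three as one script, added here as an example and not part of the original article. It wraps the two commands above, rejects usernames adduser would refuse, and verifies the result by reading the user's own passwd and group entries rather than scanning all of /etc/passwd by eye. The passwd and group file paths are parameters so the checks can be run against copies; username is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original article). Creates a non-root
# administrative user on an Ubuntu droplet and verifies the result.
# Run create_admin_user as root; the verification functions read any
# passwd/group file so they can also be exercised on copies.
set -eu

# adduser's default NAME_REGEX: a lower-case letter, then lower-case
# letters, digits, underscore or hyphen. Rejects "Admin", "lois bassey", etc.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z][-a-z0-9_]*$'
}

# Create the user (password prompt only, no name/room/phone prompts) and put
# it in the sudo group. On Ubuntu, sudo-group membership is what makes the
# account administrative; adduser on its own does not grant it.
create_admin_user() {
    name="$1"
    valid_username "$name" || { echo "bad username: $name" >&2; return 1; }
    adduser --gecos "" "$name"
    usermod -aG sudo "$name"
}

# user_home <name> <passwd_file>: print the home directory (6th field) of
# the user's entry, or fail if the user does not exist.
user_home() {
    awk -F: -v u="$1" '$1 == u { print $6; f = 1 } END { exit !f }' "$2"
}

# user_uid <name> <passwd_file>: print the numeric UID (3rd field).
user_uid() {
    awk -F: -v u="$1" '$1 == u { print $3; f = 1 } END { exit !f }' "$2"
}

# in_sudo_group <name> <group_file>: succeed if the user is listed in the
# sudo group's member list (4th field, comma separated).
in_sudo_group() {
    awk -F: -v u="$1" '
        $1 == "sudo" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$2"
}

# verify_admin_user <name> [passwd_file] [group_file]: all three checks.
# A regular user has a UID of 1000 or more; system accounts sit below that.
verify_admin_user() {
    name="$1"; pw="${2:-/etc/passwd}"; gr="${3:-/etc/group}"
    home=$(user_home "$name" "$pw") || { echo "$name: no passwd entry" >&2; return 1; }
    uid=$(user_uid "$name" "$pw")
    [ "$uid" -ge 1000 ] || { echo "$name: uid $uid is a system account" >&2; return 1; }
    in_sudo_group "$name" "$gr" || { echo "$name: not in sudo group" >&2; return 1; }
    echo "$name: uid=$uid home=$home sudo=yes"
}

# On the droplet, as root:
#   create_admin_user username && verify_admin_user username
# (getent passwd username and id username show the same information.)
```

The verification deliberately fails for root and for system accounts: an "administrative user" that turns out to be UID 0 or a daemon account defeats the purpose of this guide.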

Understanding the adduser Command

Now that you've run adduser username to create a new user, let's take a moment to look at what actually happens behind the scenes when adduser runs on Ubuntu. Here's a breakdown of what it does:

  1. User And Group Creation:

    A new user and a matching private group, both named username, are created with the next free UID and GID at or above 1000, so the account is a regular (non-system) user.

  2. Home Directory:

    The home directory is created at /home/username and populated from /etc/skel (shell dotfiles such as .bashrc and .profile). On logging in, the user lands in /home/username. Note that adduser does not create /home/username/.ssh or an authorized_keys file; those are created by hand in the steps that follow.

  3. Password And Account Information:

    You are prompted for a password and for optional "finger" details (full name, room, phone). The password is needed for sudo and for console logins, but it should not be used for remote SSH logins: that requires PasswordAuthentication yes in /etc/ssh/sshd_config, which exposes the account to online brute-force attempts. Prefer SSH key authentication, which is set up below.

  4. Ownership And Permissions:

    The home directory is owned by the new user and group, with the mode given by DIR_MODE in /etc/adduser.conf (0750 on current Ubuntu releases, so other users cannot read it). Nothing is done for .ssh; its permissions are set in Step Nine.

  5. No Administrative Rights By Itself:

    adduser grants no privileges. The account becomes administrative only when it is a member of the sudo group, which is why Step Two adds it with usermod.

Now, let's return to the practical steps to verify the successful creation of your new user.

Step Four: Accessing the New User's Terminal Via Digital Ocean's Droplet UI

To open a console as the new user, return to the droplet's Access panel, enter the new username in place of root, and click 'Launch Droplet Console' as before. This time the console logs you in as the new user rather than root. To confirm that the account and its home directory are in place, run the following commands in the console:

echo $HOME

This prints the user's home directory, which should be /home/username.

echo $PWD

This prints the directory you are currently in. A login shell starts in the home directory, so this should also be /home/username (not /home).

Step Five: Generating SSH Keys For The New User's Remote Access To The Droplet

Open a terminal on your local machine (not the droplet) and run:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Replace "your_email@example.com" with your email address; the -C value is only a comment that helps you recognise the key later. ssh-keygen asks where to save the key (by default ~/.ssh/id_rsa for the private key and ~/.ssh/id_rsa.pub for the public key) and then for a passphrase. Give the file a distinct name if you already have an id_rsa pair or want one key per server, and do set a passphrase: it encrypts the private key on disk, so a copied file is not immediately usable. The private key never leaves your machine; only the .pub file goes to the droplet.

Step Six: Manually Copy The Public Key

On your local machine:

cat ~/.ssh/ssh-key-name.pub

Replace ssh-key-name with the name you gave the key in Step Five (id_rsa if you accepted the default). This prints the public key as a single line beginning with ssh-rsa. Select the whole line and copy it (Ctrl+Shift+C in most Linux terminals, Cmd+C on macOS). Make sure you are copying the .pub file: the file without the extension is the private key and must never be pasted onto the server.

Step Seven: Edit The New User's authorized_keys File Using Vim

Return to the droplet's console and make sure you are logged in as the new user (Step Four). adduser does not create the .ssh directory, and Vim cannot save a file into a directory that does not exist, so create it first:

mkdir -p ~/.ssh

Then open the authorized_keys file in Vim:

vim ~/.ssh/authorized_keys

Once the file is open, press i to enter insert mode. Paste the public key you copied in Step Six using the console's paste shortcut (Ctrl+V in the browser-based droplet console; in a Linux terminal emulator it is usually Ctrl+Shift+V, since inside Vim Ctrl+V is the literal-insert command and will not paste). The key must end up on a single line with no line breaks, one key per line.

Step Eight: Save And Exit Vim For New User

Finally, after pasting the content, press Esc to exit insert mode in vim. Then type :wq and press Enter to save the changes and exit vim.

Step Nine: Check The New User's SSH Directory And File Permissions

sshd checks ownership and permissions before it trusts a key (the StrictModes setting, on by default): the .ssh directory should be 700 (drwx------) and the authorized_keys file 600 (-rw-------), both owned by the user, and the home directory itself must not be writable by group or others. If any of these is wrong, sshd silently ignores authorized_keys and you are prompted for a password instead.

To set the permissions, run the following commands:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
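Steps Seven to Nine as one script to run on the droplet as the new user, added here as an example and not part of the original article. It does what the editor session does, but checks that what you paste is actually a public-key line (pasting the private key, or a key broken across lines, is the usual mistake), creates ~/.ssh because adduser does not, skips keys that are already present, and sets the modes StrictModes requires. The key material in the usage comment is a placeholder, not a real key; stat -c assumes Linux coreutils. (ssh-copy-id does the same job from the local machine, but only when you can already log in as the user with a password, which this guide avoids.)

```shell
#!/bin/sh
# Added example (not from the original article). Steps Five to Nine, done on
# the droplet as the new user, without the editor: creates ~/.ssh (adduser
# does not), appends the public key only if it is not already there, and
# sets the modes sshd's StrictModes check requires. Assumes Linux coreutils.
set -eu

# is_pubkey_line <line>: accept a single OpenSSH public-key line of the form
# "<type> <base64> [comment]". Rejects private-key material and fragments.
is_pubkey_line() {
    case "$1" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*|"sk-ssh-ed25519@openssh.com "*) ;;
        *) return 1 ;;
    esac
    b64=$(printf '%s\n' "$1" | awk '{ print $2 }')
    printf '%s\n' "$b64" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# install_pubkey <home_dir> <pubkey_line>: idempotent version of Steps Seven
# to Nine. Two entries count as the same key when type and key material
# match, so re-running with a different comment does not add a duplicate.
install_pubkey() {
    sshdir="$1/.ssh"; ak="$sshdir/authorized_keys"
    is_pubkey_line "$2" || { echo "refusing: not an OpenSSH public key line" >&2; return 1; }
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"            # drwx------
    touch "$ak"
    chmod 600 "$ak"                # -rw-------
    keyid=$(printf '%s\n' "$2" | awk '{ print $1 " " $2 }')
    if ! awk '{ print $1 " " $2 }' "$ak" | grep -qxF "$keyid"; then
        printf '%s\n' "$2" >> "$ak"
    fi
}

# perms_ok <home_dir>: the modes sshd accepts. Also refuses a home directory
# that group or others can write to, which StrictModes rejects as well.
perms_ok() {
    case "$(stat -c %A "$1")" in d????w*|d???????w*) return 1 ;; esac
    [ "$(stat -c %a "$1/.ssh")" = 700 ] &&
    [ "$(stat -c %a "$1/.ssh/authorized_keys")" = 600 ]
}

# count_keys <home_dir>: number of key lines currently authorised.
count_keys() {
    grep -c '^[a-z]' "$1/.ssh/authorized_keys" || true
}

# On the droplet, as the new user, with the .pub line from Step Six pasted
# in place of the placeholder:
#   install_pubkey "$HOME" 'ssh-ed25519 AAAA...placeholder... lois@laptop' && perms_ok "$HOME"
```

If perms_ok fails after a manual edit, the usual cause is a home directory that was made group- or world-writable at some point; sshd treats that as a sign the authorized_keys file could have been planted by someone else.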

Step Ten: Logging In Via SSH As The New User

Up to this point we have reached the droplet through Digital Ocean's browser console; now let's connect over SSH as the new user. Keep the root console open until this works, so you can still fix the key or the permissions if the login fails.

To log in with the new user's key, run the following on your local machine:

ssh username@server_ip

Replace username with the account you created and server_ip with the droplet's IP address or DNS name. With no -i option the ssh client tries the default key files in ~/.ssh (id_rsa, id_ecdsa, id_ed25519 and others), so this works if you accepted ssh-keygen's default file name.

If you saved the key under a different name, point ssh at the private key explicitly:

ssh -i /path/to/private_key username@server_ip

Replace /path/to/private_key with the path to your private key file (the one without .pub). You will be asked for the key's passphrase, not the account password; type it at the prompt and you should be logged in. If you are instead prompted for the user's password, the key was not accepted: check that authorized_keys holds the whole public key on one line and that the permissions from Step Nine are in place. Running ssh with -v shows which keys it offered and why the server rejected them.
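Once key-based login works, the setting flagged in the adduser breakdown can be locked down. As an added example (not from the original article), the script below writes a drop-in that disables remote root login and password authentication, syntax-checks it, reloads sshd and then checks the effective configuration rather than just the file it wrote. It assumes an Ubuntu sshd_config that begins with Include /etc/ssh/sshd_config.d/*.conf (the stock file on recent releases does) and that the service is called ssh; the drop-in file name is our choice. Because sshd uses the first value it reads for each directive, a low-numbered drop-in wins over later drop-ins and over sshd_config itself. Run it with sudo from your working SSH session as the new user, and keep that session open.

```shell
#!/bin/sh
# Added example (not from the original article). After key login as the new
# user has been confirmed, turn off remote root login and password
# authentication via a drop-in file, then verify what sshd actually applies.
# Assumes Ubuntu's stock sshd_config (Include .../sshd_config.d/*.conf) and
# the ssh.service unit name; the drop-in file name is our choice.
set -eu

DROPIN=/etc/ssh/sshd_config.d/10-hardening.conf

# weak_settings <file>: read "sshd -T" style output (lower-case keyword,
# then value) and print each directive that is still in a weak state.
# Prints nothing when the effective configuration is what we want.
# PermitRootLogin's default "prohibit-password" still allows root by key,
# so anything other than "no" is reported.
weak_settings() {
    awk '
        $1 == "permitrootlogin"        && $2 != "no"  { print "PermitRootLogin " $2 }
        $1 == "passwordauthentication" && $2 == "yes" { print "PasswordAuthentication yes" }
        $1 == "pubkeyauthentication"   && $2 == "no"  { print "PubkeyAuthentication no" }
    ' "$1"
}

# harden_sshd: write the drop-in, syntax-check it, reload (existing sessions
# survive a reload) and then audit the effective configuration.
harden_sshd() {
    cat > "$DROPIN" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
    sshd -t                        # refuse to reload a broken config
    systemctl reload ssh
    eff=$(mktemp)
    sshd -T > "$eff"               # effective values after all Includes
    weak=$(weak_settings "$eff")
    rm -f "$eff"
    if [ -n "$weak" ]; then
        echo "still weak after reload:" >&2
        echo "$weak" >&2
        return 1
    fi
    echo "sshd hardened: remote root login and password authentication are off"
}

# As the new user, from a session that already logged in by key:
#   sudo sh -c '. ./harden.sh; harden_sshd'
```

Before closing your session, open a second terminal and confirm that ssh root@server_ip is refused and that ssh username@server_ip still succeeds with the key; only then is it safe to stop relying on the browser console.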

In wrapping up, creating a separate, sudo-enabled user on your Digital Ocean droplet and giving it key-based SSH access is a fundamental step in securing the server and managing remote access. With the steps above in place, you no longer need to expose the root account to the network at all.

If you found this article insightful or helpful, please do not forget to show your support! Please like, share, and comment on this article to spread it further. 💜
