Groups

Create an additional SSH-login enabled user for your Azure Linux VM without third-party tools

As I am moving forward in my current Linux journey, I recently came into a situation where a second user would have been handy. So I tried a few things to create the new user and allow the new user to only log in via SSH.

What the h*** is SSH?

SSH stands for Secure SHell and is a protocol for logging in to and running commands on a remote machine over an encrypted connection. Authentication is provided by cryptographic key pairs: the server only knows the public key, and the client that wants to connect needs the matching private key. The most popular implementation is OpenSSH, which has been available as an optional feature on Windows 10 since last fall. If you want to learn more about SSH, read the Wikipedia entry as well.

Create the SSH key pair on Windows

Install the OpenSSH client

First, install the OpenSSH client on your Windows machine. Proceed as follows:

  • open the start menu and type ‘apps’
  • select ‘Apps and features’ settings page
  • select ‘Optional features’
  • click on ‘Add a feature’
  • search ‘OpenSSH client’, click on it and ‘Install’

If you are scrolling down the list of installed features, you should find the entry for the OpenSSH client.

Note: If you are not able to install this feature, it may be the right time to update your Windows installation to the latest version.

Create your SSH key pair

If your user profile does not have a folder called ‘.ssh’, it is time to create it now. Type ‘%USERPROFILE%’ in the Windows Explorer’s address bar to get to the right folder immediately and create the folder there.

Now that we have the folder OpenSSH searches for, we are already able to create our new SSH keypair. Open a command prompt and type this:

ssh-keygen -t rsa -b 4096 -C "newuser@machine.com"

This will initiate the keypair creation. The -C parameter is optional and can be anything. You’ll find these keys often created with <user at address> combinations. After OpenSSH has created your keypair in memory, it will ask for a location to save the file. If you do not enter anything, it’ll save it as id_rsa into the .ssh folder created earlier. If you want to save it to another file name, you can do so:

C:\Users\username\.ssh/id_test

Please note that the directory and the file name (without any extension!) are separated by ‘/’, not by ‘\’. If you do not respect this, OpenSSH gives you an error that the file name does not exist. This happens only if you don’t use the default file name. After the files are created, OpenSSH asks you for a passphrase to protect your private key. Nowadays, every single key pair should be passphrase protected (just my 2cts). Once the creation is complete, you’ll see something like this:

Your identification has been saved in C:\Users\msicc\.ssh/id_test.
Your public key has been saved in C:\Users\msicc\.ssh/id_test.pub.
The key fingerprint is:
SHA256:8LK33fWKXMkY5FtcN4uU1v9SyCSUqKNp2T/PurpZCRU newuser@machine.com
The key's randomart image is:
+---[RSA 4096]----+
|          E...   |
|          .o. o  |
|      .  .. o+.oo|
|       oo. oo=.o=|
|      .=S.  o.=.o|
|      =o.. . * o.|
|     .. ..o o * .|
|       . =o+ + o |
|        =o+=* ...|
+----[SHA256]-----+

As you can see, we are able to create SSH keys without any third-party application on Windows. You can now safely close the console window (e.g. by typing ‘exit’).

Deploying the public key to the server

Of course, the whole key pair thing only makes sense if we use it to secure our client/server communication. On Linux, there would be the easy-to-use command ssh-copy-id to deploy the key. Some Windows tutorials show the scp command, but I never got that working with my Azure VM. The only way left was to deploy it manually (which is not that difficult if you know how).

The manual way

After logging in (using Azure CLI), we are going to add a new user to the gang:

sudo useradd -m newuser

This will create a new user and its home directory. If the OS asks you for a password, it is up to you and the OS settings for empty passwords whether to provide one or not. The next step is to add the user to one or more groups if necessary:

sudo usermod -aG sudo newuser

The -aG parameter of the usermod command adds the specified group(s) to the user’s groups table. If you want to add the user to more than one group, separate them with a comma (no whitespace after the comma!).

To make things a little bit easier for us, we are going to log in as the new user:

sudo su newuser

Note: If you want to proceed without logging in as the new user, you’ll need to change ~ to /home/newuser for the following commands.

To make the server accept the SSH key we created earlier for our new user only, we need to create the .ssh folder and the file for allowed keys in the new user’s home directory. Let’s start with the .ssh directory:

sudo mkdir ~/.ssh
sudo chmod 0700 ~/.ssh
sudo chown newuser:newuser ~/.ssh

Let’s break it down. Obviously, the mkdir command creates the .ssh folder. The chmod command with the 0700 parameter gives full access to our new user only (no access for the group or anyone else). Finally, the chown command makes our new user the owner of the directory.

Linux saves the allowed keys in a file called ‘authorized_keys’, so that’s the next thing we are going to create. After creation, we change the file’s access rights to 0644, which makes it read-only for everyone except the file’s owner. Execute these commands:

sudo touch ~/.ssh/authorized_keys
sudo chmod 0644 ~/.ssh/authorized_keys

We’re getting closer… earlier, OpenSSH created two files in the .ssh folder on Windows. We are going to copy the contents of the .pub file into the authorized_keys file now. You can extract the content of the .pub file with Notepad on Windows. Once you have that one in your clipboard, open the authorized_keys file (using your favorite editor):

nano ~/.ssh/authorized_keys

Paste the content of your .pub file by right-clicking on the Azure CLI window. Save the file and close it. To secure the new user account, we need to apply some additional steps.

The first one is to delete and disable the password of our new user:

sudo passwd -d -l newuser

The -d parameter completely deletes the password. The -l parameter locks the account’s password, preventing the user from setting a new one (without using sudo, that is).

Additional security measures

Now that we have our SSH public key on our server, we are safe to disable password-based login in general. To do so, we need to modify the sshd_config file of our server. Open it with the editor of your choice:

sudo nano /etc/ssh/sshd_config

Search for PasswordAuthentication and ChallengeResponseAuthentication. Uncomment these entries if necessary by removing the ‘#’ in front of the line and set them to ‘no’. Some tutorials that are floating around the web tell you to even set UsePAM to no, but following this recommendation always disabled the login completely for me on the Azure VM and I always had to reset the SSH config via the Azure CLI.

Save and exit the sshd_config file. For these changes to take effect, we need to restart the SSH service on our server:

sudo service ssh restart

Wait a few seconds and then verify that the service restarted by checking its status:

systemctl status ssh.service

That’s it, we have deployed our new SSH key to our server and taken additional security measures. There’s just one thing left: try to log in via ssh as the new user. This is a pretty easy task. In the Azure CLI (or a local command prompt), enter the following command:

ssh -i %USERPROFILE%\.ssh\id_test newuser@machine.com

After entering the passphrase of your private key, you should be logged in just like you did with your admin user.
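Two things tend to break this kind of key-only setup silently: a permission slip on ~/.ssh or authorized_keys (sshd’s StrictModes then ignores the file), and an sshd_config where a later ‘PasswordAuthentication no’ is shadowed by an earlier uncommented ‘yes’, because sshd takes the first occurrence of a keyword. As an added example that is not part of the original post, here is a small bash script that checks both outcomes; the sample config lines and the temp directory it runs against are constructed, and on the VM you would call it as check_ssh_dir /home/newuser/.ssh and check_sshd_config /etc/ssh/sshd_config.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): verify the permissions and the
# sshd_config hardening described above. Assumes GNU coreutils (stat -c) and
# awk, as found on an Azure Ubuntu VM.

# Print the effective value of an sshd_config keyword. sshd honours the FIRST
# uncommented occurrence, so "PasswordAuthentication no" appended at the end
# does nothing if a "PasswordAuthentication yes" line sits above it.
sshd_effective() {
  local cfg="$1" key
  key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"   # keywords are case-insensitive
  awk -v key="$key" '
    /^[[:space:]]*#/ { next }                 # commented lines never count
    NF >= 2 && tolower($1) == key { print tolower($2); exit }
  ' "$cfg"
}

# Both keywords the post edits must resolve to "no". An unset keyword is
# reported as well, because sshd defaults PasswordAuthentication to yes.
check_sshd_config() {
  local cfg="$1" rc=0 kw val
  for kw in PasswordAuthentication ChallengeResponseAuthentication; do
    val="$(sshd_effective "$cfg" "$kw")"
    if [ "$val" != "no" ]; then
      echo "$cfg: $kw is '${val:-unset}', expected 'no'"
      rc=1
    fi
  done
  return "$rc"
}

# ~/.ssh must be 0700 and authorized_keys must not be writable by group or
# other (0644 as in the post, or 0600). StrictModes rejects anything looser,
# and the new user is then locked out without an obvious error.
check_ssh_dir() {
  local dir="$1" rc=0 mode
  mode="$(stat -c %a "$dir")"
  [ "$mode" = "700" ] || { echo "$dir: mode $mode, expected 700"; rc=1; }
  mode="$(stat -c %a "$dir/authorized_keys")"
  case "$mode" in
    [46][0145][0145]) ;;   # owner may read/write, nobody else may write
    *) echo "$dir/authorized_keys: mode $mode is group- or world-writable"; rc=1 ;;
  esac
  return "$rc"
}

# Demo on constructed files in a temp directory; no real server is touched.
demo() {
  local tmp; tmp="$(mktemp -d)"
  printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$tmp/sshd_config.good"
  printf '%s\n' 'PasswordAuthentication yes' 'ChallengeResponseAuthentication no' \
    'PasswordAuthentication no' > "$tmp/sshd_config.bad"   # shadowed "no"
  mkdir -m 700 "$tmp/.ssh"
  touch "$tmp/.ssh/authorized_keys" && chmod 644 "$tmp/.ssh/authorized_keys"
  check_sshd_config "$tmp/sshd_config.good" && check_ssh_dir "$tmp/.ssh" && echo "hardening OK"
  check_sshd_config "$tmp/sshd_config.bad" || echo "weak config caught"
  rm -rf "$tmp"
}
demo
```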

Bonus: add a shared directory

More often than not, you might want to create scripts or other files that are available to all users. Follow these simple steps:

sudo groupadd shared
sudo usermod -aG shared newuser

sudo mkdir -p /var/helpers
sudo chgrp -R shared /var/helpers
sudo chmod -R 2775 /var/helpers

The first two lines create a new group and assign our new user to the group. Repeat the second command for every user you want to be in that group.

Then we create the shared folder /helpers in the /var folder of our server. Utilizing the chgrp command, we give ownership to our shared group. Last but not least, we modify the access rights once again for the /var/helpers folder. The combination 2775 means that every new file inherits the group from the folder (the leading 2 is the setgid bit), allowing all members of the group to read, write and execute, while users outside the shared group can only read and execute.

Conclusion

As you can see, one does not always have to use third-party tools to get things done. Like I said at the beginning of this post, once you know the steps that are needed, it is pretty easy to create a new SSH key pair, create a new user and manually deploy the public key to the server. As always, I hope this post is helpful for some of you.

Posted by msicc in Azure, Linux

Sean’s Editorial: This Is How I Use “Rooms” For WP


With the release of Windows Phone 8, there are a tremendous number of new features available. Many aren’t available for WP7, or are but have inherent limitations. Some are major additions and some are minor changes. The feature that I find myself utilizing more than any other option on my Lumia 920 is the new Rooms feature. If you haven’t had the opportunity to upgrade to WP8 yet, Rooms are similar to Groups for WP7, but with many additional and VERY useful features. My wife and I both have WP8 Lumia 920’s, so I’ve had the chance to use the Rooms feature often and will give you some of my experiences, the positives of Rooms, and some of the needed improvements to this unique feature from Microsoft.

Bear with me for a second, this is more of a recap of Rooms before I better describe how it has become such a vital aspect of my phone and world. First, let’s start off with what the Rooms feature is. Like Groups, Rooms is a collection of contacts from your People Hub that you want to group together for easier and more organized communication. The 1st big difference between the 2: Groups are people you add into a hub without their permission, making it easier for YOU, the user, to better keep track of up to 25 people and communicate with them via the various integrated services on WP. Unlike a Group though, a Room requires you to be invited to it, or for you to invite participants into a Room you’ve created. A Room can’t exceed 10 members and you’re limited to participating in no more than 5 Rooms at a time. In addition, invites are only sent via SMS, so you need to be in network range to send or accept. Once you’re in a Room, WiFi can then be used as your connection. This was an issue for me personally, as my home is not within my carrier’s network range. I had to wait to get into reception before accepting an invitation and sending an invite for a different Room.
Many of you have read about the features included in Rooms for WP8, so I won’t spend a lot of time detailing what’s already been written. It has a very simple minimalist feel and look to it, but does a great job of capturing the essence of Windows Phone with all the integrated services right at your fingertips and easily accessible. Here’s the short of what a Room consists of:

  • Members Screen: live tiles of the members of the room / What’s New via social networks / Member Photos / Group email / Settings
  • Messenger: IM with the members in your Room
  • Calendar: add/view/edit events
  • Photos: add/view/comment on Room members’ uploaded pics
  • Notes: add/view/edit notes added by Room members

So who is this wonderful feature, created by the reinvigorated and innovative team at Microsoft, available to? If you own a WP8, you’re in luck, as all the services come stock and work great with your device. What if you own a WP7… or maybe you own a WP8 but know someone with an iPhone that you would like to share this experience with? Well, there’s good and bad news. It IS available to WP7 and iPhone owners, but with limitations. I’m personally in a Room with my wife and in another with other Lumia 920 owners, so I have to be honest… I’m not sure how well the non-WP8’s behave in a Room. This is how Microsoft describes the experience for non-WP8 Room members:

If you have a Windows Phone 7 or an iPhone, you can join a room that someone with a Windows Phone 8 creates and invites you to. You’ll be able to set up the room’s shared calendar on your phone and view, create, and edit events on it. Your changes will appear on the other members’ phones and their changes will sync to yours. Other Rooms features work best on Windows Phone 8. Group chat (Messenger) in Rooms is only available on Windows Phone 8. Room members with a Windows Phone 7 or iPhone won’t be able to participate.

Rather than focusing on the specs, I’m going to spend my time in this piece talking about how I personally use these features on a daily basis, quite perhaps more than any other aspect of my Lumia 920. As I mentioned before, I’m involved in 2 rooms currently. The Lumia 920 Room is a group of 10 owners of the 920 where we discuss many things 920 related and some other things too. It’s a great way for me to stay connected with other Winphans and feel the WP love! The second Room I’m involved in is one my wife and I made to stay connected in our busy world. I’m going to talk about that first as it garners most of my time and well… I’m using it as I’m writing on my laptop this very second.

I’m sure many of you can relate to this description: I am married, we have children, we both work, our kids have busy schedules, somebody wants this, somebody wants that, etc. Well, the same holds true for my wife and me. We both have busy schedules and we have children, but don’t want to lose out on what matters most, each other. Our Room has really helped to make us more communicative throughout the day and makes it easier to share the day’s doings even though we’re apart. It’s why we fell in love in the first place: we enjoyed sharing experiences and thoughts together. We are in an era, however, where finding time with your loved one or people you care about becomes harder due to busier schedules, finances, and other various factors. A Room is really the 1st of its kind. It offers a bit of a social network feel, but in a much more intimate setting, and brings some easy ways to connect the important and not so important parts of your day to the person or people who are important in your day.

Obviously, the most used feature of a Room is the Messenger, or chat. This is a downfall of WP7: the lack of an integrated Messenger just doesn’t make sense. Aside from FB chat, KIK, and a couple of others, there is slim pickins’ when it comes to IM and Windows Phone. Having Messenger integrated gives another very stable IM choice to people considering a switch, and with something as important as messaging, more is better. I spend most of my time near my home and, as I mentioned above, my carrier’s network does not reach it. A simple SMS is out of the question and most SMS apps have unreliable servers, making texting a challenge often. My wife, however, works in town and is in network range, so SMS is fine. However, if my app’s server is down, she can’t reach me and we’re back at square one. That has been our experience until having a Room. There are times where our carrier’s network is bad, but Messenger is always reliable. What is great for my wife is that the message shows up in her Messaging Hub just like an SMS or FB chat does. This gives you the option to have a live tile for your Room or not; either way, you’re going to get a notification.

An interesting feature of a Room’s Messenger chat is the storage of conversations in your Windows Live email. It’s not always consistent as to what will or won’t show up in your inbox, but some items do appear there. In the long run, if Microsoft straightens that out and has a Room consistently feeding through your email, that’s just one more example of Microsoft’s 3 screens concept. If your WP isn’t near you, you don’t have to miss out on a conversation. Your Messenger also comes with voice-to-text dictation, which is a great little feature. In addition to the above features, Messenger allows you to check in with your location, and with a tap of the map, other members can look at their Local Scout for where you are.

So my wife and I both love to take pics and save pics we see on the internet and then share them with each other. Instead of having to send emails back and forth or sit and wait for the other person to scroll through their various photo albums looking for that one pic they saved, it’s much easier to use the SkyDrive integration and share it directly to our Room’s photo album. You can comment on a pic while viewing it as well, which can lead to long threads of their own aside from Messenger. Because of the SkyDrive integration it’s super easy to upload any image directly to the Room’s album; whenever you share an image you’ll see the Rooms you participate in as an option. You’ll also be notified via your live tile when a member uploads a new image. On a recent trip to L.A., my wife was able to almost stream her day in pics posted to our album. It was wonderful being able to experience things almost in live time as she showed me the world from her eyes. More than that, it was fairly easy for her to keep me up to the moment with how simple and NOT time-consuming it is to share. In addition to viewing pics while in your Room, your shared Room album is stored to SkyDrive, allowing you to access those same pics from your laptop, tablet, Xbox, as well as your phone’s Photo hub. Ahem… 3 screen concept yet again!

When you have busy schedules, that means you have filled-up calendars, and keeping them all in order can be a mind-boggling and time-consuming task! Your Room comes equipped with its own calendar that has also been integrated with SkyDrive, thus adding itself to your existing Windows Live Calendar without you having to do anything. You might think “I’ve already linked my Windows Live Calendar with someone, how is this any different?”. The answer is this: when you add a new appointment/event with your phone’s calendar, you must enter an attendee to share it with and an email is sent with a request to accept or decline… too many steps, too much time, and things that can go wrong. With your Room, when a new item is added, it automatically includes all members and then places it in their calendar. No emails to accidentally end up in bulk or junk and get missed, just set it and that is that! Events from your Room will show up on your Calendar tile on your WP, laptop, or tablet. Yes, I know, 3 screens… I cannot say enough about SkyDrive and the way Windows Phone has integrated it into our devices!

The last main feature I’ll talk about is Notes. Your Room’s Notes is a shared folder using your WP’s OneNote, which has been integrated with SkyDrive, allowing for, you guessed it, a 3 screen concept! Start a Note or add to it. Christmas is right around the corner and my wife and I haven’t done a lick of shopping for gifts yet! We both are quite busy, so it can be hard to both end up at a store looking for Christmas goodies at the same time. No worries, we’re going to sit together and, using our Room, make a gift Note. We can add or eliminate items later whether we are in the same room or in different areas with SkyDrive. If I buy a gift, I just notate it on the Note and my wife can see not to get it. She doesn’t have to stand waiting for me to reply to a text or email if she’s at a store and isn’t sure if I already got it. We’ve all waited for that damn text or message at one point or another, be honest. NO MORE! If she thinks of something for me to pick up while I’m shopping for groceries, BAM… add it to the Note and it’s just that simple! Like Messenger, Notes also comes with voice-to-text dictation.

In addition to the features I described above, the members of the Room all appear in one spot as live tiles. The members’ live tiles in a Room are the same as in your People hub, so each member’s live tile shows their social network updates dancing about on their tile, and all contact info can be accessed there as well. One of the features that appealed to many of us early adopters of Windows Phone was the Hub concept. It still does to newcomers: not needing so many apps to do simple tasks, unlike the device they recently left behind, whether it be Android or iPhone. Well, Windows Phone has done it again! I’ve seen many apps that attempted to emulate each one of these tasks individually, but Microsoft has done a great job at building each service into WP8 and then offering a way to use them all at once without the need of an app.

So I’ve given you all the upsides to a Room. What are the things that could be improved upon? This is a much shorter list. I actually only have 1 legitimate complaint; the rest are things that need just a little tweaking. My major complaint is this: there is no way to mute a Room. If you have an active room, your phone could be alerting you for hours on end as your Room’s Messenger gets lit up by members. Keep in mind, members of a Room can be from all over the world, so it’s always Windows Phone time somewhere in the world in my 920 Room. The ability to turn off a Room’s alerts would be great! At this point the only way to turn off chat alerts is by leaving the Room in its entirety. Not a good solution.

Aside from that, I would like to see the ability for a Room to do a better job at linking its members’ social networks together. Because it’s Windows Live, we all share each other’s Windows Live contact info. What if I want to know someone’s Twitter, their other social networks, or other contact info? There isn’t a quick way to do it in a Room yet. Yes, you can share contact info via email, but that’s an added step that usually won’t be taken.

My last thing I can see a bit of an issue with is less to do with a Room and more to do with a carrier’s network. If you have poor network coverage the Room definitely doesn’t function as well. Just because you have enough reception to text doesn’t mean you have a strong enough signal for a Room to operate in “Real Time”, you may notice delays in Messenger and troubles syncing with SkyDrive. When I’m on WiFi I have yet to face any issues however.

When I first heard of Rooms in June, I thought it was cool sounding but had no idea how useful and in the theme of Windows Phone Rooms would really be. In terms of normal non gimmick function and by that I mean function but not a selling ploy like Siri for example, I really think this is the clear choice for top addition to Windows Phone 8. I think it will take a second, but you will hear more and more about Rooms in time to come. There are so many ways to make a Room work for each person, the question is simple…how will you make your Room or Rooms work for you?

To learn more about Rooms for Windows Phone 8 just click here.

Posted by TheWinPhan in Archive