
How do I add new user accounts with SSH access to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance?

Every Amazon EC2 Linux instance launches with a default system user account (for example, ec2-user on Amazon Linux or ubuntu on Ubuntu) that has administrative access to the instance through sudo. If several people need access to the instance, give each one a separate account instead of sharing the default account and its key pair: separate accounts keep a record of who did what, and let you revoke one person's access by removing their key rather than rotating a key that everyone holds.

The steps below add a new user account with remote access rights to an EC2 Linux instance. The new user can then use SSH to connect to the instance from another computer or EC2 instance.

Note: You can expedite these steps by using cloud-init and user data as described at How can I add an additional SSH user account with cloud-init and user data for my EC2 instance?

Prerequisites

1.    Complete the steps to launch and connect to your EC2 Linux instance - For more information, see Getting Started with Amazon EC2 Linux Instances and Connect to Your Linux Instance.

2.    Create a key pair for the new user account or be sure that you have access to an existing key pair - Because new user accounts authenticate using a private key that corresponds to a key pair's public key, you should either generate a new key pair, or locate a suitable pre-existing key pair before you add new user accounts. For more information, see Creating a Key Pair Using Amazon EC2. If you create your own key pair using the command line, follow the recommendations at create-key-pair or New-EC2KeyPair Cmdlet for key type and bit length. If you create your own key pair using a third-party tool, be sure that your key matches the guidelines at Importing Your Own Public Key to Amazon EC2 for key type and bit length.

Add a new user to an EC2 Linux instance

1.    Add a new user account to an instance, where new_user is a placeholder for the new account name. This command creates an associated group, home directory, and entry in the /etc/passwd file of the instance.

sudo adduser new_user

Note: On an Ubuntu instance, adduser is an interactive script that prompts for a password. Include the --disabled-password option so that the account gets no password and can be reached only with its SSH key. On Amazon Linux, adduser behaves like useradd and creates the account with a locked password by default.

sudo adduser new_user --disabled-password

2.    Switch to the new user account so that the directory and file you create next are owned by new_user and receive the correct permissions. sshd checks the ownership and permissions of .ssh and authorized_keys (StrictModes, which is on by default) and refuses the key if they are wrong, so files created as root and left owned by root are a common reason key-based login fails.

sudo su new_user

Note: sudo su new_user starts a non-login shell. The name at the top of the command shell prompt changes to reflect the new user account, but the working directory stays where it was, which is why the following steps begin with cd to move to the home directory of new_user.

3.    Create a .ssh directory in the new_user home directory and change its file permissions to 700. This enforces that only the new_user can read, write, or open the directory.

cd
mkdir .ssh
chmod 700 .ssh

4.    Create the authorized_keys file in the .ssh directory, and then restrict file permissions to 600 to enforce that only the new_user has read or write access to the file.

cd
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys

Retrieve the public key for your key pair

Retrieve the public key for your key pair. Copy the public key, and then use the Linux cat command to paste it into the .ssh/authorized_keys file for the new user, as described in the following sections.

Verify your key pair's fingerprint

Follow the steps at Verifying Your Key Pair's Fingerprint after you import your own public key or retrieve the public key for your key pair.

Update and verify the new user account credentials

After you copy the public key, use the command shell session that is running under the context of the new user account to append the public key to the .ssh/authorized_keys file for this account:

1.    Run the cat command in append mode (cat >> .ssh/authorized_keys).

2.    Paste the public key into the open cat prompt, and then press Enter.
Note: For most Linux command-line interfaces, the Ctrl+Shift+V key combination pastes the contents of the clipboard into the command line window. For the PuTTY command-line interface, right-mouse click to paste the contents of the clipboard into the PuTTY command-line window.

3.    Press Ctrl+D on an empty line to send end-of-file, which exits cat and returns you to the command session prompt. The public key must occupy a single line of the file; if the paste introduced a line break (for example, when the key was copied from a wrapped view), open the file and join the line before you test the connection.
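The server-side procedure above (create the account, create .ssh with mode 700 and authorized_keys with mode 600, append the public key, verify the fingerprint) collected into one script, as an added example that is not part of the original article. It uses useradd, which behaves the same on Amazon Linux and Ubuntu, in place of the distribution-specific adduser; the script name, the user name and the sample public key are constructed for illustration (the key has valid OpenSSH syntax but is not a real key). The functions that only touch a home directory are kept separate from the one that creates the account, so you can exercise them without root before running the whole thing with sudo. The public key for an existing .pem can be produced with ssh-keygen -y -f /path/new_key_pair.pem.

```sh
#!/bin/sh
# Added example, not from the original AWS article. Names, paths and the
# sample key below are constructed for illustration.

# Constructed sample: correct OpenSSH public-key syntax, NOT a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnlyForIllustrationNotARealKey000 new_user@example'

NL='
'

# Accept one line of the form "<type> <base64 blob> [comment]" whose type
# OpenSSH still enables by default (ssh-dss is deliberately excluded).
is_openssh_pubkey() {
    key=$1
    case "$key" in
        *"$NL"*) return 1 ;;                 # a pasted key must be a single line
    esac
    ktype=${key%% *}
    rest=${key#* }
    [ "$rest" != "$key" ] || return 1        # no space at all: no blob present
    blob=${rest%% *}
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;   # blob must be non-empty base64
    esac
    return 0
}

# Create $1/.ssh (700) and $1/.ssh/authorized_keys (600) and append key $2 once.
# umask 077 is set before creation so the files are never briefly world-readable,
# and the append is idempotent (the same key is not added twice).
install_ssh_key() {
    home=$1
    key=$2
    is_openssh_pubkey "$key" || { echo "rejected: not a single-line OpenSSH public key" >&2; return 1; }
    (
        umask 077
        mkdir -p "$home/.ssh"
        chmod 700 "$home/.ssh"
        [ -e "$home/.ssh/authorized_keys" ] || : > "$home/.ssh/authorized_keys"
        chmod 600 "$home/.ssh/authorized_keys"
        grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
            printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    )
}

# Return 0 only if $1/.ssh is mode 700 and authorized_keys is mode 600, the
# shape sshd's StrictModes check expects (it also requires the user to own them).
check_ssh_perms() {
    home=$1
    [ -n "$(find "$home/.ssh" -maxdepth 0 -type d -perm 0700 2>/dev/null)" ] || return 1
    [ -n "$(find "$home/.ssh/authorized_keys" -maxdepth 0 -type f -perm 0600 2>/dev/null)" ] || return 1
}

# Number of key lines currently authorized for the account whose home is $1.
count_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}

# Full procedure for a real account; needs root. useradd without -p leaves the
# password field locked ("!"), so the account is reachable only with the key,
# which is what the article's --disabled-password note achieves on Ubuntu.
add_ssh_user() {
    user=$1
    key=$2
    [ "$(id -u)" -eq 0 ] || { echo "add_ssh_user must run as root (sudo)" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"
    home=$(getent passwd "$user" | cut -d: -f6)
    install_ssh_key "$home" "$key" || return 1
    chown -R "$user:$(id -gn "$user")" "$home/.ssh"   # StrictModes also checks ownership
    check_ssh_perms "$home" || return 1
    # Fingerprint(s) of what was installed, to compare with the key pair's own.
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -lf "$home/.ssh/authorized_keys"
    fi
}

# Usage on the instance (hypothetical file name):
#   sudo sh add_ssh_user.sh new_user /path/new_key_pair.pub
# where the .pub comes from: ssh-keygen -y -f /path/new_key_pair.pem > new_key_pair.pub
if [ $# -eq 2 ]; then
    add_ssh_user "$1" "$(cat "$2")"
fi
```

The syntax check matters because whatever is appended to authorized_keys is parsed by sshd: a line that is not a key is ignored, but a key pasted with a stray line break or shell metacharacters in the comment is a sign that something other than the intended public key was copied, and it is better to reject it than to debug a failed login later.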

Verify that you can use SSH to connect to your instance

To verify that you can connect to your EC2 instance via SSH as new_user, run the following command from the command line on your local computer. The private key file must be readable only by you (for example, chmod 400 on the .pem file); otherwise ssh refuses to use it.

ssh -i /path/new_key_pair.pem new_user@public_dns_name_of_EC2_Linux_instance

To connect to your EC2 Linux instance using SSH from Windows, follow the steps at Connecting to Your Linux Instance from Windows Using PuTTY.

After you connect to your instance as new_user by using SSH, run the following command from the EC2 instance command line to view the user and group information created for the new_user account:

id

This command returns information similar to the following:

uid=1004(new_user) gid=1004(new_user) groups=1004(new_user)


Published: 2017-02-21

Updated: 2018-03-30