User configuration and management in Linux VPS

Basic account model (1 minute of theory)

Users: /etc/passwd (UID, GID, shell, $HOME).
Password hashes: /etc/shadow (root only).
Groups: /etc/group (GID and members).
Home directories — usually /home/<user>, initial content template — /etc/skel.

Creating a user

1. Convenient adduser wizard (Debian/Ubuntu)

				
					sudo adduser alice
# The wizard will ask for a password and profile, create /home/alice, and copy files from /etc/skel.

2. “Low-level” via useradd (universal)

				
					# стандартний home і bash
sudo useradd -m -s /bin/bash alice
sudo passwd alice

Custom home + rights:

				
					sudo mkdir -p /srv/users/alice
sudo cp -rT /etc/skel /srv/users/alice
sudo useradd -d /srv/users/alice -s /bin/bash alice
sudo chown -R alice:alice /srv/users/alice
sudo passwd alice

Verification:

				
					getent passwd alice
sudo -u alice -H bash -lc 'whoami && pwd'

Groups and roles

Adding to additional groups

				
					sudo usermod -aG sudo,adm alice
id alice
groups alice

Removing from a group

				
					sudo gpasswd -d alice adm

Role group for the project/service

				
					sudo groupadd deploy
sudo usermod -aG deploy alice

Secure sudo (via visudo and /etc/sudoers.d)

Edit rules only via visudo — validates syntax and saves you from the admin panel “brick.”

				
					# preferably — a separate user file
sudo visudo -f /etc/sudoers.d/alice

Full sudo (as in the sudo group):

				
					alice  ALL=(ALL:ALL) ALL

Minimum privileges (example for nginx):

				
					Cmnd_Alias NGINX_CMDS = /bin/systemctl restart nginx, /bin/systemctl status nginx, /bin/journalctl -u nginx
alice ALL=(root) NOPASSWD: NGINX_CMDS

Tips

Issue permissions through a group whenever possible:
%webadmins ALL=(root) NOPASSWD: NGINX_CMDS → add users to webadmins.
NOPASSWD — only where automation is needed.

Password policy (password aging) and complexity

Individual terms via chage

				
					# current status
sudo chage -l alice
# maximum 90 days, warn 7 days in advance, do not change more often than once a day
sudo chage -M 90 -W 7 -m 1 alice
# deactivate by date
sudo chage -E 2025-12-31 alice

Defaults for new users (login.defs)

				
					/etc/login.defs:
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7

Password complexity (PAM, Ubuntu/Debian)

Install libpam-pwquality and configure /etc/pam.d/common-password, for example:

				
					password requisite pam_pwquality.so retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1

SSH keys and SSH restrictions

Add a public key to a user

				
					sudo -u alice -H bash -lc “mkdir -p ~/.ssh && chmod 700 ~/.ssh”
sudo -u alice -H bash -lc “cat >> ~/.ssh/authorized_keys” # paste the contents of *.pub, then Ctrl+D
sudo -u alice -H bash -lc “chmod 600 ~/.ssh/authorized_keys”

Restrict access in sshd_config

				
					# when keys are configured — disable passwords
PasswordAuthentication no
PubkeyAuthentication yes

# prohibit direct root login (after issuing sudo to administrators)
PermitRootLogin no

# restrict access by group
AllowGroups sshusers

sudo groupadd sshusers
sudo usermod -aG sshusers alice
sudo systemctl restart sshd

“Technical” user without shell

				
					sudo useradd -m -s /usr/sbin/nologin backupbot

Collaborative work in a directory (group + ACL)

setgid on the project directory (group inheritance)

				
					sudo mkdir -p /srv/project
sudo chgrp project /srv/project
sudo chmod 2775 /srv/project

Point ACLs (if rights beyond the standard are required)

				
					sudo setfacl -m u:bob:rwx /srv/project
sudo getfacl /srv/project

Audit and debugging of inputs

				
					# successful logins
last -n 10
# who is in the system
w
who
# failed attempts (if faillog is active)
faillog -a

# SSH logs for today
sudo journalctl -u ssh --since “today”
sudo journalctl -u ssh --grep “Failed password”

Blocking and deleting accounts

				
					# lock password (key login can remain)
sudo usermod -L alice
# unlock
sudo usermod -U alice

# immediate deactivation (expired)
sudo chage -E 0 alice

# terminate processes and delete account from home
sudo pkill -KILL -u alice
sudo userdel -r alice
# (Debian/Ubuntu is convenient:)
sudo deluser --remove-home alice

Production readiness checklist

User created, $HOME and shell are correct, SSH key added.
Role-based groups assigned (sudo/adm/www-data/docker/…).
sudo issued via /etc/sudoers.d with minimal privileges.
Password policy: chage/login.defs/PAM configured.
Passwords and root login are disabled in SSH; AllowGroups sshusers restriction is enabled.
Setgid and, if necessary, setfacl are configured for projects.
Logins are audited; there is an offboarding procedure (lock → kill → backup → remove).