SSH Administration

Create a new user on the system. When prompted: use the username from the .pub filename, select ksh as the shell, accept the default login group (own username), add the user to the secondary groups users, guest and games, and choose y to disable password logins.

doas adduser

Enter username []:                         # use the name from the .pub file
Enter full name []:                        # user's full name
Enter shell csh ksh nologin sh [ksh]:      # press Enter to accept ksh
Uid []:                                    # press Enter to accept next available
Login group username [username]:           # press Enter to accept own group
Invite username into other groups: guest no [no]: users guest games
Login class [...] [default]:               # press Enter to accept default
Enter password []:                         # press Enter, no password
Disable password logins for the user? (y/n) [n]: y

The home directory is created from /etc/skel with permissions 755 by default. On a shared system every user's home must be private. Lock it down immediately after account creation:

chmod 700 /home/username

Create the SSH directory and authorized_keys file with correct ownership and permissions in a single step, then install the public key from the administrator's .pub file — the filename is the username:

install -d -m 700 -o username -g username /home/username/.ssh
install -m 600 -o username -g username /dev/null /home/username/.ssh/authorized_keys
cat username.pub >> /home/username/.ssh/authorized_keys

Verify the account: groups must show users, guest and games; home directory must be drwx------; .ssh must be drwx------; authorized_keys must be -rw-------.

id username
ls -la /home/username
ls -la /home/username/.ssh
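
The permission and key checks above, scripted so they can be rerun for every account. This is an added example, not part of the original page; the function names, the script name audit.sh and the output format are assumptions. Group membership is still checked with id.

```shell
#!/bin/sh
# Added example: function names and the FAIL/ok output format are hypothetical.

# Ten-character mode string from ls -ld; avoids stat(1), whose format flags
# differ between OpenBSD and other systems.
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# Owner name as reported by ls -ld (third field).
owner_of() { ls -ld "$1" 2>/dev/null | awk '{print $3}'; }

# check_path PATH EXPECTED_MODE EXPECTED_OWNER
check_path() {
    actual_mode=$(mode_of "$1")
    actual_owner=$(owner_of "$1")
    if [ "$actual_mode" != "$2" ]; then
        echo "FAIL $1: mode ${actual_mode:-missing}, want $2"
        return 1
    fi
    if [ "$actual_owner" != "$3" ]; then
        echo "FAIL $1: owner $actual_owner, want $3"
        return 1
    fi
    echo "ok   $1"
}

# audit_ssh_account HOME USER [PUBFILE]
# Returns 0 only if every path has the mode and owner the page requires and,
# when PUBFILE is given, its key line is present verbatim in authorized_keys.
audit_ssh_account() {
    home=$1; user=$2; pub=${3:-}; rc=0
    check_path "$home" drwx------ "$user" || rc=1
    check_path "$home/.ssh" drwx------ "$user" || rc=1
    check_path "$home/.ssh/authorized_keys" -rw------- "$user" || rc=1
    if [ -n "$pub" ] && ! grep -qxF -f "$pub" "$home/.ssh/authorized_keys" 2>/dev/null; then
        echo "FAIL key from $pub not found in authorized_keys"
        rc=1
    fi
    return "$rc"
}

# Usage: sh audit.sh /home/username username username.pub
if [ "$#" -ge 2 ]; then
    audit_ssh_account "$@"
fi
```

A non-zero exit status means at least one path is too permissive, has the wrong owner, or the key was not installed.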