I’ve written about deploying code to remote servers, SSH keys, and remote user security a few times now. However, it’s been brought to my attention that I’ve never covered some of the basics; namely, how I put all of this together when creating a “deploy” user on a remote Linux system. Well, as the old proverb goes, the best time to plant a tree was 20 years ago; the second best time is now. With that in mind, let’s go over the steps used to create a new user on a Linux system to be used solely for code deployments.
Why Should You Create a Deploy User?
The main benefits of using a dedicated deploy user are security and easier access management. Security improves because nobody has to share root (or any other user’s) credentials, which effectively silos the entire deployment process on the remote server. Access management becomes easier (and more secure) because you grant or revoke access simply by adding or removing users’ public SSH keys.
The main thing you will need for this tutorial is an SSH keypair for the machine(s) that you are deploying from. If you do not have one yet, I’ve covered the steps to generate an SSH keypair previously.
0. Copy Your Public SSH Key
In a later step, you will need your development machine’s (or whatever machine you’re deploying from) public SSH key. Go ahead and copy it down now.
Be sure to copy your key exactly. If you add spaces or leave out characters it will not work.
1. Creating the Deploy User
1. To begin, log in to the remote system (that is, the system you are deploying to) and become root. Then issue useradd to create the deploy user:
useradd --create-home -s /bin/bash deploy
This will add a new user named deploy, create a home directory for it (/home/deploy), and give it a login shell (/bin/bash).
2. Next, you need to set a password for the deploy user. If you don’t set a password the account will remain “locked” and you won’t be able to log in. Note, however, that the password is never actually used. Since it is never used for anything, I recommend setting it to a long, random string. If you need a password, here’s one that was randomly generated:
Use passwd to set a password:
3. After you’ve set the deploy user’s password, you need to create a directory and file for the authorized SSH keys. The authorized_keys file holds the public keys of the machines you will be deploying from.
2. Adding Your SSH Key
Assuming that you have disabled password logins for SSH, you won’t be able to use ssh-copy-id to copy your SSH key. As such, you will need to add your key manually (the one you copied during the first step).
1. Open the authorized_keys file you created in the previous step:
2. Paste your public SSH key exactly as you copied it. If you have multiple keys from multiple machines then paste one key per line.
3. Save and close the authorized_keys file, then set its ownership and permissions to lock it down (chown’s colon form is used here; the older deploy. spelling still works on GNU chown but is deprecated):
chown -R deploy: /home/deploy
chmod 600 /home/deploy/.ssh/authorized_keys
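Steps 1 and 2 as one script, added here as an example and not code from the original post: it creates the user, gives it a throwaway random password, checks the pasted key before writing it (catching the truncated or space-damaged keys the post warns about), and applies the ownership and modes sshd expects. The script name deploy-user.sh, the DEPLOY_USER variable and the GNU useradd/chpasswd tooling are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes a Linux server with
# GNU useradd/chpasswd, and that create_deploy_user runs as root.
set -euo pipefail

DEPLOY_USER="${DEPLOY_USER:-deploy}"

# Sanity-checks one authorized_keys line ("<type> <base64> [comment]").
# Catches the usual paste damage: truncated base64 or a space inside it.
valid_pubkey() {
  local key="$1" ktype b64
  ktype="${key%% *}"
  b64="$(printf '%s' "$key" | awk '{print $2}')"
  case "$ktype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) return 1 ;;
  esac
  [ "${#b64}" -ge 40 ] || return 1            # shortest real key (ed25519) is 68 chars
  [ $(( ${#b64} % 4 )) -eq 0 ] || return 1    # base64 comes in 4-character groups
  printf '%s' "$b64" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Creates ~/.ssh/authorized_keys with the modes sshd (StrictModes) insists on
# and appends the key once. Takes the home path so it can run unprivileged.
install_deploy_key() {
  local home="$1" key="$2" akf="$1/.ssh/authorized_keys"
  valid_pubkey "$key" || { echo "refusing malformed key: $key" >&2; return 1; }
  mkdir -p "$home/.ssh"
  touch "$akf"
  grep -qxF "$key" "$akf" || printf '%s\n' "$key" >> "$akf"
  chmod 700 "$home/.ssh"
  chmod 600 "$akf"
}

# Steps 1 and 2 of the post: create the user, give it a password nobody knows
# (so the account is not locked, yet only the key can log in), install the key.
create_deploy_user() {
  local key="$1" home="/home/$DEPLOY_USER"
  useradd --create-home -s /bin/bash "$DEPLOY_USER"
  printf '%s:%s\n' "$DEPLOY_USER" "$(head -c 32 /dev/urandom | base64 -w0)" | chpasswd
  install_deploy_key "$home" "$key"
  chown -R "$DEPLOY_USER:" "$home"
}

# Usage on the server, as root: ./deploy-user.sh "$(cat ~/.ssh/id_ed25519.pub)"
if [ -n "${1:-}" ] && [ "$(id -u)" -eq 0 ]; then
  create_deploy_user "$1"
fi
```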
3. Test Everything
If all went as planned, you should now be able to log in to your remote server using the deploy user. Let’s test and see. Try logging in from your development/deployment machine:
You should now be logged into the remote machine as deploy. If you are prompted for a password or receive a Permission denied (publickey) error, then it’s likely you copied/pasted your SSH key wrong.
A Note About Permissions
Depending on how your remote server is set up, you may run into permission issues when trying to deploy. This is likely because your web files are owned by a user like www-data, and the deploy user doesn’t have permission to modify them. The easiest way I’ve found around this is to add the deploy user to the www-data group and then chmod the files to allow group access. For example:
usermod -a -G www-data deploy
chmod -R 775 /var/www
Of course, you might need to change /var/www to match your setup.