Add a Deploy User to a Remote Linux Server

I’ve written about deploying code to remote servers, SSH keys, and remote user security a few times now. However, it’s been brought to my attention that I’ve never covered some of the basics; namely, how I put all of this together when creating a “deploy” user on a remote Linux system. Well, as the old proverb goes, the best time to plant a tree was 20 years ago, the second best time is now. With that in mind, let’s take the time now to go over the steps used to create a new user on a Linux system to be used solely for code deployments.

Why Should You Create a Deploy User?

The main benefits of using a dedicated deploy user are security and easier access management. Security is benefited by removing the need to share root or other user access, essentially siloing the entire deployment process on the remote server. Access management is made easier (and more secure) because you can grant or restrict access by adding or removing users’ public SSH keys.

Requirements

The main thing you will need for this tutorial is an SSH keypair for the machine(s) that you are deploying from. If you do not have one yet, I’ve covered the steps to generate an SSH keypair previously.

0. Copy Your Public SSH Key

In a later step, you will need your development machine’s (or whatever machine you’re deploying from) public SSH key. Go ahead and copy it down now.

Be sure to copy your key exactly. If you add spaces or leave out characters it will not work.

1. Creating the Deploy User

1. To begin, log in to the remote system (that is, the system you are deploying to), and become root. Then issue useradd to create the deploy user:

This will add a new user named deploy, create a home directory for it (/home/deploy), and give it a login shell (/bin/bash).

Next, you need to create a password for the deploy user. If you don’t create a password the account will remain “locked” and you won’t be able to log in. Note, however, that the password is never actually used. Since the password is never used for anything, I recommend setting it to a long, random string. If you need a password, here’s one that was randomly generated: e70021f698d0770b9d2deb51fa7da85a3a70227a9027432f

2. Use passwd to set a password:

3. After you’ve set the deploy user’s password, you need to create a directory and file for the authorized SSH keys. The authorized_keys file holds the public keys of the machines you will be deploying from.

2. Adding Your SSH Key

Assuming that you have disabled password logins for SSH, you won’t be able to use ssh-copy-id to copy your SSH key. As such, you will need to manually add your key (that you copied during the first step).

1. Open the authorized_keys file you created in the previous step:

2. Paste your public SSH key exactly as you copied it. If you have multiple keys from multiple machines then paste one key per line.

3. Save and close the authorized_keys file, then chown and chmod it to lock it down:
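The key-installation steps above (create the .ssh directory and authorized_keys file, paste the key exactly, then lock the files down) can be scripted so they are safe to re-run. This is an added example, not the author's original commands: the function names are hypothetical, the modes are the conventional 700 for .ssh and 600 for authorized_keys, and the key check is a format sanity check only.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# valid_pubkey KEY -> 0 if KEY looks like one intact OpenSSH public key line.
# Catches a key that wrapped onto two lines, was cut short, or is a private key.
valid_pubkey() {
    [ "$(printf '%s\n' "$1" | wc -l)" -eq 1 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]{40,}={0,2}( [^ ].*)?$'
}

# add_deploy_key HOME KEY [OWNER]
#   HOME  : the deploy user's home directory (/home/deploy in the article)
#   KEY   : one public key line, exactly as copied
#   OWNER : optional user to chown to (needs root), e.g. deploy
add_deploy_key() {
    home=$1 key=$2 owner=${3:-}
    valid_pubkey "$key" || {
        echo "rejected: not a single intact public key line" >&2
        return 1
    }
    mkdir -p "$home/.ssh" || return 1
    touch "$home/.ssh/authorized_keys" || return 1
    # Append only if this exact line is not already present (one key per line).
    grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    # Owner-only access; sshd's default StrictModes ignores keys in looser files.
    chmod 700 "$home/.ssh" && chmod 600 "$home/.ssh/authorized_keys" || return 1
    # chown is skipped when no owner is given (for example a trial run in a temp dir).
    if [ -n "$owner" ]; then chown -R "$owner:$owner" "$home/.ssh"; fi
}

# perms_ok HOME -> 0 only if .ssh is exactly 700 and authorized_keys exactly 600.
perms_ok() {
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Usage as root on the remote server (key shortened here, paste yours in full):
#   add_deploy_key /home/deploy "ssh-ed25519 AAAA... you@devbox" deploy
```

Running `perms_ok /home/deploy` before the login test in the next section separates a permissions problem from a mis-pasted key when you see Permission denied (publickey).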

3. Test Everything

If all went as planned, you should now be able to log in to your remote server using the deploy user. Let’s test and see. Try logging in from your development/deployment machine:

You should now be logged into the remote machine as deploy. If you are prompted for a password or receive a Permission denied (publickey) error then it’s likely you copied/pasted your SSH key wrong.

A Note About Permissions

Depending on how your remote server is set up, you may run into permission issues when trying to deploy. This is likely because your web files are owned by a user like www-data, and the deploy user doesn’t have permission to modify them. The easiest way I’ve found around this is to add the deploy user to the www-data group and then chmod the files to allow group access. For example:

Of course, you might need to change www-data and /var/www to match your setup.


Mike Everhart
