{"id":688,"date":"2026-02-12T20:58:23","date_gmt":"2026-02-13T04:58:23","guid":{"rendered":"https:\/\/blog.iabsolute.com\/?p=688"},"modified":"2026-02-12T20:58:23","modified_gmt":"2026-02-13T04:58:23","slug":"add-users-for-ssh-google-cloud","status":"publish","type":"post","link":"https:\/\/blog.iabsolute.com\/?p=688","title":{"rendered":"add users for ssh Google Cloud"},"content":{"rendered":"\n<p>Yes \ud83d\udc4d exactly \u2014 if in the future you want to add a <strong>second upload user<\/strong>, you just repeat the same process.<\/p>\n\n\n\n<p>Since you already have:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2705 damon = admin<\/li>\n\n\n\n<li>\ud83d\udd12 christak = jailed upload user<\/li>\n\n\n\n<li>\ud83d\udcc2 Shared group = webgroup<\/li>\n\n\n\n<li>\ud83c\udfd7 Jail root = \/var\/www\/html<\/li>\n<\/ul>\n\n\n\n<p>Adding a new person is very simple \ud83d\udc47<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>\ud83d\ude80 Add New Upload User (Example: john)<\/strong><\/p>\n\n\n\n<p><strong>\u2705 1\ufe0f<\/strong><strong>\u20e3 Create user<\/strong><\/p>\n\n\n\n<p>sudo useradd john<\/p>\n\n\n\n<p>sudo passwd john<\/p>\n\n\n\n<p>(or skip password if using SSH key only)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>\u2705 2\ufe0f<\/strong><strong>\u20e3 Add to webgroup<\/strong><\/p>\n\n\n\n<p>sudo usermod -aG webgroup john<\/p>\n\n\n\n<p>Check:<\/p>\n\n\n\n<p>groups john<\/p>\n\n\n\n<p>Should show:<\/p>\n\n\n\n<p>john : john webgroup<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>\u2705 3\ufe0f<\/strong><strong>\u20e3 Add SSH Key (if using PKK)<\/strong><\/p>\n\n\n\n<p>sudo mkdir \/home\/john\/.ssh<\/p>\n\n\n\n<p>sudo nano \/home\/john\/.ssh\/authorized_keys<\/p>\n\n\n\n<p>Paste public key.<\/p>\n\n\n\n<p>Fix permissions:<\/p>\n\n\n\n<p>sudo chown -R john:john \/home\/john\/.ssh<\/p>\n\n\n\n<p>sudo chmod 700 
\/home\/john\/.ssh<\/p>\n\n\n\n<p>sudo chmod 600 \/home\/john\/.ssh\/authorized_keys<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>\u2705 4\ufe0f<\/strong><strong>\u20e3 SSH Jail Already Covers Him (Important)<\/strong><\/p>\n\n\n\n<p>If your sshd_config contains:<\/p>\n\n\n\n<p>Match Group webgroup<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; ChrootDirectory \/var\/www\/html<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; ForceCommand internal-sftp<\/p>\n\n\n\n<p>Then you DO NOT need to edit sshd again.<\/p>\n\n\n\n<p>Because:<\/p>\n\n\n\n<p>\ud83d\udc49 Any user in webgroup automatically gets jailed.<\/p>\n\n\n\n<p>Just restart SSH (only if you changed something):<\/p>\n\n\n\n<p>sudo systemctl restart sshd<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>\ud83c\udfaf Final Result<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><td><strong>User<\/strong><\/td><td><strong>Admin<\/strong><\/td><td><strong>Jail<\/strong><\/td><td><strong>Upload<\/strong><\/td><\/tr><\/thead><tbody><tr><td>damon<\/td><td>\u2705<\/td><td>\u274c<\/td><td>\u2705<\/td><\/tr><tr><td>christak<\/td><td>\u274c<\/td><td>\u2705<\/td><td>\u2705<\/td><\/tr><tr><td>john<\/td><td>\u274c<\/td><td>\u2705<\/td><td>\u2705<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>\ud83d\udd25 Pro Tip (Very Clean Setup)<\/strong><\/p>\n\n\n\n<p>Using:<\/p>\n\n\n\n<p>Match Group webgroup<\/p>\n\n\n\n<p>is better than:<\/p>\n\n\n\n<p>Match User christak<\/p>\n\n\n\n<p>Because now you can add unlimited upload users without touching sshd_config again.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>If you want next level security, I can also show you:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Separate folders per user inside \/uploads<\/li>\n\n\n\n<li>Read-only user option<\/li>\n\n\n\n<li>Auto-set file 
permissions for Apache<\/li>\n<\/ul>\n\n\n\n<p>Just tell me \ud83d\udc4d<\/p>\n\n\n\n<p>So can you show me step by step again from fresh with authorized_keys? I\u2019d like to start now.<\/p>\n\n\n\n<p>Yep \u2014 here is the <strong>full step-by-step from fresh<\/strong>, for <strong>CentOS Stream 10 + WinSCP SFTP + authorized_keys<\/strong>, with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>damon stays admin<\/li>\n\n\n\n<li>Upload users are jailed to \/var\/www\/html<\/li>\n\n\n\n<li>Upload allowed only in \/var\/www\/html\/uploads<\/li>\n\n\n\n<li>Key auth only (no password)<\/li>\n\n\n\n<li>No SSH shell<\/li>\n<\/ul>\n\n\n\n<p>I\u2019ll show it as copy\/paste blocks.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>0) Safety check (do this first)<\/strong><\/p>\n\n\n\n<p>Keep your current SSH session open while testing, so you don\u2019t lock yourself out.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>1) Create the upload group<\/strong><\/p>\n\n\n\n<p>sudo groupadd webgroup<\/p>\n\n\n\n<p>(if it says already exists, that\u2019s fine)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>2) Create the upload user (example: christak)<\/strong><\/p>\n\n\n\n<p>sudo useradd -m -s \/sbin\/nologin -G webgroup christak<\/p>\n\n\n\n<p>Notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>-m creates \/home\/christak<\/li>\n\n\n\n<li>-s \/sbin\/nologin prevents shell login (extra safety)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>3) Set up authorized_keys for that user<\/strong><\/p>\n\n\n\n<p><strong>3.1 Create .ssh and file<\/strong><\/p>\n\n\n\n<p>sudo mkdir -p \/home\/christak\/.ssh<\/p>\n\n\n\n<p>sudo nano \/home\/christak\/.ssh\/authorized_keys<\/p>\n\n\n\n<p>Paste <strong>ONE LINE<\/strong> public key (starts with ssh-rsa or ssh-ed25519), save and exit.<\/p>\n\n\n\n<p><strong>3.2 Fix
permissions (IMPORTANT)<\/strong><\/p>\n\n\n\n<p>sudo chown -R christak:christak \/home\/christak\/.ssh<\/p>\n\n\n\n<p>sudo chmod 700 \/home\/christak\/.ssh<\/p>\n\n\n\n<p>sudo chmod 600 \/home\/christak\/.ssh\/authorized_keys<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>4) Prepare the chroot (jail) folder structure<\/strong><\/p>\n\n\n\n<p><strong>4.1 Chroot root must be owned by root<\/strong><\/p>\n\n\n\n<p>sudo chown root:root \/var\/www\/html<\/p>\n\n\n\n<p>sudo chmod 755 \/var\/www\/html<\/p>\n\n\n\n<p><strong>4.2 Create upload folder inside jail<\/strong><\/p>\n\n\n\n<p>sudo mkdir -p \/var\/www\/html\/uploads<\/p>\n\n\n\n<p>sudo chown root:webgroup \/var\/www\/html\/uploads<\/p>\n\n\n\n<p>sudo chmod 770 \/var\/www\/html\/uploads<\/p>\n\n\n\n<p>Now upload users in webgroup can write only to \/uploads.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>5) Lock down SSH for that group (SFTP-only jail)<\/strong><\/p>\n\n\n\n<p>Edit SSH config:<\/p>\n\n\n\n<p>sudo nano \/etc\/ssh\/sshd_config<\/p>\n\n\n\n<p>Add this <strong>at the very bottom<\/strong>:<\/p>\n\n\n\n<p>Match Group webgroup<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; ChrootDirectory \/var\/www\/html<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; ForceCommand internal-sftp<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; PasswordAuthentication no<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; PubkeyAuthentication yes<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; X11Forwarding no<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; AllowTcpForwarding no<\/p>\n\n\n\n<p>If you have PasswordAuthentication yes earlier in the file, that\u2019s OK \u2014 the Match block overrides for webgroup.<\/p>\n\n\n\n<p>Restart SSH:<\/p>\n\n\n\n<p>sudo systemctl restart sshd<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>6) SELinux fix (CentOS often needs this)<\/strong><\/p>\n\n\n\n<p>Run:<\/p>\n\n\n\n<p>sudo restorecon -R \/var\/www\/html<\/p>\n\n\n\n<p>If Apache 
must write to uploads later:<\/p>\n\n\n\n<p>sudo chcon -R -t httpd_sys_rw_content_t \/var\/www\/html\/uploads<\/p>\n\n\n\n<p>(That lets the web server write into \/uploads.)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>7) Remove dangerous groups from christak (upload user should NOT be admin)<\/strong><\/p>\n\n\n\n<p>sudo gpasswd -d christak google-sudoers 2&gt;\/dev\/null<\/p>\n\n\n\n<p>sudo gpasswd -d christak wheel 2&gt;\/dev\/null<\/p>\n\n\n\n<p>sudo gpasswd -d christak docker 2&gt;\/dev\/null<\/p>\n\n\n\n<p>sudo gpasswd -d christak lxd 2&gt;\/dev\/null<\/p>\n\n\n\n<p>sudo gpasswd -d christak adm 2&gt;\/dev\/null<\/p>\n\n\n\n<p>Check final groups:<\/p>\n\n\n\n<p>groups christak<\/p>\n\n\n\n<p>You want something like:<\/p>\n\n\n\n<p>christak : christak webgroup<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>8) Test with WinSCP<\/strong><\/p>\n\n\n\n<p>WinSCP settings:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>File protocol: <strong>SFTP<\/strong><\/li>\n\n\n\n<li>Host: your server IP<\/li>\n\n\n\n<li>Port: <strong>22<\/strong><\/li>\n\n\n\n<li>User: christak<\/li>\n\n\n\n<li>Advanced \u2192 SSH \u2192 Authentication \u2192 choose your <strong>private key<\/strong> (.ppk)<\/li>\n<\/ul>\n\n\n\n<p>\u2705 After login, christak should see:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\/uploads (and upload files there)<\/li>\n<\/ul>\n\n\n\n<p>\u274c Should NOT see \/etc, \/root, \/var\/log, etc.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>9) Add a second upload user later (same steps, shorter)<\/strong><\/p>\n\n\n\n<p>For user2:<\/p>\n\n\n\n<p>sudo useradd -m -s \/sbin\/nologin -G webgroup user2<\/p>\n\n\n\n<p># add \/home\/user2\/.ssh\/authorized_keys + perms<\/p>\n\n\n\n<p>No need to change sshd_config again.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>If you paste:<\/p>\n\n\n\n<ol
class=\"wp-block-list\" type=\"1\" start=\"1\">\n<li>the last ~30 lines of your \/etc\/ssh\/sshd_config (just the Match block area), and<\/li>\n\n\n\n<li>output of ls -ld \/var\/www\/html \/var\/www\/html\/uploads<\/li>\n<\/ol>\n\n\n\n<p>I\u2019ll confirm everything is perfect before you test WinSCP.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yes \ud83d\udc4d exactly \u2014 if in the future you want to add a second upload user, you just repeat the same process. Since you already have: Adding a new person is very simple \ud83d\udc47 \ud83d\ude80 Add New Upload User (Example: &hellip; <a href=\"https:\/\/blog.iabsolute.com\/?p=688\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,10,2],"tags":[],"class_list":["post-688","post","type-post","status-publish","format-standard","hentry","category-apache","category-centos","category-my-linux"],"_links":{"self":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/688","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=688"}],"version-history":[{"count":1,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/688\/revisions"}],"predecessor-version":[{"id":689,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/688\/revisions\/689"}],"wp:attachment":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=688"}],"wp:term":[{
"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=688"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=688"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}