[Repost] AWS - Managing User Accounts on Your Linux Instance
Posted on 2014-12-09 13:41 by FryFish
Each Linux instance type launches with a default Linux system user account. For Amazon Linux, the user name is ec2-user. For RHEL5, the user name is either root or ec2-user. For Ubuntu, the user name is ubuntu. For Fedora, the user name is either fedora or ec2-user. For SUSE Linux, the user name is root. Otherwise, if ec2-user and root don't work, check with your AMI provider.
Note
Linux system users should not be confused with AWS Identity and Access Management (IAM) users. For more information, see IAM Users and Groups in the Using IAM guide.
Using the default user account is adequate for many applications, but you may choose to add user accounts so that individuals can have their own files and workspaces. Creating user accounts for new users is much more secure than granting multiple (possibly inexperienced) users access to the ec2-user account, since that account can cause a lot of damage to a system when used improperly.
To add a new user to the system
Effectively adding users to a Linux instance involves two basic operations: adding the user to the system, and providing that user with a way to log in remotely.
1. To add a new user to the system, use the adduser command followed by any relevant options and the name of the user you wish to create.
Important
If you are adding a user to an Ubuntu system, you should add the --disabled-password option to avoid adding a password to the account.
[ec2-user ~]$ sudo adduser newuser
This command adds the newuser account to the system (with an entry in the /etc/passwd file), creates a newuser group, and creates a home directory for the account in /home/newuser.
2. To provide remote access to this account, you must create a .ssh directory in the newuser home directory and create a file within it named "authorized_keys" that contains a public key.
a. Switch to the new account so that newly created files have the proper ownership.
[ec2-user ~]$ sudo su - newuser
[newuser ~]$
Note that the prompt now says newuser instead of ec2-user; you have switched the shell session to the new account.
b. Create a .ssh directory for the authorized_keys file.
[newuser ~]$ mkdir .ssh
c. Change the file permissions of the .ssh directory to 700 (this means only the file owner can read, write, or open the directory).
Important
This step is very important; without these exact file permissions, you will not be able to log into this account using SSH.
[newuser ~]$ chmod 700 .ssh
d. Create a file named "authorized_keys" in the .ssh directory.
[newuser ~]$ touch .ssh/authorized_keys
e. Change the file permissions of the authorized_keys file to 600 (this means only the file owner can read or write to the file).
Important
This step is very important; without these exact file permissions, you will not be able to log into this account using SSH.
[newuser ~]$ chmod 600 .ssh/authorized_keys
f. Edit the authorized_keys file with your favorite text editor and paste the public key for your key pair into the file, for example:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6Vhz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXrlsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZqaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3RbBQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLE
Note
For more information about creating a key pair or retrieving a public key from an existing key pair, see Amazon EC2 Key Pairs.
3. You should now be able to log into the newuser account on your instance via SSH using the private key that matches the public key from Step 2.f.
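The procedure above (steps 1 and 2) as a small POSIX shell script, added here as an example and not taken from the AWS guide. It assumes a Linux host with GNU coreutils (stat -c) and getent; the function names setup_ssh_login, check_ssh_login and add_ssh_user are my own. The check function reports the permission mistake the two Important notes warn about before you lock yourself out of the account.

```shell
#!/bin/sh
# Added example, not part of the AWS guide: the key-only login setup from
# step 2 as reusable functions, plus a check for the exact permissions
# the guide says SSH requires. Assumes Linux with GNU coreutils and getent.

# setup_ssh_login HOME_DIR PUBKEY: create HOME_DIR/.ssh (700) and
# HOME_DIR/.ssh/authorized_keys (600) containing PUBKEY (steps 2.b to 2.f).
setup_ssh_login() {
    home_dir="$1"
    pubkey="$2"
    # umask 077 means the directory and file are never group/world readable,
    # not even between creation and the chmod that follows.
    (umask 077 && mkdir -p "$home_dir/.ssh" \
        && printf '%s\n' "$pubkey" >> "$home_dir/.ssh/authorized_keys")
    chmod 700 "$home_dir/.ssh"
    chmod 600 "$home_dir/.ssh/authorized_keys"
}

# check_ssh_login HOME_DIR: return 0 when .ssh is 700, authorized_keys is 600
# and both belong to the owner of HOME_DIR (what sshd's StrictModes checks);
# otherwise print the first problem found and return 1.
check_ssh_login() {
    home_dir="$1"
    owner=$(stat -c '%U' "$home_dir") || return 1
    for entry in ".ssh:700" ".ssh/authorized_keys:600"; do
        path="$home_dir/${entry%%:*}"
        want="${entry##*:}"
        [ -e "$path" ] || { echo "missing: $path"; return 1; }
        mode=$(stat -c '%a' "$path")
        [ "$mode" = "$want" ] || { echo "$path is mode $mode, want $want"; return 1; }
        [ "$(stat -c '%U' "$path")" = "$owner" ] \
            || { echo "$path is not owned by $owner"; return 1; }
    done
    return 0
}

# add_ssh_user USER PUBKEY: steps 1 and 2 end to end; must run as root.
# Files are created by root here, so ownership is handed to USER afterwards
# (the guide avoids this by switching to the new account first).
add_ssh_user() {
    name="$1"
    adduser "$name"    # on Ubuntu add --disabled-password, as the guide notes
    home_dir=$(getent passwd "$name" | cut -d: -f6)
    setup_ssh_login "$home_dir" "$2"
    chown -R "$name:$name" "$home_dir/.ssh"
    check_ssh_login "$home_dir"
}
```

Source the file and run check_ssh_login /home/newuser whenever a key-based login fails unexpectedly; it names the file or directory whose mode or owner is wrong.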
To remove a user from the system
If a user account is no longer needed, you can remove that account so that it may no longer be used.
1. To delete a user account, the user's home directory, and the user's mail spool, execute the userdel -r command followed by the user name you wish to delete.
[ec2-user ~]$ sudo userdel -r olduser
Note
To keep the user's home directory and mail spool, omit the -r option.
Reposted from: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/managing-users.html