Users + groups cheatsheet.
User management
useradd -m -s /bin/bash alice
useradd -m -s /bin/bash -G sudo,docker alice
userdel alice
userdel -r alice # also home
usermod -aG docker alice # add to group (CAREFUL: -a is critical!)
usermod -s /bin/zsh alice
usermod -L alice # lock
usermod -U alice # unlock
Passwords
passwd alice # interactive
passwd -d alice # delete password (account becomes passwordless; this is not a lock)
passwd -l alice # lock
chpasswd << 'EOF' # quoted delimiter: the shell does not expand $ in the password
alice:newpassword
EOF
Groups
groupadd devs
groupdel devs
gpasswd -a alice devs # add user
gpasswd -d alice devs # remove
groups alice
id alice
getent group devs
/etc/passwd
alice:x:1000:1000:Alice:/home/alice:/bin/bash
User : x (shadow) : UID : GID : info : home : shell.
/etc/shadow
alice:$y$j9T...:19000:0:99999:7:::
User : hash : last-change : min : max : warn : inactive : expire.
/etc/group
devs:x:1001:alice,bob
sudo
sudo cmd
sudo -i # root shell
sudo -u alice cmd
sudo -E cmd # preserve env
sudo !! # run last with sudo
/etc/sudoers
# Use visudo to edit safely
alice ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL # group sudo
alice ALL=(ALL) NOPASSWD: ALL # no password
deploy ALL=(www-data) NOPASSWD: /opt/deploy.sh
Best: drop file in /etc/sudoers.d/:
visudo -f /etc/sudoers.d/deploy
SSH keys
# Generate
ssh-keygen -t ed25519 -C "alice@example.com"
# Files: ~/.ssh/id_ed25519 (private), .pub (public)
# Copy to server
ssh-copy-id alice@host
# Or manually:
cat ~/.ssh/id_ed25519.pub | ssh alice@host "mkdir -p .ssh && cat >> .ssh/authorized_keys"
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
ssh config
# ~/.ssh/config
Host server1
HostName server1.example.com
User alice
Port 2222
IdentityFile ~/.ssh/id_ed25519
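# Agent forwarding: enable only for hosts you trust (root there can use your agent while you are connected)
ForwardAgent yes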
Host *
ServerAliveInterval 60
ServerAliveCountMax 3
ssh agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
ssh-add -l # list loaded keys
ssh-add -D # forget all
sshd hardening
# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
AllowUsers alice bob
MaxAuthTries 3
LoginGraceTime 30
sshd -t # test config
systemctl restart sshd
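An added example (not part of the original cheatsheet): a small audit of the global section of an sshd_config against some of the values above. sshd uses the first value it reads for each keyword, so a hardened line appended at the end of the file can be silently ignored. The function names and the sample config are constructed for illustration; `Include` files and the `Keyword=value` form are not handled.

```shell
#!/bin/sh
# Constructed sample config (not from a real host).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# keywords are case-insensitive
permitrootlogin no
# left over from the distro default
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 3
# appended later: ignored, because the first value wins
PasswordAuthentication no
Match User backup
    X11Forwarding no
EOF

# Print the effective global value of KEYWORD in FILE (empty if unset).
sshd_effective() {  # usage: sshd_effective FILE KEYWORD
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        { key = tolower($1) }
        key == "match" { exit }                      # global section ends here
        key == tolower(want) { print $2; exit }      # first value wins
    ' "$1"
}

# Print one FAIL line per deviation; return non-zero if any was found.
audit_sshd() {  # usage: audit_sshd FILE
    bad=0
    while read -r key expected; do
        actual=$(sshd_effective "$1" "$key")
        [ "$actual" = "$expected" ] && continue
        echo "FAIL $key: want '$expected', effective '${actual:-unset}'"
        bad=1
    done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
EOF
    return $bad
}

audit_sshd "$SAMPLE" || echo "sshd_config needs attention"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check.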
Switch user
su alice # switch user but keep the current environment (not a login shell)
su - alice # full login
sudo -u alice -i # better
who / w / last
who # logged-in users
w # what they're doing
last # login history
lastb # bad attempts
chage (password aging)
chage -l alice
chage -E 2026-06-01 alice # expire account
chage -M 90 alice # max 90 days between changes
Login restrictions
/etc/security/limits.conf:
alice hard nproc 100
alice soft nofile 4096
@devs hard cpu 60
PAM
/etc/pam.d/ — auth modules. Typically configured by tools (fail2ban, sssd).
Default shell
chsh -s /bin/zsh alice
Home dir templates
/etc/skel/ # copied to new user's home
Force password change
chage -d 0 alice
User must change at next login.
Lock vs disable
- usermod -L: prevents password login (PAM may still allow keys).
- chage -E 0: disables account fully.
- usermod -s /sbin/nologin: no shell.
ACL (named user permissions on file)
setfacl -m u:alice:rwx file
See files cheatsheet.
Common mistakes
- usermod -G without -a → replaces groups.
- Editing /etc/sudoers directly → syntax error locks out sudo. Use visudo.
- Allowing root login over SSH.
- Password-only auth.
- Sharing SSH keys among multiple users.
Read this next
If you want my user provisioning + SSH hardening playbook, it’s at rajpoot.dev .