
Multi-tenant VPS


Let’s assume we are working with a VPS with a single user account with sudo privileges. The goal is to add a new tenant with a separate account, home and ssh access.

Create a new user

First of all, we need to create a new user. The following command creates the account with a home directory (-m) and Bash as the login shell (-s):

sudo useradd -m -s /bin/bash <tenant_name>

Note

If the -s flag is not specified, the default shell will be used. To check which shells are available use cat /etc/shells. To change shell use chsh -s <shell> <tenant_name>.

Set user password

To set a password for the new user, use the following command:

sudo passwd <tenant_name>

Add user to sudoers [optional]

If you want to grant sudo privileges to the new user, you can add it to the sudo group. This lets the user run commands as the superuser, which removes the separation between tenants on a shared VPS, and should be avoided if not strictly necessary.

sudo usermod -aG sudo <tenant_name>

Change current user

To change the current user, use the following command:

su - <tenant_name>
# Make sure to be in the right home directory
cd ~

Make sure the authorized_keys file is present

The authorized_keys file stores the public keys that are allowed to log in to this account via ssh. If the file is not present, create it:

# Make sure the .ssh directory is present
mkdir -p ~/.ssh
# Make sure the authorized_keys file is present
touch ~/.ssh/authorized_keys
# Set the correct permissions for the .ssh directory: only the user can do anything
chmod 700 ~/.ssh
# Set the correct permissions for the authorized_keys file: only the user can read or write
chmod 600 ~/.ssh/authorized_keys

Create a new ssh key pair

To create a new ssh key pair, use the following command and follow the step-by-step instructions:

ssh-keygen -t rsa -b 4096 -C "<tenant_name>"

Two files will be created: the private key (~/.ssh/id_rsa) and the public key (~/.ssh/id_rsa.pub).

Make sure the permissions for the private key are correct:

chmod 600 ~/.ssh/id_rsa

Warning

By default, the key will be saved as ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. If you want to save it in a different location, use the -f flag or specify the full path when running the command.

During the creation of the key pair, you will be asked to specify a passphrase as an extra layer of security.
If you want to avoid typing the passphrase every time you use the key, you can leave it empty, but the private key is then stored unencrypted and anyone who obtains the file can use it. Otherwise, anyone who may want to use the key will have to type the passphrase each time it is used.

Warning

The private key must be kept secret. If it is compromised, the attacker will be able to access the server.

Add the public key to the authorized_keys file

If you are already on the same VPS you intend to log into, add the public key to the authorized_keys file with the following command:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Otherwise, copy the content of the public key file and append it to the authorized_keys file on the server.

Test the ssh connection

To test the ssh connection, use the following command:

ssh <tenant_name>@<server_ip> -i ~/.ssh/id_rsa

To avoid typing the private key path every time, you can add it to the ssh config file:

# Make sure the .ssh directory is present
mkdir -p ~/.ssh
# Make sure the config file is present
touch ~/.ssh/config
# Set the correct permissions for the .ssh directory: only the user can do anything
chmod 700 ~/.ssh
# Set the correct permissions for the config file: only the user can read or write
chmod 600 ~/.ssh/config

Then, add the following lines to the config file:

# ~/.ssh/config
Host <server_name>
    User <tenant_name>
    HostName <server_ip>
    IdentityFile ~/.ssh/id_rsa

Note

The <server_name> can be anything. It is used to identify the server in the config file and to connect to it.

Now you can use the following command to test the ssh connection:

ssh <server_name>
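
An added example, not from the original post: a POSIX shell check that a home directory has the modes this guide sets (700 on ~/.ssh, 600 on authorized_keys, config and any private key), which is worth running when key login is refused or before handing the account to a tenant. The function names are hypothetical, and GNU `stat -c` (Linux) is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit SSH file modes.
# Assumes GNU coreutils `stat -c` as found on Linux; function names are hypothetical.

# expect_mode PATH EXPECTED: print a finding and return 1 if PATH is
# missing or its octal permission bits differ from EXPECTED.
expect_mode() {
    if [ ! -e "$1" ]; then
        echo "MISSING $1"
        return 1
    fi
    actual=$(stat -c '%a' "$1")
    if [ "$actual" != "$2" ]; then
        echo "BAD_MODE $1 is $actual, expected $2"
        return 1
    fi
    return 0
}

# audit_ssh_dir HOME_DIR: check HOME_DIR/.ssh against the modes used in
# this guide. Prints one line per finding; returns the number of findings.
audit_ssh_dir() {
    dir=$1/.ssh
    findings=0
    expect_mode "$dir" 700 || findings=$((findings + 1))
    expect_mode "$dir/authorized_keys" 600 || findings=$((findings + 1))
    # Any file starting with a PEM/OpenSSH private key header must be 600,
    # whatever its name (keys saved with -f are covered too).
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" | grep -q 'PRIVATE KEY-----'; then
            expect_mode "$f" 600 || findings=$((findings + 1))
        fi
    done
    # The client config is optional; check it only when it exists.
    if [ -e "$dir/config" ]; then
        expect_mode "$dir/config" 600 || findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage (as root, or as the tenant for their own home):
#   audit_ssh_dir /home/<tenant_name>
```
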

Delete user

To delete a user together with its home directory (-r), use the following command:

sudo userdel -r <tenant_name>
