Linux Tutorial
This tutorial is intended as a basic introduction to Linux for users of CAC's Linux resources, especially those who are managing Red Cloud services and are creating or using a Linux Instance. There are two Linux distributions (AKA distros) available for Images on Red Cloud: Ubuntu, Rocky, and CentOS. In this tutorial, you will learn how to add a user, install software using the distribution's package manager, and enable remote password logins, along with a number of related tips. The tutorial begins with common commands between both distributions, followed by sections for the specific commands you are likely to need on Ubuntu and Rocky/CentOS. While many commands are identical across Linux systems, there are some areas that will differ from distribution to distribution, such as package management, service control, and (to a lesser extent) user management.
If you want more help with Linux, you may find the Introduction to Linux topic on the Cornell Virtual Workshop useful. For a really thorough treatment, including guidance on how to write scripts in bash, you can check out "Learning the Bash Shell" from the Cornell Library (available as an e-book).
Definitions
This section contains some basic working definitions to help you through this tutorial if you have never used Linux before. This list and the definitions in it should not be considered authoritative.
directory - folder
path - the sequence of directories leading to a particular subdirectory or file
shell (A.K.A. console or terminal) - a text-only user interface for interacting with an operating system's programs and services. This is where commands are entered.
command - a task for the computer to execute that is entered via the shell
environment - the set of all variables defined in the current shell. The special environment variable PATH shows the sequence of paths that will be searched to find the commands that you enter.
package - an archive of software and metadata that can be downloaded, installed, and removed via a package manager
root - the system administrative account with the highest privileges, also known as the superuser. By default, most Linux distros have a single root account when installed, and no user accounts.
sudo - a program that allows a user to run commands with the privileges of another user, most often the root or superuser account. This is typically used by typing sudo before a command.
root directory - the top-level directory of the system, denoted / (forward slash). It is the start of most paths. This is not the same as the root user.
home directory - the top-level directory of the user, denoted ~ (tilde). It is the start of most paths where the user will store work.
Basic Useful Commands
This list is not comprehensive, but rather a starting point.
pwd
print working directory - specifically, print the full path to the current working directory
ls
list directory contents
cd
change directory
Example: cd ~ will take you to your home directory
mkdir <name>
make a directory with the specified name
man <command>
display a manual page for the specified command
which <command>
show the full path to the given command, as found from the paths in the PATH environment variable
history
display a list of commands that have been executed via the terminal
cp
copy item(s)
Example: cp file1 d1 will copy file1 to a file named d1 (possibly overwriting d1); or if d1 is a directory, file1 will be copied into d1.
mv
rename item, or move item(s) into a directory
Example: mv file1 d1 will rename file1 to d1 (possibly overwriting d1); or if d1 is a directory, file1 will be moved into d1.
rm
remove, or delete, file(s)
rmdir
remove one or more empty directories
cat <file>
output (concatenate) the contents of a file to the terminal, with many other options available (check out man cat for more info)
less <file>
output the contents of a file one screenful at a time, with page-advance (spacebar) and search (/) functions. The more command works similarly but without the search function (less is more commonly used).
grep <pattern> <file>
print lines from the file that match the specified pattern. To search multiple files, use the * wildcard. To search a directory tree, use the -r option. The -v option prints lines that DON'T match the pattern.
Example: grep Apple *.txt will print all lines containing the word 'Apple' in files that end with '.txt' in the current working directory.
<command> | less
<command> | grep <pattern>
join commands with a | in order to "pipe" the output from the first command into the second, e.g., into less to paginate it, or into grep to search it.
Example: history | grep mkdir would search the history output for each time the mkdir command was executed, thus determining all the directories you had created.
<command> > <file>
redirect output to a file. Use >> to append output to a file, and 2> to redirect error messages.
export VAR=value
set an environment variable (VAR in this example) to have a certain value
ssh
Secure Shell (ssh) is great for getting a quick command-line interface where you can enter bash shell commands. It also allows you to do X11 forwarding, which enables you to interact graphically with your instance using X Windows. If you have not already, it would also be good to familiarize yourself with how to connect to Linux machines remotely.
Text Editors
Since the default interaction with a Linux Instance is through a terminal, it may be useful to familiarize yourself with at least one text editor that can be used in the terminal. Here are a few, with links to get more information about them, but there are more.
vim
Vim is often already installed with many Linux distros, and is therefore useful to learn. There are many online tutorials, but you can also simply type vimtutor in the terminal to learn how to use vim.
emacs
Emacs is a family of text editors including the very popular GNU Emacs. If you want to use it, it may be helpful to take a guided tour or to consult the manual.
nano
GNU nano is a simpler text editor than something like vim because it doesn't have modes; you simply type when it opens. If you'd like more information, consult the documentation.
Ubuntu
This section has specific instructions for Ubuntu images on how to create your first user with sudo privileges, create additional users, and install software. If you are the sole user of your instance, you only need to follow the Initial User Setup steps. If you do want to create Additional Users, be sure to consider what privilege level you would prefer your users to have, and whether you wish to require a key pair for authentication (should be unique per user). If you have not used Ubuntu before, please read this whole section.
The "ubuntu" User
Since the Ubuntu distribution of Linux locks the root account by default, you cannot use that account to ssh when you first set up a new image. Instead, there is a default account with the username ubuntu, with a blank password, that has sudo privileges. Unless you are the sole user of your machine, it is still recommended that you create a new user account, for which the steps are detailed below.
Initial User Setup (Ubuntu)
These steps create a new sudo user, and must all be completed in order:
ssh -i <key> ubuntu@<ip of instance>
- Connects to the instance via ssh as the ubuntu account.
sudo adduser <username>
- You will be prompted to enter & verify a password for the user. You should review the Rules for Creating Passwords before setting one. You will also be prompted for some information (i.e. name, phone number, etc.) which is optional. If you do not wish to add this information, simply hit "enter".
- Note that <username> could be e.g. ‘bob’, it doesn’t need to be (and really should not be) a Cornell netid, since you can optionally configure your instances to allow use of netid and netid passwords for project members.
- This adds a new user with the name <username>.
sudo adduser <username> sudo
- This will add <username> to the sudo group, which will enable <username> to easily install software and perform other administrative tasks without needing a root (or the ubuntu) login. This has the advantage of making it more difficult to accidentally do something unfortunate to the system.
sudo mkdir ~<username>/.ssh
- Creates a directory for the user to hold the public encryption key used in ssh.
- Note: The .ssh folder is hidden to the ls command by default because of the "." at the beginning. You can see all folders by sending the ls -a command.
sudo cp ~/.ssh/authorized_keys ~<username>/.ssh
- This copies the public key to the correct place for the user to be able to ssh.
- Only do this if you intend to ssh from the same computer with the private key every time you access the instance. This is recommended, since it is more secure.
sudo chown -hR <username>:<username> /home/<username>
- Changes the ownership of the user's home directory and subdirectories (including .ssh) to the user.
sudo chmod 700 -R ~<username>/.ssh/
- Changes the access permissions on the folder and all files contained within.
vim /etc/ssh/sshd_config
- Verify the line that says PasswordAuthentication has a no next to it (this should be the default).
- Change this to yes only if you intend to have multiple users and wish to allow them to connect via ssh with a password, without requiring a key pair. You may need to include sudo in front of the command.
- You could also use your preferred text editor.
sudo systemctl restart sshd
exit
ssh -i <key> <username>@<ip>
- At this point your user should be set up to connect via ssh.
sudo apt update and sudo apt upgrade
- The first command, sudo apt update, is what updates the package manager's list of available packages, upgrades, etc.
- The second command, sudo apt upgrade, is what actually performs the upgrades to packages that have updates.
- You may be asked to reboot, which can be done with the sudo reboot command.
- You can now begin Installing Software.
Additional Users (Ubuntu)
A normal user account on an Ubuntu system does not have sudo privileges, so it cannot install software or perform administrative tasks. These steps create a new user without sudo privileges:
sudo adduser <username>
Note: you will be prompted to create a password. See the Passwords section for recommendations.
sudo chown -hR <username> /home/<username>
It is also possible to create new user accounts with sudo privileges, which enables them to easily install software and perform other administrative tasks without needing a root (or the ubuntu) login. These steps create a new user with sudo privileges:
sudo adduser <username>
Note: you will be prompted to create a password. See the Passwords section for recommendations.
sudo adduser <username> sudo
sudo chown -hR <username> /home/<username>
It is recommended, for security purposes, to require all users to authenticate with a unique SSH key pair when connecting to Red Cloud instances. However, it can be simpler to allow users to authenticate with a password, particularly for users who are inexperienced with SSH. Below we describe how to set up both types of authentication. Choose what's right for you and your users.
Additionally, it is recommended to securely share secrets like private keys using LastPass. For more information, go to this page: LastPass.
Passwords (Ubuntu)
It's best to assign a different temporary password to each user. When notifying users of their new passwords, remember to ask them to log in and change their passwords right away with passwd (just the plain command, with no arguments).
sudo passwd <username>
Or you will be prompted for a password when you initially create the user with
sudo adduser <username>
- Assign a temporary password like ch@ngeM3!
- Retype the temporary password when prompted
Be sure to notify your users of the Rules for Creating Passwords before they set one.
SSH Key Pairs (Ubuntu)
Do the following steps to create an SSH key pair for each user. If you have set up passwords and logins with passwords are enabled, then users can also perform these steps themselves.
sudo su <username>
Omit this step if you are already logged in as the user
mkdir ~/.ssh
ssh-keygen -t rsa
Respond to all prompts by hitting enter
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 700 -R ~/.ssh
exit
Omit this step if you are already logged in as the user
The resulting keys can be used to log in to the instance without a password. This private key should be stored where it can be found by the user's local SSH client. If logins with passwords are enabled, each user can retrieve the file ~/.ssh/id_rsa using scp or sftp. Otherwise, the trick will be to distribute the private keys to each user in some other secure manner. They should not just be attached to emails!
Enabling SSH Logins With Passwords (Ubuntu)
If you are intending to allow users to connect to the instance with only a password, then you will have to edit the /etc/ssh/sshd_config file with sudo and your preferred text editor, and change the line that says PasswordAuthentication no to yes. You may need to restart the sshd service with sudo systemctl restart sshd.service to see the change take effect. If this is set to no, attempting to access the instance without a private key will show Permission denied (publickey).
Note: It is a good idea to check that you can connect to the new user's account via ssh, even if the account is not for you, to ensure it was set up correctly.
Installing Software (Ubuntu)
The package manager for Ubuntu is called apt (also see the Ubuntu docs on apt and aptitude). Here are some basic commands worth making sure you understand (again, man apt will help here):
sudo apt update
sudo apt upgrade
apt search <package>
sudo apt install <package>
It is recommended that you:
- Ensure your system is up-to-date after beginning an instance.
- Check for and install updates monthly.
- Install a screen-saving program like tmux or screen (comparison), which is often useful in case your connection is dropped (either intentionally or unintentionally) or if you want to have multiple terminals available without needing to login each time. Either one has advantages over trying to manipulate processes that are running in the background - though this too is good to understand and know how to do!
To find available packages (from currently installed repositories), the following command may be used: apt search <package>. For instance, here are the first 6 results for apt search python (as of May 2024):
2to3/jammy-updates,jammy-security 3.10.6-1~22.04 all
2to3 binary using python3
accerciser/jammy 3.38.0-1 all
interactive Python accessibility explorer for the GNOME desktop
acme-tiny/jammy 1:5.0.1-1 all
letsencrypt tiny Python client
acr/jammy 1.9.4-1 all
autoconf like tool
adequate/jammy 0.15.6 all
Debian package quality testing tool
aiohttp-wsgi-serve/jammy 0.8.2-3 all
run a WSGI application
Rocky/CentOS
This section has specific instructions for Rocky or CentOS images on how to create your first user with sudo privileges, create additional users, and install software. If you are the sole user of your instance, you only need to follow the Initial User Setup steps. If you do want to create Additional Users, be sure to consider what privilege level you would prefer your users to have, and whether you wish to require a key pair for authentication (should be unique per user). If you have not used Rocky or CentOS before, please read this whole section.
Initial User Setup (Rocky/CentOS)
Once you have started a Linux Instance, you will want to connect as the root user and set up a new user account that you can use for your day-to-day work. The way to do this depends on the Rocky or CentOS base image: on some you can log in directly as ‘root’, but on others you first have to log in as user 'rocky' (Rocky), ‘centos’ (CentOS 7), or 'cloud-user' (CentOS 8), then switch to ‘root’ as shown below. In the latter case you could choose to make 'rocky'/‘centos'/'cloud-user' the account you use each time you want to connect, but it is recommended that you follow the steps below so you can pick a separate username of your own choosing.
ssh -i <key> rocky@<ip of instance>, ssh -i <key> centos@<ip of instance>, or ssh -i <key> cloud-user@<ip of instance>
- Connects to the instance via ssh as the 'rocky', ‘centos’, or 'cloud-user' account (note, by default in Red Cloud, direct login by root is disabled).
sudo su -
- Subsequent steps are easier if you become root, so you don't have to type sudo ahead of each command.
adduser <username>
- Adds a new user with the name <username>.
- Note that <username> could be e.g. ‘bob’, it doesn’t need to be (and really should not be) a Cornell netid, since you can optionally configure your instances to allow use of netid and netid passwords for project members.
- Multiple users may be added at the instance owner’s discretion (see below).
passwd <username>
- This will prompt you to set and verify a password for the user. You should review the Rules for Creating Passwords before setting one.
- Note: if you do not run this command, a password will not be set for the user!
usermod -aG wheel <username>
- This will add <username> to the wheel group (the sudo group on Rocky/CentOS), which will enable <username> to easily install software and perform other administrative tasks. This has the advantage of making it more difficult to accidentally do something unfortunate to the system.
mkdir ~<username>/.ssh
- Creates a directory for the user to hold the public encryption key used in ssh.
- Note: The .ssh folder is hidden to the ls command by default because of the "." at the beginning. You can see all folders by sending the ls -a command.
cp ~rocky/.ssh/authorized_keys ~<username>/.ssh, cp ~centos/.ssh/authorized_keys ~<username>/.ssh, or cp ~cloud-user/.ssh/authorized_keys ~<username>/.ssh
- This copies the public key to the correct place for the user to be able to ssh.
- Only do this if you intend to ssh from the same computer with the private key every time you access the instance. This is recommended, since it is more secure.
chown -hR <username>:<username> /home/<username>/.ssh
- Changes the ownership of the user's .ssh directory and all the files and subdirectories in it to the user.
chmod 700 ~<username>/.ssh/
- Changes the access permissions on the .ssh folder to the recommended level.
vim /etc/ssh/sshd_config
- Skip this step if you never intend for users to connect via ssh with a password and instead want them to use a key pair.
- Uncomment the line that says PasswordAuthentication yes.
- Comment out the line that says PasswordAuthentication no.
- If there are no comments like described above, change the 'yes' to 'no' or vice versa.
- Note: you may need to install vim first by running yum install vim. See Installing Software for more information.
- You could also use your preferred text editor.
systemctl restart sshd
exit
- This step exits out of root.
exit
- This step disconnects from the instance.
ssh -i <key> <username>@<ip>
- At this point, your user should be set up to ssh.
sudo yum update
- This makes sure the system is up-to-date.
- You may notice that certain packages do not get updated; don't be alarmed, as this is expected.
- It's a good idea to restart the instance after the update completes with sudo reboot.
- You can now begin Installing Software.
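Key logins are refused when the chown and chmod steps of the Initial User Setup procedures (Ubuntu and Rocky/CentOS) are skipped or mistyped, because sshd's StrictModes check (on by default) rejects an authorized_keys file whose path is writable by other users or owned by the wrong account. The script below is an added example, not part of the original tutorial; the function names perm_findings, ssh_dir_findings and audit_ssh_dir are hypothetical, and the demo directory is constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Checks the ownership and
# permission conditions sshd's StrictModes applies to a user's home, .ssh
# directory and authorized_keys, plus the mode of any private key kept there.

# perm_findings PATH UID CHARS
# Prints a finding if PATH is owned by neither UID nor root (uid 0), or if any
# mode-string position listed in CHARS (cut -c syntax) is set, i.e. not "-".
perm_findings() {
    line=$(ls -ldn "$1" 2>/dev/null) || { echo "missing: $1"; return; }
    mode=$(printf '%s\n' "$line" | awk '{ print substr($1, 1, 10) }')
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    if [ "$owner" != "$2" ] && [ "$owner" != 0 ]; then
        echo "owned by uid $owner, expected $2 or 0: $1"
    fi
    bits=$(printf '%s' "$mode" | cut -c"$3")
    case "$bits" in
        *[!-]*) echo "mode $mode too permissive: $1" ;;
    esac
}

# ssh_dir_findings HOME UID
# In a mode string such as drwxrwxr-x, position 6 is group-write and
# position 9 is other-write; positions 5-10 are all group/other bits.
ssh_dir_findings() {
    perm_findings "$1" "$2" 6,9
    perm_findings "$1/.ssh" "$2" 6,9
    perm_findings "$1/.ssh/authorized_keys" "$2" 6,9
    # Private keys stored on the instance must not be accessible to others.
    for key in "$1"/.ssh/id_*; do
        case "$key" in *.pub) continue ;; esac
        if [ -e "$key" ]; then perm_findings "$key" "$2" 5-10; fi
    done
}

# audit_ssh_dir HOME UID
# Prints one finding per line; exit status 0 means nothing to fix.
audit_ssh_dir() {
    findings=$(ssh_dir_findings "$1" "$2")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed demo: a throwaway "home" where .ssh was left group-writable,
# which makes sshd ignore authorized_keys.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
chmod 700 "$demo_home"
chmod 770 "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
audit_ssh_dir "$demo_home" "$(id -u)" || true
rm -rf "$demo_home"
```

On an instance, run it as root against the new account, for example audit_ssh_dir /home/<username> "$(id -u <username>)".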
Additional Users (Rocky/CentOS)
A normal user account on a Rocky or CentOS system does not have sudo privileges, so it cannot install software or perform administrative tasks. These steps create a new user without sudo privileges:
1. sudo adduser <username>
1. sudo passwd <username>
* This is optional - See the Passwords section below for more information.
It is also possible to create new user accounts with sudo privileges, which enables them to easily install software and perform other administrative tasks without needing a root (or the rocky/centos/cloud-user) login. These steps create a new user with sudo privileges:
1. sudo adduser <username>
1. sudo passwd <username>
* This is optional - See the Passwords section below for more information.
1. sudo usermod -aG wheel <username>
It is recommended, for security purposes, to require all users to authenticate with a unique SSH key pair when connecting to Red Cloud instances. However, it can be simpler to allow users to authenticate with a password, particularly for users who are inexperienced with SSH. Below we describe how to set up both types of authentication. Choose what's right for you and your users.
Additionally, it is recommended to securely share secrets like private keys using LastPass. For more information, go to LastPass.
Passwords (Rocky/CentOS)
It's best to assign a different temporary password to each user. When notifying users of their new passwords, remember to ask them to log in and change their passwords right away with passwd (just the plain command, with no arguments).
sudo passwd <username>
- Assign a temporary password like ch@ngeM3!
- Retype the temporary password when prompted
Be sure to notify your users of the Rules for Creating Passwords before they set one.
SSH Key Pairs (Rocky/CentOS)
Do the following steps to create an SSH key pair for each user. If you have set up passwords and logins with passwords are enabled, then users can also perform these steps themselves.
sudo su <username>
Omit this step if you are already logged in as the user
mkdir ~/.ssh
ssh-keygen -t rsa
Respond to all prompts by hitting enter
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 700 -R ~/.ssh
exit
Omit this step if you are already logged in as the user
The resulting keys can be used to log in to the instance without a password. This private key should be stored where it can be found by the user's local SSH client. If logins with passwords are enabled, each user can retrieve the file ~/.ssh/id_rsa using scp or sftp. Otherwise, the trick will be to distribute the private keys to each user in some other secure manner. They should not just be attached to emails!
Enabling SSH Logins With Passwords (Rocky/CentOS)
If you are intending to allow users to connect to the instance with only a password, then you will have to check the /etc/ssh/sshd_config file with sudo and your preferred text editor, and ensure the line that says PasswordAuthentication says yes. If changed, you may need to restart the sshd service with sudo systemctl restart sshd.service to see the change take effect. If this is set to no, attempting to access the instance without a private key will show Permission denied (publickey, ...).
Note: It is a good idea to check that you can connect to the new user's account via ssh, even if the account is not for you, to ensure it was set up correctly.
Installing Software (Rocky/CentOS)
The package manager for Rocky or CentOS is called yum. Here are some basic commands worth making sure you understand (again, man yum will help here):
yum check-update
sudo yum update
yum search <package>
sudo yum install <package>
You may notice that certain packages do not get updated with sudo yum update; don't be alarmed, as this is expected. It's a good idea to restart the instance after the update completes with sudo reboot.
It is recommended that you:
- Ensure your system is up-to-date after beginning an instance.
- Check for and install updates monthly.
- Install a screen-saving program like tmux or screen (comparison), which is often useful in case your connection is dropped (either intentionally or unintentionally) or if you want to have multiple terminals available without needing to login each time. Either one has advantages over trying to manipulate processes that are running in the background - though this too is good to understand and know how to do!
SSH Security
Once you have set up a user with sudo privileges and ensured that you can indeed login and perform sudo commands successfully (it would be good to test this to be sure), you may want to secure the root login by disabling it.
Disable root login: This must be done while logged in either as root or your user with sudo privileges.
vim /etc/ssh/sshd_config
- Change the line PermitRootLogin yes to PermitRootLogin no
- Note: if this line is commented out (with a # character in the front), you will need to uncomment it.
systemctl restart sshd
When you exit, you should verify that you cannot login as root, but that you can still login as your user.
For more information on SSH Security, see the CentOS guide on Securing OpenSSH.
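The PasswordAuthentication and PermitRootLogin edits described in the sections above only take effect if the uncommented line is the first one sshd reads for that keyword, since sshd uses the first value it obtains and ignores commented lines. This added example (not part of the original tutorial; the function names and the sample file are constructed for illustration) reports the value that applies in the global section of a config file.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.

# effective_sshd_option FILE KEYWORD
# Prints the first uncommented value of KEYWORD found before any "Match"
# block (keywords are case-insensitive), or "unset" if there is none, in
# which case sshd falls back to its built-in default.
# Include directives are not followed.
effective_sshd_option() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); found = 0 }
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        {
            key = tolower($1)
            if (key == "match") exit        # conditional section starts here
            if (key == want) {
                $1 = ""
                sub(/^[ \t]+/, "")
                print
                found = 1
                exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_ssh_login_policy FILE
# Prints a line for each of the two settings this tutorial edits when the
# effective value is anything other than "no"; returns 1 if it printed any.
audit_ssh_login_policy() {
    rc=0
    pw=$(effective_sshd_option "$1" PasswordAuthentication)
    root=$(effective_sshd_option "$1" PermitRootLogin)
    case "$pw" in
        no) ;;
        unset) echo "PasswordAuthentication unset: built-in default is yes"; rc=1 ;;
        *) echo "PasswordAuthentication $pw: password logins are accepted"; rc=1 ;;
    esac
    case "$root" in
        no) ;;
        unset) echo "PermitRootLogin unset: root login is not disabled"; rc=1 ;;
        *) echo "PermitRootLogin $root: root login is not disabled"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample with two easy mistakes: PermitRootLogin is still
# commented out, and a second PasswordAuthentication line that sshd never
# uses because the first one already set the value.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
EOF
audit_ssh_login_policy "$sample" || true
rm -f "$sample"
```

On a live instance, sudo sshd -T prints the full effective configuration, including settings from files pulled in by Include directives, which this script does not follow.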