Configure users and groups

These examples will show how you can configure users and groups.

For a full list of keys, and more details of how to use this module, refer to the users and groups module schema.

Add default user

#cloud-config
users: [default]

Don’t create any default user

#cloud-config
users: []

Add groups to the system

The following example adds the 'admingroup' group, with members 'root' and 'sys', and the empty group cloud-users.

#cloud-config
groups:
- admingroup: [root, sys]
- cloud-users

Add users to the system

Users are added after groups. Note that most of these configuration options will not be honored if the user already exists. The following options are exceptions and can be applied to already-existing users:

  • plain_text_passwd

  • hashed_passwd

  • lock_passwd

  • sudo

  • ssh_authorized_keys

  • ssh_redirect_user

#cloud-config
users:
- default
- name: foobar
  gecos: Foo B. Bar
  primary_group: foobar
  groups: users
  selinux_user: staff_u
  expiredate: '2032-09-01'
  ssh_import_id:
    - lp:falcojr
    - gh:TheRealFalcon
  lock_passwd: false
  passwd: $6$j212wezy$7H/1LT4f9/N3wpgNunhsIqtMj62OKiS3nyNwuizouQc3u7MbYCarYeAHWYPYb2FT.lbioDm2RrkJPb9BZMN1O/
- name: barfoo
  gecos: Bar B. Foo
  sudo: ALL=(ALL) NOPASSWD:ALL
  groups: users, admin
  ssh_import_id:
    - lp:falcojr
    - gh:TheRealFalcon
  lock_passwd: true
  ssh_authorized_keys:
    - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSL7uWGj8cgWsp... csmith@fringe
- name: cloudy
  gecos: Magic Cloud App Daemon User
  inactive: '5'
  system: true
- name: fizzbuzz
  sudo: false
  shell: /bin/bash
  ssh_authorized_keys:
    - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSL7uWGj8cgWsp... csmith@fringe
- snapuser: user@example.com  # placeholder Snap Store account email
- name: nosshlogins
  ssh_redirect_user: true

Set the default shell

The default shell for newsuper is bash instead of the system default.

#cloud-config
users:
- name: newsuper
  shell: /bin/bash

Configure doas/opendoas

Here we configure doas/opendoas to permit this user to run commands as other users without being prompted for a password, but not as root.

#cloud-config
users:
- doas: [permit nopass newsuper, deny newsuper as root]
  name: newsuper

On SELinux

On a system with SELinux enabled, this example will add youruser and set the SELinux user to staff_u. When omitted on SELinux, the system will select the configured default SELinux user.

#cloud-config
users:
- default
- {name: youruser, selinux_user: staff_u}

Redirect legacy username

To redirect a legacy username to the default user for a distribution, ssh_redirect_user will accept an SSH connection and show a message telling the client to SSH as the default user. SSH clients will get the message:

#cloud-config
users:
- default
- {name: nosshlogins, ssh_redirect_user: true}

Override default user config

Override any default_user config in /etc/cloud/cloud.cfg with supplemental config options. This config will make the default user mynewdefault and change the user to not have sudo rights.

#cloud-config
ssh_import_id: [chad.smith]
user: {name: mynewdefault, sudo: null}
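Several keys shown on this page (sudo, doas, lock_passwd, passwd, plain_text_passwd) decide how much privilege an account gets and whether it accepts a password. The following is an added example, not part of cloud-init or its documentation: a review helper that flags those settings in an already-parsed users list before the user-data is deployed. The function names, the finding labels, the user "demo" and the sample values are assumptions constructed for illustration.

```python
# Added example: audit the parsed `users` list of a #cloud-config document.
# Input is plain Python data (what a YAML loader would return); no cloud-init
# code is imported. Finding labels are this example's own wording.

PASSWORD_KEYS = ("passwd", "hashed_passwd", "plain_text_passwd")

def _rules(value):
    """sudo/doas may be a string or a list; None/False mean 'no rules'."""
    if value is None or value is False:
        return []
    return value if isinstance(value, list) else [value]

def audit_users(users):
    """Return (user, finding) tuples for privilege and password risks."""
    findings = []
    for entry in users:
        if not isinstance(entry, dict) or "name" not in entry:
            continue  # 'default' or shorthand entries such as snapuser
        name = entry["name"]
        if any("NOPASSWD" in str(r) for r in _rules(entry.get("sudo"))):
            findings.append((name, "passwordless sudo"))
        for rule in _rules(entry.get("doas")):
            tokens = str(rule).split()
            if tokens[:1] == ["permit"] and "nopass" in tokens:
                findings.append((name, "passwordless doas"))
                break
        if "plain_text_passwd" in entry:
            findings.append((name, "plaintext password in user-data"))
        has_password = any(key in entry for key in PASSWORD_KEYS)
        # Only an explicit `lock_passwd: false` is treated as unlocking.
        if has_password and entry.get("lock_passwd", True) is False:
            findings.append((name, "password login enabled"))
    return findings

# Constructed sample modelled on the entries above (hash is a placeholder).
SAMPLE_USERS = [
    "default",
    {"name": "foobar", "lock_passwd": False, "passwd": "$6$CONSTRUCTED$hash"},
    {"name": "barfoo", "sudo": "ALL=(ALL) NOPASSWD:ALL", "lock_passwd": True},
    {"name": "fizzbuzz", "sudo": False, "shell": "/bin/bash"},
    {"name": "newsuper",
     "doas": ["permit nopass newsuper", "deny newsuper as root"]},
    {"name": "demo", "plain_text_passwd": "constructed", "lock_passwd": False},
]

if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_USERS):
        print(f"{user}: {finding}")
```

Each finding is a prompt for review rather than an automatic failure: a passwordless rule may be intended for an automation account, while a plaintext password in user-data is readable by anything that can fetch the instance's user-data.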