What you will achieve
Create users, assign groups, and set password policies on Debian/Ubuntu and Fedora — foundation for multi-user servers and shared project dirs.
1) Add user
sudo adduser deploy
sudo usermod -aG sudo deploy # Debian/Ubuntu
sudo usermod -aG www-data deploy
2) Groups
sudo groupadd developers
sudo usermod -aG developers deploy
id deploy
3) Password and lock
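sudo passwd deploy      # set or change the password
sudo passwd -l deploy   # lock the password; SSH key logins are not blocked by this
sudo chage -l deploy    # show the account's password ageing settings
4) Delete user (removing home is optional)
sudo deluser --remove-home olduser   # Debian/Ubuntu; omit --remove-home to keep the home directory
# Fedora: sudo userdel -r olduser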
Verify
getent passwd deploy
groups deploy
sudo -u deploy -l
5) sudo group differences
Debian/Ubuntu: sudo group. Fedora/RHEL: wheel group; if the %wheel line in /etc/sudoers is commented out, uncomment it with visudo.
6) Shared project directory
sudo mkdir /srv/project
sudo chgrp developers /srv/project
sudo chmod 2775 /srv/project
Setgid bit keeps new files group-owned by developers.
7) LDAP/SSSD (enterprise)
getent passwd ldapuser
Local useradd still applies to standalone servers; central auth uses sssd-ad or sssd-ldap.
UID collisions after restore
When restoring /etc/passwd from backup onto a fresh install, ensure the UIDs match the file ownership on the restored /home trees.
8) Passwordless SSH only
Disable password authentication after distributing keys to all admins. This complements user management, but it is an sshd configuration change, not a passwd one.
Prerequisites
root or sudo. Policy on UID ranges (system vs human users). Password complexity rules (pwquality on RHEL, pam on Debian). Home directory creation defaults understood.
/etc/login.defs
grep UID /etc/login.defs
Defines UID_MIN for regular users — avoid manual useradd UIDs colliding with future system accounts.
chage password ageing
sudo chage -M 90 -W 14 deploy
90-day max password age, warn 14 days before: compliance baseline for human accounts.
nologin for service accounts
sudo useradd -r -s /usr/sbin/nologin -d /nonexistent svcapp
Service accounts should not log in over SSH. The nologin shell prevents accidental interactive use while still permitting file ownership.
SSSD cache flush
sudo sss_cache -E
After an LDAP group membership change, the user is still denied until the cache expires. Flush the cache on critical access changes.
wheel vs sudo Debian
Debian does not enable wheel group by default in sudoers — must add explicitly unlike Fedora. Document in onboarding wiki for admins from RHEL background.
lastlog audit
lastlog
last -a | head
Identify dormant accounts for deactivation. Compliance asks who has not logged in for 90 days.
faillock for ssh not just sudo
pam_faillock in the sshd PAM stack limits brute-force attempts by locking the account after repeated failures. It is separate from the password ageing settings managed with chage.
usermod -aG not -G
-G replaces all of the user's supplementary groups. Always use -aG to append, or one typo removes the user from the sudo group.