Managing Linux users from the command line is one of those things you'll do constantly. Here's the full reference — creating users, setting passwords, managing groups, granting sudo, setting up SSH keys, and cleaning up when someone leaves.
adduser vs useradd
Two commands, different behaviour. adduser is the friendly interactive wrapper — it creates the home directory, copies skeleton files, prompts for a password, asks for the full name. useradd is the lower-level tool that does exactly what you tell it and nothing else.
For interactive use on Debian/Ubuntu: adduser. For scripts: useradd with explicit flags.
Create a user
# Interactive — prompts for password and details
adduser john
# Non-interactive (good for scripts)
useradd -m -s /bin/bash -c "John Doe" john
passwd john
The -m flag creates the home directory. The -s sets the login shell. Without -m, the user exists but has no home directory — which breaks a lot of things.
Grant sudo access
usermod -aG sudo john
The -a flag appends — without it, usermod -G replaces all group memberships. Forgetting -a is a classic way to accidentally remove someone from a group they needed.
Verify:
groups john
# john : john sudo
Test it:
su - john
sudo whoami
# → root
Set up SSH key authentication for the user
mkdir -p /home/john/.ssh
chmod 700 /home/john/.ssh
nano /home/john/.ssh/authorized_keys
# paste the public key here
chmod 600 /home/john/.ssh/authorized_keys
chown -R john:john /home/john/.ssh
The permissions matter. SSH will silently refuse to use keys if .ssh is 755 or authorized_keys is 644. If key auth isn't working, check permissions first.
Or copy a key from a machine that already has it:
ssh-copy-id john@server-ip
Manage groups
# Create a group
groupadd devops
# Add user to group
usermod -aG devops john
# Remove user from a specific group
gpasswd -d john devops
# List all groups a user belongs to
groups john
# List all members of a group
getent group sudo
Change or reset a password
# Set password interactively
passwd john
# Force user to change password at next login
passwd -e john
# Lock an account (disables password auth, SSH keys still work)
passwd -l john
# Unlock
passwd -u john
User info and last login
# Full account details
getent passwd john
# Last login time
lastlog -u john
# Recent login history
last john | head -10
# Who's logged in right now
who
w
Disable a user without deleting them
# Lock the account
usermod -L john
# Also expire it so SSH key auth fails too
usermod -L -e 1 john
# Check status
passwd -S john
Use this when someone leaves and you need to act fast but want to keep the account for audit purposes.
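To check which of the two states above an account is actually in (password locked only, or locked and expired), this added example parses shadow(5)-format lines. It is not code from the original page; the function names account_state and fully_disabled and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify one shadow(5) line: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# $1 = shadow line, $2 = today in days since 1970-01-01 (defaults to now)
account_state() (
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    IFS=: read -r name hash lastchg min max warn inactive expire rest <<EOF
$line
EOF
    pw=usable
    acct=active
    case $hash in
        '!'*|'*'*) pw=locked ;;   # passwd -l / usermod -L prepend '!' to the hash
        '')        pw=empty ;;    # no password set at all
    esac
    # usermod -e 1 stores 1 here (1970-01-02); empty or 0 means no expiry date
    if [ -n "$expire" ] && [ "$expire" -gt 0 ] && [ "$expire" -le "$today" ]; then
        acct=expired
    fi
    printf '%s password=%s account=%s\n' "$name" "$pw" "$acct"
)

# Succeeds only when the password is locked AND the account is expired,
# which is the state "usermod -L -e 1" is meant to leave behind.
fully_disabled() {
    [ "$(account_state "$1" "$2")" = "${1%%:*} password=locked account=expired" ]
}

# Constructed sample lines (placeholder hashes, not real accounts)
locked_only='john:!$6$CONSTRUCTED:19800:0:99999:7:::'
locked_expired='jane:!$6$CONSTRUCTED:19800:0:99999:7::1:'
account_state "$locked_only"      # locked password, account still active
account_state "$locked_expired"   # locked password, account expired
# Live use, as root: account_state "$(getent shadow john)"
```

An account that reports password=locked account=active is in the passwd -l state described earlier, where SSH keys still work.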
Delete a user
# Delete user, keep home directory
userdel john
# Delete user AND home directory
userdel -r john
Think before using -r. If the user owned files outside their home directory — cron jobs, service files, log directories — those become orphaned with a numeric UID instead of a name. Check first:
find / -user john 2>/dev/null
Service accounts (for applications)
# No home dir, no shell, no login — just an identity for a process
useradd -r -s /usr/sbin/nologin -c "App service account" appuser
Running applications as a dedicated non-login user limits the blast radius if something gets compromised. Same reason you don't run a game server as root.
Bulk operations with a script
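#!/bin/bash
# Create each user with no password, add them to sudo, and prepare ~/.ssh.
# NEW_USER is used instead of USER so the shell's own $USER is not overwritten.
for NEW_USER in alice bob charlie; do
    adduser --gecos "" --disabled-password "$NEW_USER"
    usermod -aG sudo "$NEW_USER"
    mkdir -p "/home/$NEW_USER/.ssh"
    chmod 700 "/home/$NEW_USER/.ssh"
    chown "$NEW_USER:$NEW_USER" "/home/$NEW_USER/.ssh"
    echo "$NEW_USER created"
done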
Quick reference
# List all local users
cut -d: -f1 /etc/passwd
# List users with login shells (real users, not service accounts)
grep -E '/bash$|/sh$|/zsh$' /etc/passwd | cut -d: -f1
# Who's in sudo group
getent group sudo