How to Grant Lab GPU SSH Access to a New Project Student on a Linux System

This guide describes how a PhD student who manages a lab GPU machine (chaton, panther, maomi, neko, simba) can grant SSH access to a new project student by creating a user account and configuring SSH groups.

1. Create a New User Account

First, the PhD student who manages the machine should create a new user account for the new project student. The easiest way is to add it with the Settings app on Ubuntu machine after logging in as the PhD student, but you can also do it via command line as follows, replacing [NEW_USER_ID] with the desired username for the new project student.

Switch to superuser at root level:

sudo su

Create the new user account:

adduser [NEW_USER_ID]

OR

useradd -m [NEW_USER_ID]
passwd [NEW_USER_ID]
Tip: For group projects, you can create a shared account (e.g., nsf_project) so all authorized students access the same workspace. Make sure permissions are set correctly and continue to manage access through the sshusers group only.

2. Check SSH Configuration for Allowed Groups

Edit the SSH configuration file:

vim /etc/ssh/ssh_config

You should be able to see the following line (or something similar) in the file: 

AllowGroups synologyusers sshusers

This line indicates that SSH logins are allowed only for users in the synologyusers and sshusers groups.

3. Create the sshusers Group (If Needed)

If you don’t see the sshusers group referenced or it does not yet exist, create it with: 

groupadd sshusers

After creating the group, make sure the SSH configuration file has been updated correctly to include it in the allowed groups line. 

AllowGroups synologyusers sshusers

4. Add New User to sshusers Group

🚫 Do Not Modify synologyusers
This group is reserved for PhD students. Any changes could lock out lab admins. To manage SSH access for project students, use the sshusers group only.

Add new project student to sshusers group

usermod -aG sshusers [NEW_USER_ID]
getent group sshusers

The second command lists the members of the sshusers group to confirm that the new user has been added.

Verify the new student’s group membership: 

id [NEW_USER_ID]

It should print something like the following: 

uid=1002([NEW_USER_ID]) gid=1003(sshusers)

If you ever need to remove a user from the sshusers group, use: 

gpasswd -d [NEW_USER_ID] sshusers

Verify it worked 

id [NEW_USER_ID]

5. Restart the SSH Server

Restart the SSH service so changes take effect:

systemctl restart ssh
systemctl restart sshd

6. Verify SSH Access

Finally, verify that the new project student can access the machine via SSH. From another machine, run the following command, replacing [NEW_USER_ID] and [MACHINE_IP] accordingly: 

ssh [NEW_USER_ID]@[MACHINE_IP].cs.columbia.edu

You should be prompted to enter the password for the new project student. After entering the correct password, you should be logged into the machine as the new project student.