I know how to get a user to ssh into another box with a key:
ssh -l targetuser -i path/to/key targethost
But what about non-account users like apache? As this user doesn't have a home directory to which it can write a .ssh directory, the whole thing keeps failing with:
$ sudo -u apache ssh -o StrictHostKeyChecking=no -l targetuser -i path/to/key targethost
Could not create directory '/var/www/.ssh'.
Warning: Permanently added '<hostname>' (RSA) to the list of known hosts.
Permission denied (publickey).
I've tried variations using -o UserKnownHostsFile=/dev/null and setting $HOME to /dev/null and none of these have done the trick. I understand that sudo could probably fix this for me, but I'm trying to avoid having to require a manual server config since this code will be deployed on a number of different environments.
Any ideas?
Here are a few examples of what I've tried that don't work:
$ sudo -u apache export HOME=path/to/apache/writable/dir/ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=path/to/apache/writable/dir/.ssh/known_hosts -l deploy -i path/to/key targethost
$ sudo -u apache ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=path/to/apache/writable/dir/.ssh/known_hosts -l deploy -i path/to/key targethost
$ sudo -u apache ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -l deploy -i path/to/key targethost
Eventually, I'll be using this solution to run rsync as the apache user.
Just create /var/www/.ssh/ and give apache write permission for it or change apache's $HOME to a directory where he can write.
Zoredache had it. Not a single option I passed on the command line could save me as the private key file was set to 600 permissions and owned by my own user. My bad. Apologies to everyone :-(

How about adding the following to /etc/sudoers that will allow someuser to run sudo -u apache /usr/bin/rsync [options] without a password (convenient for scripting... just explicitly insert the rsync options, so they can't do anything /but/ that.)
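As an added example (not code from the question or from either answer), here is a POSIX sh script that puts the pieces of this thread together: the writable HOME/.ssh directory from the first answer, a check for the key ownership and mode problem the asker turned out to have, a strict-host-key rsync invocation as the service user, and the restricted NOPASSWD sudoers rule from the last answer. The service account name apache, the HOME directory /var/lib/apache-deploy, the key path /var/lib/apache-deploy/.ssh/id_deploy and the login deploy@targethost are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed layout (adjust to taste):
#   service user:  apache
#   its HOME:      /var/lib/apache-deploy      (writable by apache)
#   deploy key:    /var/lib/apache-deploy/.ssh/id_deploy  (owned by apache, 0600)
# Save as a file (it re-invokes itself via "$0" for the as-user preflight).

# preflight HOME_DIR KEY USER
#   Checks what broke in the question: HOME must exist and be writable, since
#   ssh wants to create HOME/.ssh for known_hosts, and the private key must be
#   owned by USER with no group/other bits, or ssh ignores it. Run as USER.
preflight() {
    home=$1; key=$2; user=$3
    [ -d "$home" ] && [ -w "$home" ] || { echo "HOME $home missing or not writable" >&2; return 1; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    [ -f "$key" ] || { echo "missing key $key" >&2; return 1; }
    # GNU stat first, BSD stat as fallback
    owner=$(stat -c '%U' "$key" 2>/dev/null || stat -f '%Su' "$key")
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    [ "$owner" = "$user" ] || { echo "key $key owned by $owner, not $user" >&2; return 1; }
    case $mode in
        *00) ;;   # 600, 400, 700: no permission bits for group or other
        *) echo "key $key has mode $mode; chown $user and chmod 600 it" >&2; return 1 ;;
    esac
}

# deploy_as USER HOME_DIR KEY TARGET SRC DEST
#   Runs preflight as USER, then rsyncs SRC to TARGET:DEST as USER with HOME
#   pointed at HOME_DIR so ssh reads HOME_DIR/.ssh/known_hosts. Host key
#   checking stays strict: provision that known_hosts file with the verified
#   server key instead of passing StrictHostKeyChecking=no as in the question.
deploy_as() {
    user=$1; home=$2; key=$3; target=$4; src=$5; dest=$6
    sudo -u "$user" env HOME="$home" sh "$0" preflight "$home" "$key" "$user" || return 1
    sudo -u "$user" env HOME="$home" rsync -a --delete \
        -e "ssh -i $key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$home/.ssh/known_hosts" \
        "$src" "$target:$dest"
}

# sudoers_rule CALLER USER COMMAND
#   Emits the kind of /etc/sudoers line the last answer describes: CALLER may
#   run exactly COMMAND (full path plus fixed arguments) as USER without a
#   password, and nothing else. Install it with visudo, never by hand.
sudoers_rule() {
    printf '%s ALL=(%s) NOPASSWD: %s\n' "$1" "$2" "$3"
}

case ${1:-} in
    preflight) shift; preflight "$@" ;;
    deploy)    shift; deploy_as "$@" ;;
    sudoers)   shift; sudoers_rule "$@" ;;
esac
# Example invocations (assumed paths):
#   sh deploy.sh deploy apache /var/lib/apache-deploy /var/lib/apache-deploy/.ssh/id_deploy \
#       deploy@targethost /srv/site/ /var/www/
#   sh deploy.sh sudoers someuser apache '/usr/bin/rsync -a /srv/site/ deploy@targethost:/var/www/'
```

Two points on the sudoers rule: sudo matches the argument list literally, so spell out every rsync option; a wildcard such as /usr/bin/rsync * would let the caller add -e or --rsync-path and run arbitrary commands as apache. And keep the key itself owned by apache with mode 600, since no ssh option on the command line changes whose file ssh is allowed to read.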