We are using Capistrano in some systems as a deploy system. The new sysadmin we have says that our setup is really dangerous and I would like to know how to fix it.
We have a deploy user called "foo" which we use to do the deployment:
cap deploy
This foo user is able to restart apache, clean tmp files and so on.
The problem is that if someone steals our private ssh key and accesses our machines as the foo user, he is able to take down the website.
ssh foo@server <-- Able to shutdown apache!
How can we solve this security hole?
Are there other solutions to take into account?
One thing I'd like to add is that it would be better to exclude the foo user from being able to login via ssh. What I mean is to connect to the server as user "superman" and afterwards use
su foo
to become the foo user and execute any command you want. Using this way, the attacker needs both the password and the private key in order to be able to use capistrano. If he has the private key, he can connect to the server but cannot execute capistrano. If he has the password, he can't even connect to the server because user foo is not allowed to login.
Encrypt your SSH private keys with a secure passphrase and do not copy them to remote servers.
If someone gets hold of your private key it will be no use to them without the passphrase.
It's not really a capistrano issue, more an ssh one. If you are allowed to log on to a machine via ssh (with key or password) and an attacker finds those credentials, he can also do what you're allowed to do on those machines. Your sysadmin has to set boundaries to what your deploy account can do (file permissions, command permissions...). There's a nice walkthrough of how to secure ssh for those tasks here: http://www.linuxjournal.com/article/8257
If you're using SSH keys for authentication and someone steals them, it's the very same situation as if someone stole that user account's password; in both cases, he'd gain the privileges associated with that account.
This is why SSH access to a public server should not be allowed from outside your company network: this way, even if someone knew the root password, he just couldn't use it to connect to your web server.
I hope you are protecting that server with a firewall, or, failing that, you are at least using the web server's built-in one (IPTABLES on Linux, I'd guess) to only allow HTTP/S traffic from the outside. If you aren't... well, do it. Now.
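One way to check the deploy user's keys against the boundaries the two answers above describe (an added example, not code from any poster here): it parses an authorized_keys file and flags every key that lacks a from="..." source restriction or still permits port/agent forwarding. The sample file, the network ranges and the wrapper path are constructed; whether your capistrano tasks tolerate the "restrict" option is something to verify on your own setup.

```python
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp521"}
FORWARDING_OFF = {"no-port-forwarding", "no-agent-forwarding"}
# Constructed sample authorized_keys for the deploy user "foo"; blobs are placeholders.
SAMPLE = """# keys for foo
ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER unrestricted@laptop
from="10.0.0.0/8",no-port-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3...PLACEHOLDER deploy@mgmt
restrict,from="203.0.113.0/24",command="/usr/local/bin/deploy-wrapper --app foo" ssh-ed25519 AAAAC3...PLACEHOLDER wrapped@mgmt
"""

def split_outside_quotes(text, sep):
    """Split on sep (None = whitespace) only outside double quotes, because
    option values such as command="a b" may contain both commas and spaces."""
    out, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if (ch == sep if sep else ch.isspace()) and not quoted:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
    return out + [cur] if cur else out

def parse_line(line):
    """Return (option names, key type, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = split_outside_quotes(line, None)
    options = []
    if tokens[0] not in KEY_TYPES:  # an options list precedes the key type
        options = [o.split("=", 1)[0] for o in split_outside_quotes(tokens.pop(0), ",")]
    ktype, _blob, *comment = tokens
    return options, ktype, " ".join(comment)

def audit(text):
    """One finding per key that a thief could use from any host or as a tunnel."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        names, ktype, comment = parsed
        missing = ["from="] if "from" not in names else []
        if "restrict" not in names and not FORWARDING_OFF <= set(names):
            missing.append("no-port-forwarding,no-agent-forwarding")
        if missing:
            findings.append(f"line {n} ({comment or ktype}): missing {', '.join(missing)}")
    return findings
```

Run audit() over ~foo/.ssh/authorized_keys on each server; only the first sample key is reported, the other two already carry the restrictions.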
Are you sure this is a problem?
That would be the private key, not public. Your administrative users are probably authenticated in the same way, and that's a reasonable setup.
You do need to protect those keys, equally. Have the management host with the private key well firewalled and tightly access-controlled.
There are some options for improvement:
You could go all the way with two-factor authentication, but this is useless without doing the same to your administrative access.
Another option would be to have capistrano use ssh-agent authentication.
If you're not using capistrano for anything but initial deployment you can have that user self-destruct, IE remove the pubkey from the .ssh directory.