I am in the arduous and painful process of setting up secure users on a new web LEMP server with Ubuntu 12.04. I was initially going to setup something like vsftpd or proftpd but many have suggested just to use SFTP directly so I will. Ultimately, I have one primary user (which I use simply to prevent root logins). I created this new user, generated a public-key pair, uploaded the public key to the users ~/.ssh
directory as authorized_key
, changed the SSH port number, removed root login and also set passwordauthentication
to NO so the user is forced to use his/her key to log in. Easy enough (though working on a PC seems to be much more of a headache for this than my OSX/NIX counterparts).
I am now trying to create new users (for my web developers) which will simply have SFTP access and limit their exposure simply to the web directory of their charge. Each directory has the following format:
/var/www/sitename.com/public/
My headache starts now. Create a new user? Easy. Add password? Don't really need to given I am requiring public/private keys (and they will never have sudo access) but ok. I am struggling however with the following:
- How do I actually store THIS new user's public key on the server? If I login as my root user and simply create the
authorized_keys
file within their home directory, it will have root owner and group permissions and they are unable to log in to the server. Similary, these new users cannot login and create it themselves, well, duh because they aren't permitted to login via password.
(note: I am also struggling with setting up the sftp and limiting them to their respective web directories but I think I can figure that out later on my own).
Any advice?
Edit
Currently the process is this:
- get public key from the individual
- go through the following commands:
#sudo mkdir -p /home/newuser/.ssh #sudo nano /home/newuser/.ssh/authorized_key #(copy key into single line and save) #chown -R newuser:newuser /home/newuser #chmod 700 /home/newuser/.ssh #chmod 600 /home/newuser/.ssh/authorized_key
I suppose this isn't absolutely horrible but if we have a large number of developers (plus the amount of time it is about to take me to set them up with the SFTP portion and limit to directories) it seems like a huge pain.
You need to change the ownership of the file and set permissions appropriately.
To make this process more simple, repeatable, and audit-able, use a configuration management system for user management. All widely-used config management systems (puppet, chef, ansible, etc.) ship with the ability to create users and deploy keys. A huge added benefit of using a config management system is that you can also keep your configuration in source control.
Create it for them using the public key they supply you when they request the account. Chown it appropriately. Chmod it appropriately. Done.
Watch out for that typo :)
it's `authorized_keys'. It frustrated me for at least half an hour.