Stuck on SSH public key authentication for www-data
I have a web server and a desktop. I would like to be able to mount /var/www/html/ from the webserver to a directory on my desktop using sshfs.
I have a user 'anthony' on both the server and the desktop. I can SSH between the desktop and server with public key authentication (password login is disabled). From there, I can 'su' to www-data (I have set a password for the www-data user). Code:
anthony@maples-desktop:~$ ssh 192.168.0.100
I thought that I could just copy my id_rsa.pub from my desktop into /var/www/.ssh/authorized_keys on the server. But it's not working like I thought it would: Code:
ssh www-data@192.168.0.100
Code:
$ ssh www-data@192.168.0.100 -v
I've checked, and I'm using the correct home directory for www-data: Code:
www-data@poweredge1950:/home/anthony$ cd
I didn't know if I needed a keypair for www-data, so I generated one, and that didn't fix it either. I checked that the permissions for authorized_keys are the same as for the user 'anthony': Code:
www-data@poweredge1950:~$ cd .ssh/

/var/www/.ssh/authorized_keys permissions should be set to owner rw (chmod 600 /var/www/.ssh/authorized_keys)

authorized_keys file contains anthony@maples-desktop's id_rsa.pub content?

Code:
www-data@poweredge1950:~$ md5sum .ssh/authorized_keys

Quote:
At this point, you don't see differences comparing ~/.ssh directories for both www-data and anthony users? Not using authorized_keys2 in anthony's .ssh for example?
Nope, nothing like that:
Code:
www-data@poweredge1950:~$ ls .ssh/
Code:
anthony@maples-desktop:~$ ls .ssh/

Nothing in logs (as root): tail /var/log/messages
Or grep ssh /var/log/*
What are the permissions of /var/www ?

Code:
www-data@poweredge1950:~$ ls -la /var/www/
Code:
root@poweredge1950:~# tail /var/log/messages
However, I checked the end of auth.log, which contained something worth mentioning (immediately after I tried SSHing to www-data@192.168.0.100): Code:
root@poweredge1950:~# tail /var/log/auth.log

Quote:
Try chmod 755 /var/www
www-data has a nologin shell, I'll bet that is jamming you up.
Code:
grep www-data /etc/passwd

Quote:
I wonder why it refuses to let you login when group has write permission? Thanks for all the help! :D

Code:
root@poweredge1950:~# grep www-data /etc/passwd

Quote:
Also, the user and group www-data are for privilege separation and should not have write access to anything in the web server's document root, except for special exceptions regarding individual files in certain CMSs. Adding write permission for www-data, as shown in #10 above, breaks the security model and is likely to end up costing you in the medium to long term. What problem were you trying to solve? If it was shared access to the web server's document root or other files, then a special group should be made for that and write access given to that new group instead of www-data.

Code:
sudo pacman -S base-devel abs
Code:
./openssh-7.2p2/regress/check-perm.c: "bad ownership or modes for directory %s", buf);
Code:
if (stat(buf, &st) < 0 ||

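The rule behind that "bad ownership or modes" message can be replayed without sshd. This is an added example (mine, not from the thread and not OpenSSH's own code): with StrictModes on, sshd walks from authorized_keys up to the user's home directory and requires every component to be owned by that user or root and to carry no group or world write bit, which is why a 775 /var/www is refused while 755 passes. It assumes GNU stat on Linux.

```shell
# Approximate sshd's StrictModes check for ~/.ssh/authorized_keys: walk from
# the file up to the home directory and reject any component that is not
# owned by the user (or root) or that is group- or world-writable.
# Assumes GNU stat (Linux). Added example, not code from the thread.
ssh_path_ok() {
    file=$1        # e.g. /var/www/.ssh/authorized_keys
    home=$2        # the user's home directory, where the walk stops
    uid=$3         # numeric uid of the user logging in
    p=$file
    while :; do
        owner=$(stat -c '%u' "$p" 2>/dev/null) || return 1
        perms=$(stat -c '%A' "$p")        # e.g. drwxrwxr-x
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "bad ownership for $p (uid $owner)"
            return 1
        fi
        # 6th character is the group write bit, 9th the world write bit;
        # this is the (st_mode & 022) test that rejects 775 but accepts 755
        case $perms in
            ?????w*|????????w*)
                echo "bad modes for $p ($perms)"
                return 1 ;;
        esac
        [ "$p" = "$home" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return 0
}
```

Run it as `ssh_path_ok /var/www/.ssh/authorized_keys /var/www "$(id -u www-data)"` on the server to see which component sshd objects to.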
Quote:
So if www-data shouldn't have write access, then who should? I don't want to give it to just root, for several reasons. (The biggest one being that I don't think I should have to log in as root just to edit HTML.) Should I give it to my user, or should I create a separate user just for that purpose?

Quote:
If you are the only user and only ever going to be the only user then it is enough to just chown it to your account and group. Then you can make as many changes as you want and www-data cannot write. Just make sure that the directories have o=rx and that files have o=r so that the web server can still read them. If you would be moving to a simple multi-user environment, where more than one account would need to edit the web files, then you would just make a new group and apply that, along with the SetGID bit to the directories.

Quote:
I think you're saying that it should be a new group, not the www-data group. I've heard very little about setuid, and never heard of setgid, so I'm going to head over to Google. But what would I need to do to implement what you suggested above?

Code:
groupadd webmeisters
The two 'find' instances show the different settings for files and directories. (Numerically that would be 2775 in octal instead of u=rwx,g=rwxs,o=rx in symbolic mode. The symbolic mode works to unset the setgid bit also but the octal mode does not.) The owner of the directories and files is not important as long as it is not www-data. You could leave that as maples, as long as the group is set to the shared group. Then add users to the shared group. Code:
gpasswd -a maples webmeisters

mod_userdir could be simpler to use in a home config (and will not be affected by a system upgrade, in case the upgrade replaces all the /var/www config).
Server dir would be in anthony@poweredge1950:public_html, url would be http://poweredge1950/~anthony

Code:
anthony@poweredge1950:~$ umask
EDIT: Google informs me that you can't do that. So since I have a group for my user and all files I create in my home directory are anthony:anthony, is it any security risk to set umask to 0002?

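The shared-group layout from the webmeisters post, carried through with the umask 0002 asked about just above, as an added example that is not from the thread: it applies the directory and file modes with find, then shows that a file a group member creates under umask 0002 inside a setgid directory comes out group-owned and group-writable while staying world-readable for the web server. The group name and document root are parameters; it assumes GNU coreutils and that the group already exists.

```shell
# Apply the shared-group layout to a document root: setgid 2775 directories,
# 664 files, group set to the shared editing group (never www-data).
# Assumes GNU chmod/find/stat. Added example, not code from the thread.
setup_shared_docroot() {
    root=$1; group=$2             # e.g. /var/www/html webmeisters
    chgrp -R "$group" "$root" || return 1
    # directories: owner and group rwx, setgid so new entries inherit the
    # group, others rx so the web server can still traverse them
    find "$root" -type d -exec chmod u=rwx,g=rwxs,o=rx {} + || return 1
    # files: owner and group rw, everyone else (including www-data) read-only
    find "$root" -type f -exec chmod u=rw,g=rw,o=r {} +
}

# Octal mode of a path; the setgid bit shows up as the leading 2 (e.g. 2775).
mode_of() { stat -c '%a' "$1"; }

# Create a file the way a group member working with umask 0002 would, and
# print "<mode> <gid>" so the caller can confirm group inheritance.
create_as_member() {
    ( umask 0002 && : > "$1" ) || return 1
    stat -c '%a %g' "$1"
}
```

With the default umask 0022 the same file would come out 644, which is exactly the case where other members of the group cannot edit it.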
ACLs
Code:
setfacl -b -m group:webmeisters:rwx,d:group:webmeisters:rw- /var/www/html/
You can see what you have set with 'getfacl' Code:
getfacl /var/www/html/

I think I'm going to stick with umasks for now, though ACLs look like something I should look into some day.
Theoretically, if this was a multi-user environment, would /etc/profile be an appropriate place to put the umask?

Awesome. I just made /etc/profile.d/my_umask.sh with "umask 0002" and that seemed to take care of it.
And the sshfs still works like I originally intended :D Thank you!

Quote:
I look for it a lot.

Quote:
Let me know if there are any phrases or terms that you normally use when searching for it and I can add them.