Proper SSH keys location for a system user?
I have a system account with which I run a database (namely mongodb). By default it has no home. Now I'd like to trigger scp commands from that account, with ssh keys authentication to a remote server, to export backups.
Should I just create a /home/mongodb and /home/mongodb/.ssh folders manually to store the SSH keys, like the default for regular users? Is it still considered a system account after that?
Thanks!
Using the -i option to SCP you can specify any SSH private key (that the user can read) as the "Identity File" -- this may obviate your question (you can put the key wherever you want, as long as it's readable by the MongoDB user and you specify it with -i :-)
Diving into the question you asked though, the generic unix answer to your question is to put them in the .ssh directory under the user's home directory. To locate that home directory look in /etc/passwd (see the manpage for that file if you're unfamiliar with its format).
If as you noted the user has no home directory (it's set to something invalid, or /) you can create that user a home directory and update their account to point to the correct home directory (the tools to do this vary from system to system, however vipw is usually a good place to start). This reduces it to the problem above.
As for what constitutes a "system account", this is a religious question. In my environments "system accounts" have numeric UIDs lower than 1000 and their password locked out (encrypted password set to "*").
Other people will tell you that for it to be a "system account" it should have nologin as its shell, or that the home directory should be in a particular place (or nonexistent), or that all of these criteria must be met :-)
If you are running a Debian distribution, then every user that has no home in /home/user has its home in /var/lib/user. There you can find, or create (if it doesn't exist already), the directory .ssh/. I am not sure if that path is the same for other distributions (CentOS, ...).
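The two approaches from the answers above (look up the account's home in a passwd-format file, or pass the key explicitly with -i), as an added example that is not part of the original thread. The function names, the sample passwd entries, the key path and the host backup.example.com are assumptions made up for illustration; the key check reflects OpenSSH refusing private keys that group or others can access.

```shell
#!/bin/sh
# Added example (not from the original thread). Paths, passwd entries and the
# remote host used in demo() are constructed sample data.

# passwd_home USER FILE: print field 6 (home) of USER from a passwd-format file.
passwd_home() {
    awk -F: -v u="$1" '$1 == u { print $6; found = 1 } END { exit !found }' "$2"
}

# key_dir_for USER FILE: print "<home>/.ssh" when the account has a usable
# home; return 1 when home is empty, "/", or missing (then use scp -i instead).
key_dir_for() {
    home=$(passwd_home "$1" "$2") || return 1
    case $home in ''|/) return 1 ;; esac
    [ -d "$home" ] || return 1
    printf '%s/.ssh\n' "$home"
}

# key_mode_ok FILE: succeed only for a regular file with no group/other
# permission bits; OpenSSH refuses private keys that others can access.
key_mode_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case $perms in -???------) return 0 ;; *) return 1 ;; esac
}

# scp_cmd KEY SRC DEST: print the scp invocation, or fail if the key is unsafe.
scp_cmd() {
    key_mode_ok "$1" || { echo "refusing key $1: bad type or mode" >&2; return 1; }
    printf 'scp -i %s %s %s\n' "$1" "$2" "$3"
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/var/lib/mongodb"
    printf 'mongodb:*:105:110::%s:/usr/sbin/nologin\n' "$tmp/var/lib/mongodb" > "$tmp/passwd"
    printf 'nohome:*:106:111::/:/usr/sbin/nologin\n' >> "$tmp/passwd"
    : > "$tmp/backup_key"; chmod 600 "$tmp/backup_key"
    key_dir_for mongodb "$tmp/passwd"    # account with a usable home
    key_dir_for nohome "$tmp/passwd" || echo "nohome: no usable home, pass the key with -i"
    scp_cmd "$tmp/backup_key" dump.gz backup@backup.example.com:/srv/backups/
    rm -rf "$tmp"
}
demo
```

Point the functions at /etc/passwd and the real key path to check an actual account; scp_cmd only prints the command so it can be reviewed before being run as the service user.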