Generating SSH keys for 'apache' user

How do I add SSH keys for 'apache' user in Linux?

BACKGROUND

I am trying to add a service hook to github to notify a URL once I push to my repo. I have the following php page set up:

<?php `git pull origin master`;  

However I get the following output:

sh: git: Permission denied

This is because the keys I generated for github access were generated by my 'root' user. However when I exectue a command from php it is the 'apache' user that runs it.

The keys therefore do not correspond and permission is denied to pull.

As I cannot switch user from the terminal to generate keys as 'apache', I am not too sure what to do. Can anyone suggest a solution?


You may have to copy the root generated keys in the .ssh directory of your apache user.

Assuming the homedir of apache is /var/www (check /etc/passwd) and the named key is id_rsa-git :

mkdir -p /var/www/.ssh/
cp /root/.ssh/id_rsa-git /var/www/.ssh/id_rsa

No need to copy the public key.

Note : by default the key used are id_rsa or id_dsa. You may change the name of the copied key to match this.

You may also change ownership of the id_rsa key and .ssh directory:

chown -R apache:apache /var/www/.ssh
chmod 0700 /var/www/.ssh
chmod 0600 /var/www/.ssh/id_rsa

As you are root, you can try it sudo -u apache ssh-keygen -t rsa


Just posting the comment of @KitCarrau, under yvan's answer, that worked for me

sudo -u apache ssh-keygen -t rsa

for debian

sudo -u www-data ssh-keygen -t rsa

after this click Enter twice, to skip passphrase

also, it suggests to create the public/private keys in /var/www/.ssh directory, even if I had my www direcotry in /home/my_user/www, that is fine.


The existing answers are either incomplete or insecure. If you put your .ssh directory into the home directory of the apache user (/var/www) then this will also most likely serve the contents of that directory and thus expose your ssh private key to the public web. To prevent this you'd have to configure apache not to serve the .ssh directory but none of the existing answers explains how to do this.

I'd also argue that it is still dangerous to have your .ssh directory be a subdirectory of your publicly served www-root because even if you add a rule to your apache config, upgrading the server or doing unrelated other configurations might override this rule without you noticing.

So here is an answer that puts the key elsewhere, where it is not served by apache by default. There is not even the need to ever become the www-data user as others are struggling with.

First, find out the home directory of our apache user, for example by looking into /etc/passwd and looking for the www-data user or however the apache user of your distribution is called. The home directory is likely /var/www.

Then run (replacing /var/www with the home directory of the apache user on your setup):

$ mkdir "$HOME/www-data.ssh"
$ ssh-keygen -q -t rsa -f "$HOME/www-data.ssh/id_rsa" -N ""
$ chown -R www-data:www-data "$HOME/www-data.ssh"
$ mkdir /var/www/.ssh
$ cat << END > /var/www/.ssh/config
> Host *
>     IdentityFile $HOME/www-data.ssh/id_rsa
> END
$ chown -R www-data:www-data /var/www/.ssh

Now your www-data user will use the ssh key in $HOME/www-data.ssh/id_rsa for all its ssh connections and since your $HOME is probably different from /var/www, that directory will not be served. So even without adding any custom rules to apache, users will be able to see your .ssh/config but they will not be able to access the private key it points to. Nevertheless, your www-data user will know how to do it.


I ran into a similar issue and there is one extra snag. In order to ssh using the apache user you also need to edit the /etc/passwd file so that the directive for apache has a shell defined.

In my case I needed to change

apache:x:48:48:Apache:/var/www:/sbin/nologin

to

apache:x:48:48:Apache:/var/www:/bin/bash