Generating SSH keys for 'apache' user
How do I add SSH keys for 'apache' user in Linux?
BACKGROUND
I am trying to add a service hook to github to notify a URL once I push to my repo. I have the following php page set up:
<?php `git pull origin master`;
However I get the following output:
sh: git: Permission denied
This is because the keys I generated for github access were generated by my 'root' user. However when I exectue a command from php it is the 'apache' user that runs it.
The keys therefore do not correspond and permission is denied to pull.
As I cannot switch user from the terminal to generate keys as 'apache', I am not too sure what to do. Can anyone suggest a solution?
You may have to copy the root generated keys in the .ssh directory of your apache user.
Assuming the homedir of apache is /var/www (check /etc/passwd) and the named key is id_rsa-git :
mkdir -p /var/www/.ssh/
cp /root/.ssh/id_rsa-git /var/www/.ssh/id_rsa
No need to copy the public key.
Note : by default the key used are id_rsa or id_dsa. You may change the name of the copied key to match this.
You may also change ownership of the id_rsa key and .ssh directory:
chown -R apache:apache /var/www/.ssh
chmod 0700 /var/www/.ssh
chmod 0600 /var/www/.ssh/id_rsa
As you are root, you can try it sudo -u apache ssh-keygen -t rsa
Just posting the comment of @KitCarrau, under yvan's answer, that worked for me
sudo -u apache ssh-keygen -t rsa
for debian
sudo -u www-data ssh-keygen -t rsa
after this click Enter twice, to skip passphrase
also, it suggests to create the public/private keys in /var/www/.ssh
directory, even if I had my www direcotry in /home/my_user/www
, that is fine.
The existing answers are either incomplete or insecure. If you put your .ssh
directory into the home directory of the apache user (/var/www
) then this will also most likely serve the contents of that directory and thus expose your ssh private key to the public web. To prevent this you'd have to configure apache not to serve the .ssh
directory but none of the existing answers explains how to do this.
I'd also argue that it is still dangerous to have your .ssh
directory be a subdirectory of your publicly served www-root because even if you add a rule to your apache config, upgrading the server or doing unrelated other configurations might override this rule without you noticing.
So here is an answer that puts the key elsewhere, where it is not served by apache by default. There is not even the need to ever become the www-data
user as others are struggling with.
First, find out the home directory of our apache user, for example by looking into /etc/passwd
and looking for the www-data
user or however the apache user of your distribution is called. The home directory is likely /var/www
.
Then run (replacing /var/www
with the home directory of the apache user on your setup):
$ mkdir "$HOME/www-data.ssh"
$ ssh-keygen -q -t rsa -f "$HOME/www-data.ssh/id_rsa" -N ""
$ chown -R www-data:www-data "$HOME/www-data.ssh"
$ mkdir /var/www/.ssh
$ cat << END > /var/www/.ssh/config
> Host *
> IdentityFile $HOME/www-data.ssh/id_rsa
> END
$ chown -R www-data:www-data /var/www/.ssh
Now your www-data
user will use the ssh key in $HOME/www-data.ssh/id_rsa
for all its ssh connections and since your $HOME
is probably different from /var/www
, that directory will not be served. So even without adding any custom rules to apache, users will be able to see your .ssh/config
but they will not be able to access the private key it points to. Nevertheless, your www-data
user will know how to do it.
I ran into a similar issue and there is one extra snag. In order to ssh using the apache user you also need to edit the /etc/passwd
file so that the directive for apache has a shell defined.
In my case I needed to change
apache:x:48:48:Apache:/var/www:/sbin/nologin
to
apache:x:48:48:Apache:/var/www:/bin/bash