[LRUG] Setting up SSH for multiple people to deploy an app

Richard Livsey richard at livsey.org
Thu Apr 18 04:03:44 PDT 2013 

Thanks everyone. Seems the consensus is that it's fine (better) to have one deploy user with everyone in its authorized_keys as opposed to a user per user. That's the way I've always done it in the past but I'd come across some stuff on the interwebs which advised otherwise [1]. 

Passenger automagically switches the user to 'nobody' so that should cover those concerns of the app running as www-data? Aside from that, the apps don't upload anything to the filesystem (any uploads go into the database or S3) but better to be safe. 

[1] - http://serverfault.com/questions/313465/is-a-central-location-for-authorized-keys-a-good-idea

Cheers.

-- 
Richard Livsey
Co-Founder, MinuteBase 
Meeting collaboration made easy
http://minutebase.com
+44 (0) 7841 260 797


On Wednesday, 17 April 2013 at 23:19, Gerhard Lazu wrote:

> 1. Never run apps under www-data, that is a system user reserved for web servers only. Giving www-data write privileges to any of your apps is a well known easter egg.
> 
> 2. Create a system user for each app, even if it's PHP or just a static site. Make that user part of the deploy group.
> 
> 3. Only allow deploy and admin groups to login via ssh. Root is not in these groups, neither is www-data. /bin/false or /bin/nologin are just comfort blankets, don't rely on them when securing sshd.
> 
> 4. When you want to allow someone to deploy an app, add their ssh key to that app's authorized_keys file. It's a lot easier
> managing access by adding/removing ssh keys vs system users.
> 
> 5. Most importantly, never pull code when deploying, always push. Never rely on any third party either, you not being able to
> deploy code because your repo host (github / bitbucket) or rubygems are down is insane.
> 
> I wish I had focused on these specifics in my March LRUG talk, would have made a lot more people efficient and happy. One of these days I will write a blog post on all the above, it's such a treat to have it all working consistently and predictably across apps and providers.
> 
> In my own infrastructure, I just create a new app config (regardless of the app type), the provisioner (chef) and CI (jenkins) take care of everything else.
> 
> Gerhard
> 
> Twitter (http://twitter.com/#!/gerhardlazu) Github (https://github.com/gerhard) Blog (http://gerhardlazu.com/) 
> 
> On Wed, Apr 17, 2013 at 6:02 PM, Richard Livsey <richard at livsey.org (mailto:richard at livsey.org)> wrote:
> > What's the best way of setting up a server for multiple people to deploy to these days?
> > 
> > /var/www/site is currently owned by www-data:www-data
> > 
> > I don't want www-data to be a full user who can SSH in, individual users should be able to SSH in as themselves.
> > 
> > I'm thinking of adding all users who can deploy to the 'www-data' group and then setting the /var/www/site as 2775 so that it's writable by anyone in that group.
> > 
> > That combined with agent forwarding should mean that github deploy keys should all work for the individual users too.
> > 
> > Does this make sense, or are there simpler/better ways?
> > 
> > Cheers.
> > _______________________________________________
> > Chat mailing list
> > Chat at lists.lrug.org (mailto:Chat at lists.lrug.org)
> > http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>

More information about the Chat mailing list