Have an unprivileged non-account user ssh into another box?

Posted by Daniel Quinn on Server Fault
Published on 2010-05-14T22:02:51Z Indexed on 2010/05/14 22:14 UTC

I know how to get a user to ssh into another box with a key:

ssh -l targetuser -i path/to/key targethost

But what about non-account users like apache? As this user doesn't have a home directory to which it can write a .ssh directory, the whole thing keeps failing with:

$ sudo -u apache ssh -o StrictHostKeyChecking=no -l targetuser -i path/to/key targethost
Could not create directory '/var/www/.ssh'.
Warning: Permanently added '<hostname>' (RSA) to the list of known hosts.
Permission denied (publickey).

I've tried variations using -o UserKnownHostsFile=/dev/null and setting $HOME to /dev/null and none of these have done the trick. I understand that sudo could probably fix this for me, but I'm trying to avoid having to require a manual server config since this code will be deployed on a number of different environments.

Any ideas?

Here's a few examples of what I've tried that don't work:

$ sudo -u apache export HOME=path/to/apache/writable/dir/ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=path/to/apache/writable/dir/.ssh/known_hosts -l deploy -i path/to/key targethost
$ sudo -u apache ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=path/to/apache/writable/dir/.ssh/known_hosts -l deploy -i path/to/key targethost
$ sudo -u apache ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -l deploy -i path/to/key targethost

Eventually, I'll be using this solution to run rsync as the apache user.

© Server Fault or respective owner
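
A preflight a deploy script could run as the service user before calling ssh, added here as an example and not part of the original post: it checks the key-file conditions the OpenSSH client enforces and builds options that keep host-key verification on against a pinned known_hosts file instead of one under the home directory. The function names `key_usable` and `ssh_opts` and the paths passed to them are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and all paths
# are hypothetical; run this as the service user (e.g. via sudo -u apache).

# key_usable KEY: succeed only if the current user can read KEY and, when
# that user owns it, no group/other permission bits are set. OpenSSH ignores
# a private key owned by the caller that is accessible by others.
key_usable() {
    key=$1
    [ -f "$key" ] && [ -r "$key" ] || { echo "key not readable: $key" >&2; return 1; }
    meta=$(ls -ldnL -- "$key") || return 1
    mode=${meta%% *}                                   # e.g. -rw-------
    owner=$(printf '%s\n' "$meta" | awk '{print $3}')  # numeric uid
    if [ "$owner" = "$(id -u)" ]; then
        case $mode in
            -???------*) ;;                            # owner-only access
            *) echo "key mode too open: $mode" >&2; return 1 ;;
        esac
    fi
}

# ssh_opts KEY KNOWN_HOSTS: print the client options, one word per line.
# KNOWN_HOSTS is a file holding the target's host key, shipped with the
# deployment, so nothing has to be written under the user's home directory.
ssh_opts() {
    key=$1
    known=$2
    key_usable "$key" || return 1
    [ -s "$known" ] || { echo "no pinned host keys in: $known" >&2; return 1; }
    printf '%s\n' \
        -F /dev/null \
        -o BatchMode=yes \
        -o IdentitiesOnly=yes \
        -o StrictHostKeyChecking=yes \
        -o "UserKnownHostsFile=$known" \
        -i "$key"
}

# Usage (paths without whitespace), with the names used in the post:
#   ssh $(ssh_opts path/to/key path/to/known_hosts) -l deploy targethost
```
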

Posted by Daniel Quinn on Stack Overflow
Published on 2010-05-14T21:48:21Z Indexed on 2010/05/14 21:54 UTC