locking down dev server - multiple ssh keys - /sub/ access

I'm the newfound sysAdmin for a small web marketing firm, and have inherited responsibility for Linode as the host both for their web presence on one IP, and their development server on another (2 nodes).

I've been "webmaster" for my own sites running on Dreamhost but always solo, as a root user. Formerly, this firm hosted on Media Temple, and self hosted an Ubuntu dev and svn server. With the control panels on DH & MT at least, one is able to assign permissions to certain directories, and MySQL db for certain users.

This is important in the context of this organization, as they have a half dozen development projects in process at any time, and any number of hired guns contributing to them.

Clearly, allowing root access to the entire server is undesirable.

So I've been digging into ssh keys, and command line access. As a first step, I generated RSA and DSA keys locally, and as root, created a user for myself in ~/home/ on the dev Linode.

Yesterday I tried to scp my public keys to ~/home/user/.ssh

Terminal stated -bash: cd: /.ssh: No such file or directory

despite issuing a mkdir command. However, logged in via SFTP, I can see /.ssh and my two public keys in it. I did not see this directory last night. There should not be time lag, and am puzzled by this.

Since my keys are now in /.ssh I just tried to log in via Terminal as my user, not root. I was still asked for the password I set when I created my user logged in as root.

I believe there are several commands that need to be issued as root to lock down the server and enable key access logins.

Q: Will that lock-down prevent SFTP access?

And further, to the point of my introductory statement, assuming as root that I create users for hired guns, how do I associate them with particular projects and MySQL databases?

Is this question, and my puzzle over the phantom /.ssh too vague, broad and deep to be asked here? I fear it is.

I'm hoping for some help, if not clarity, or suggested reading. I've been consulting library.linode.com for information, but it's not as granular as perhaps needed for a lightweight like myself.

cheers, mjb

12 Replies

~/home/user/.ssh would be "/home/user/home/user/.ssh".

in what context are you referring?

current directory structure is ~/home/user/.ssh and I can see that via an FTP client logged in as root.

to reiterate, the issue is, we will have users who need access to ~/var/www/projects/project and to MySQL on a user by project basis.

how best to do that, so that when project is complete, creds can be parked, or removed/revoked.

mjb

What he means is that ~ is shorthand notation for your home directory, e.g. /home/user

So ~/home/user/.ssh in fact expands to be "/home/user/home/user/.ssh"
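Added example, not part of any post in this thread: the tilde expansion described above, run through the shell itself, together with one way to place a public key where sshd looks for it by default (`~/.ssh/authorized_keys`, with the modes `StrictModes` expects). The function names, the sample key line and the temporary paths are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names, key text and paths are constructed.

# Let the shell expand "~/home/user/.ssh" for a given $HOME.
# The subshell body keeps the HOME override from leaking out.
tilde_path() (
    HOME=$1
    printf '%s\n' ~/home/user/.ssh
)

# Append a public key to <home_dir>/.ssh/authorized_keys.
# sshd reads keys from that file by default; a *.pub file merely copied
# into .ssh is not consulted. With StrictModes (the default), sshd also
# rejects the file if it or its directory is writable by others,
# hence modes 700 and 600.
install_pubkey() {
    home_dir=$1 pubkey_file=$2
    ssh_dir=$home_dir/.ssh
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$ssh_dir/authorized_keys" &&
        chmod 600 "$ssh_dir/authorized_keys" || return 1
    # Append only if this exact key line is not already present.
    grep -qxF -f "$pubkey_file" "$ssh_dir/authorized_keys" ||
        cat "$pubkey_file" >> "$ssh_dir/authorized_keys"
    # When run as root on behalf of another account, also hand the
    # directory to that account:  chown -R user: "$ssh_dir"
}

# Demonstration in a throwaway directory (nothing under /home is touched).
demo=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3-constructed-sample-key user@example' \
    > "$demo/id_rsa.pub"
install_pubkey "$demo/home/user" "$demo/id_rsa.pub"
echo "HOME=/home/user: ~/home/user/.ssh -> $(tilde_path /home/user)"
ls -la "$demo/home/user/.ssh"
rm -rf "$demo"
```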

OK, be that as it may, I'm still looking for clarity on the over-arching question of granting permissions to specific directories to specific users. I see that via https://manager.linode.com/user/index I can limit permissions to users, but that is on a more global basis. I can't see a way to limit access in a more granular way.

The Linode Manager isn't designed for that sort of thing. If you want a control panel so your users can manage individual files, administer databases and e-mail, etc., you will need to install one on your VPS. Some free software panels are ISPConfig, Virtualmin, Kloxo, and Domain Technologie Control (DTC). I haven't used any of these, so can't give a recommendation.

Thanks Vance, that's what I've come to recognize/understand.

I had signed up for a free cPanel 20 day license, but what I've also come to understand in reading pre-install documentation, is that it must be installed on a blank box. We currently have 21GB of project sites and MySQL databases being served on the node I'd like to run it on to put a face on all that back-end admin we need to do.

I can look into the panels you list, but to your knowledge (or anyone else's) will we run into a similar issue? That is, if we have data, will that preclude install?

cheers

Attempting to install a control panel on an already established server is generally a bad idea; they will try to overwrite the various configurations with their own and any customisations may be overwritten.

If you really need a control panel then bring up a new node and migrate your projects to it, otherwise it's time to learn the command line!

Thanks obs, I appreciate you confirming my concern, and the suggested solution.

If you do want to spin up a new linode, the swap IP facility in the linode manager means you don't need to fiddle with dns.

anyone have experience with OpenPanel?

http://www.openpanel.com/

What is CFS? And why would it be against the TOS?

@hoopycat:

What is CFS? And why would it be against the TOS?

Better yet, who is peleus and why is he going around resurrecting 2+ year old threads?
