SSH deployment user accounts


We currently have an issue with Fabric and SSH remote access because we don't want to put our UoB user account credentials into scripts. It seems logical to allow the project user account, which is already used for running cron jobs, to SSH in using public-key authentication. Access can be restricted per key in authorized_keys files (for example with the from= and command= options), but that is hard to police centrally. If the keys were deployed automatically with bcfg2, the file contents and the directory permissions could be controlled and verified.

However, if we enabled this account we would run into a problem with the default permission scheme we use on top-level project folders, 2775 (setgid, group writable). With the default setting "StrictModes yes", sshd refuses public-key authentication when the user's home directory, ~/.ssh or authorized_keys is group or world writable, or is owned by anyone other than the user (or root). Because the project folder is the account's home directory, its group-write bit alone is enough to trip this check. The options as far as I can see are:

  1. Turn off StrictModes. sshd would stop checking ownership and permissions, but this introduces a real security risk: any other member of the group could append their own key to a group-writable authorized_keys file (or replace a group-writable .ssh directory) and then log in as the project account.
  2. Relocate the account, or create a new account, with a home directory elsewhere on the filesystem where the permissions can be set correctly. The problem is twofold: more user-account management is needed when it is already thought to be too complicated, and some project data would need to exist outside of the project folder.
  3. Remove the group-write permission from the top-level project folder only, e.g. /usr/local/projects/project. Group-write permission remains on the standard sub-directories (bin, etc, var, lib, …). The downside is that developers would not be able to create new top-level folders without using sudo; bcfg2 currently gives members of a group sudo rights to run commands as the user of the same name.

I feel that the last option is the least intrusive. A bit of logic would need adding to bcfg2 to ensure that if a project has a user account set in Properties then the group-write permission is removed from the top-level folder. That wouldn't be too difficult to do.
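To make the StrictModes problem and the third option concrete, here is an added shell example (not code from this page or from bcfg2). It reproduces the ownership and permission test sshd performs on the home directory, ~/.ssh and authorized_keys, builds a throwaway project tree with the 2775 scheme described above, shows that it fails, then applies option 3 (chmod g-w on the top-level folder only) and shows that it passes while bin stays group writable. The project path is hypothetical, and GNU coreutils stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example: emulate the check sshd makes under "StrictModes yes" before
# it trusts ~/.ssh/authorized_keys, and show the effect of option 3.
# Assumes GNU coreutils stat (Linux). Paths below are hypothetical.

# writable_by_group_or_other PATH -> 0 if the group or other write bit is set
writable_by_group_or_other() {
    case $(stat -c '%A' "$1") in        # e.g. drwxrwsr-x
        ?????w*|????????w*) return 0 ;; # 6th char = group w, 9th char = other w
        *) return 1 ;;
    esac
}

# strict_modes_ok HOMEDIR UID
# sshd checks the home directory, ~/.ssh and authorized_keys: each must be
# owned by the user (or root) and must not be group/world writable.
# Prints each offending path; returns 0 only when all three would pass.
strict_modes_ok() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        if writable_by_group_or_other "$p"; then
            echo "group/world writable ($(stat -c '%a' "$p")): $p"; rc=1
        fi
        o=$(stat -c '%u' "$p")
        if [ "$o" != "$2" ] && [ "$o" != 0 ]; then
            echo "owned by uid $o, not $2: $p"; rc=1
        fi
    done
    return $rc
}

# Constructed project tree mimicking the scheme in the text: 2775 on the
# top-level folder and on bin/etc/var, plus a correctly locked-down ~/.ssh.
make_project_home() {
    mkdir -p "$1/bin" "$1/etc" "$1/var" "$1/.ssh"
    chmod 2775 "$1" "$1/bin" "$1/etc" "$1/var"
    chmod 700 "$1/.ssh"
    : > "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
}

# Option 3: drop group write on the top-level folder only. The setgid bit
# and the group-writable sub-directories are left untouched.
apply_option3() {
    chmod g-w "$1"
}

# Walk through the scenario end to end in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    make_project_home "$tmp/project"
    if strict_modes_ok "$tmp/project" "$(id -u)"; then
        echo "before: key would be accepted"
    else
        echo "before: sshd would refuse public-key auth"
    fi
    apply_option3 "$tmp/project"
    if strict_modes_ok "$tmp/project" "$(id -u)"; then
        echo "after option 3: key accepted; bin is still mode" \
             "$(stat -c '%a' "$tmp/project/bin")"
    fi
    rm -rf "$tmp"
}
demo
```

Running it as a normal user prints the offending path and mode for the 2775 folder, then confirms that only the top-level group-write bit had to change. The same `strict_modes_ok` function can be pointed at a real project account's home directory to predict whether sshd will accept a deployed key before anyone has to read through the auth log.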