Securing EE: RSA Key login... How to handle WWW-DATA SFTP?

ben74 · August 24, 2016, 10:18am

Hello guys,

Here is an issue that I’m pretty sure some of you have solved Anyway here is the problem:

Ubuntu secured, no root SSH login allowed, new user added and RSA key authentication put in place for new user
Now comes an issue… I can’t SFTP to the server using www-data user (as SSH login has been disabled). So apparently I should install the RSA Key for the www-data user as well (?)

I don’t know how to solve this…

Should I do this:

create a .ssh/authorized_keys inside the var/www folder and then
nano /var/www/.ssh/authorized_keys to add my RSA key and
chmod 400 /var/www/.ssh/authorized_keys

Thanks a lot, as you can guess my linux kung-fu is… well minimal

Cheers,

janiosarmento · August 24, 2016, 12:48pm

I don’t understand why people do think disabling password SSH login is some kind of “best practice”.

I’d allow password login and use Fail2Ban to automatically block IPs with excessive password errors. Search for “fail2ban”, there are several threads about it in this forum.

ben74 · August 24, 2016, 3:22pm

yep, and fail2ban was installed with my current setup…

I’ll do that instead, a lot less headache since Filezilla and Transmit are giving me headaches too when trying to configure a key…

Thanks for confirming it’s a bit overkill !!

mikeslv · August 25, 2016, 3:16pm

Hi @ben74

I’m also looking to find a solution for this. I have the same problem. Did you find a way?

Note: @janiosarmento Fail2Ban is very good… but not perfect and all measures that can be taken to further secure a server are always welcome. In my opinion, disable password login is a good security practice.

janiosarmento · August 26, 2016, 3:16am

It depends on your scenario.

I think good passwords (strong and long enough) are way more useful (for my needs) than disabling password login.

But we all know what’s better for each of us, right?

system · November 9, 2018, 1:50pm