Generating SSH keys for 'apache' user

php apache git github ssh-keys

57,585

Solution 1

As you are root, you can try it sudo -u apache ssh-keygen -t rsa

Solution 2

You may have to copy the root generated keys in the .ssh directory of your apache user.

Assuming the homedir of apache is /var/www (check /etc/passwd) and the named key is id_rsa-git :

mkdir -p /var/www/.ssh/
cp /root/.ssh/id_rsa-git /var/www/.ssh/id_rsa

No need to copy the public key.

Note : by default the key used are id_rsa or id_dsa. You may change the name of the copied key to match this.

You may also change ownership of the id_rsa key and .ssh directory:

chown -R apache:apache /var/www/.ssh
chmod 0700 /var/www/.ssh
chmod 0600 /var/www/.ssh/id_rsa

Solution 3

Just posting the comment of @KitCarrau, under yvan's answer, that worked for me

sudo -u apache ssh-keygen -t rsa

for debian

sudo -u www-data ssh-keygen -t rsa

after this click Enter twice, to skip passphrase

also, it suggests to create the public/private keys in /var/www/.ssh directory, even if I had my www direcotry in /home/my_user/www, that is fine.

Solution 4

The existing answers are either incomplete or insecure. If you put your .ssh directory into the home directory of the apache user (/var/www) then this will also most likely serve the contents of that directory and thus expose your ssh private key to the public web. To prevent this you'd have to configure apache not to serve the .ssh directory but none of the existing answers explains how to do this.

I'd also argue that it is still dangerous to have your .ssh directory be a subdirectory of your publicly served www-root because even if you add a rule to your apache config, upgrading the server or doing unrelated other configurations might override this rule without you noticing.

So here is an answer that puts the key elsewhere, where it is not served by apache by default. There is not even the need to ever become the www-data user as others are struggling with.

First, find out the home directory of our apache user, for example by looking into /etc/passwd and looking for the www-data user or however the apache user of your distribution is called. The home directory is likely /var/www.

Then run (replacing /var/www with the home directory of the apache user on your setup):

$ mkdir "$HOME/www-data.ssh"
$ ssh-keygen -q -t rsa -f "$HOME/www-data.ssh/id_rsa" -N ""
$ chown -R www-data:www-data "$HOME/www-data.ssh"
$ mkdir /var/www/.ssh
$ cat << END > /var/www/.ssh/config
> Host *
>     IdentityFile $HOME/www-data.ssh/id_rsa
> END
$ chown -R www-data:www-data /var/www/.ssh

Now your www-data user will use the ssh key in $HOME/www-data.ssh/id_rsa for all its ssh connections and since your $HOME is probably different from /var/www, that directory will not be served. So even without adding any custom rules to apache, users will be able to see your .ssh/config but they will not be able to access the private key it points to. Nevertheless, your www-data user will know how to do it.

Solution 5

I don't know if this will work on redhat (I assume that is what you're running) however, I was able to su to www-data (the apache user for debian) by executing the following:

sudo su www-data

it actually worked shrugs go figure

View more solutions

57,585

Author by

Kit

Updated on July 23, 2022

Comments

Kit almost 2 years
How do I add SSH keys for 'apache' user in Linux?

BACKGROUND

I am trying to add a service hook to github to notify a URL once I push to my repo. I have the following php page set up:
```
<?php `git pull origin master`;  
```
However I get the following output:
```
sh: git: Permission denied
```
This is because the keys I generated for github access were generated by my 'root' user. However when I exectue a command from php it is the 'apache' user that runs it.

The keys therefore do not correspond and permission is denied to pull.

As I cannot switch user from the terminal to generate keys as 'apache', I am not too sure what to do. Can anyone suggest a solution?
Kit over 12 years

Hi. su -apache outputs This account is currently not available.. Any ideas?
yvan over 12 years

Are you sure that the user is apache, sometimes its can be httpd or www-data.
yvan over 12 years

I'm not sure, but it's not very safe to do it or is it ?
Vincent over 12 years

It will only tell that the apache user will be able to use a ssh-key. The security is not done at the user-level (where the keys are generated) but at the server level (where the keys are used to authenticate). Nonetheless you have to chown the keys to the apache user... (will update the post)
Kit over 12 years

Yes, I have tested with echo shell_exec('whoami'); Output is apache.
Kit over 12 years

@Vincent. Thanks. I have copied the private key to /var/www/.ssh/id_rsa however, I still receive the permission denied error.
yvan over 12 years

The This account is currently not available.its because your apache user doesn't have shell.
Tarek Fadel over 12 years

Give the user apache a shell in /etc/passwd although I'm not sure about the security implications that my have.
Kit over 12 years

@Vincent. I have also tried generating fresh keys, updating github and /var/www/.ssh/id_rsa but still not luck.. Any ideas?
Vincent over 12 years

As I can see on help.github.com/linux-set-up-git, you have to authenticate on github as the git user (not apache or root...). You may investigate more... try 'su - apache' then 'ssh -T [email protected]'. If the key config is correct you might have a welcome message... If not, there still is a problem.
Vincent over 12 years

you may try using the ~/.ssh/config file to tweak the ssh parameters of apache...
Kit over 12 years

I finally solved it. I used sudo -u apache ssh-keygen -t rsa to generate keys for 'apache'. Thank you.
nthall over 10 years

This is potentially a big security hole. See this serverfault question for info on possible risks.
dkinzer over 10 years

Yeah I gave this technique up a while back and opted to use a specific user not related to the apache user.