Generating SSH keys for 'apache' user
Solution 1
As you are root, you can try it:
sudo -u apache ssh-keygen -t rsa
Solution 2
You may have to copy the root-generated keys into the .ssh directory of your apache user.
Assuming the homedir of apache is /var/www (check /etc/passwd) and the named key is id_rsa-git:
mkdir -p /var/www/.ssh/
cp /root/.ssh/id_rsa-git /var/www/.ssh/id_rsa
No need to copy the public key.
Note: by default the keys used are id_rsa or id_dsa. You may change the name of the copied key to match this.
You may also change ownership of the id_rsa key and .ssh directory:
chown -R apache:apache /var/www/.ssh
chmod 0700 /var/www/.ssh
chmod 0600 /var/www/.ssh/id_rsa
Solution 3
Just posting the comment of @KitCarrau, under yvan's answer, that worked for me:
sudo -u apache ssh-keygen -t rsa
for Debian:
sudo -u www-data ssh-keygen -t rsa
After this press Enter twice to skip the passphrase.
Also, it suggests creating the public/private keys in the /var/www/.ssh directory; even though I had my www directory in /home/my_user/www, that is fine.
Solution 4
The existing answers are either incomplete or insecure. If you put your .ssh directory into the home directory of the apache user (/var/www) then this will also most likely serve the contents of that directory and thus expose your ssh private key to the public web. To prevent this you'd have to configure apache not to serve the .ssh directory, but none of the existing answers explains how to do this.
I'd also argue that it is still dangerous to have your .ssh directory be a subdirectory of your publicly served www-root, because even if you add a rule to your apache config, upgrading the server or doing unrelated other configuration might override this rule without you noticing.
So here is an answer that puts the key elsewhere, where it is not served by apache by default. There is not even the need to ever become the www-data user, as others are struggling with.
First, find out the home directory of your apache user, for example by looking into /etc/passwd and looking for the www-data user, or however the apache user of your distribution is called. The home directory is likely /var/www.
Then run (replacing /var/www with the home directory of the apache user on your setup):
$ mkdir "$HOME/www-data.ssh"
$ ssh-keygen -q -t rsa -f "$HOME/www-data.ssh/id_rsa" -N ""
$ chown -R www-data:www-data "$HOME/www-data.ssh"
$ mkdir /var/www/.ssh
$ cat << END > /var/www/.ssh/config
> Host *
> IdentityFile $HOME/www-data.ssh/id_rsa
> END
$ chown -R www-data:www-data /var/www/.ssh
Now your www-data user will use the ssh key in $HOME/www-data.ssh/id_rsa for all its ssh connections, and since your $HOME is probably different from /var/www, that directory will not be served. So even without adding any custom rules to apache, users will be able to see your .ssh/config but they will not be able to access the private key it points to. Nevertheless, your www-data user will know how to do it.
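A scripted version of the procedure in this answer, added here as an example (it is not code from this answer, from Solution 2, or from Apache): it refuses a key location below the served directory, generates the key, tightens the permissions that Solution 2 sets by hand, and writes the config stanza. Assumed values: the apache user is www-data, its home is /var/www and the key directory is /var/lib/www-data-ssh.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumed layout: the apache
# user is www-data, its home/DocumentRoot is /var/www, and the private key
# lives in /var/lib/www-data-ssh, a directory apache never serves.

# key_outside_webroot KEY WEBROOT: succeed only if KEY is not below WEBROOT.
key_outside_webroot() {
    case "$1" in
        "${2%/}"/*) return 1 ;;
        *)          return 0 ;;
    esac
}

# ssh_config_stanza KEY: print the "Host *" stanza that points ssh at KEY.
# IdentitiesOnly stops ssh from offering any other key it finds.
ssh_config_stanza() {
    printf 'Host *\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1"
}

# mode_is PATH MODE: succeed if PATH has exactly the octal permission bits MODE.
mode_is() {
    actual=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$actual" = "$2" ]
}

# install_key USER WEBROOT KEYDIR: generate the key outside the webroot,
# lock it down, and write the config that USER's ssh client will read.
# Needs root for the chown; run once while provisioning the host.
install_key() {
    user="$1" webroot="$2" keydir="$3"
    key="$keydir/id_rsa"
    if ! key_outside_webroot "$key" "$webroot"; then
        echo "refusing: $key would be served from $webroot" >&2
        return 1
    fi
    mkdir -p "$keydir" "$webroot/.ssh"
    chmod 700 "$keydir" "$webroot/.ssh"
    [ -f "$key" ] || ssh-keygen -q -t rsa -b 4096 -f "$key" -N "" || return 1
    chmod 600 "$key"
    ssh_config_stanza "$key" > "$webroot/.ssh/config"
    chmod 600 "$webroot/.ssh/config"
    chown -R "$user:$user" "$keydir" "$webroot/.ssh"
    mode_is "$key" 600
}

# Example invocation (as root): install_key www-data /var/www /var/lib/www-data-ssh
```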
Solution 5
I don't know if this will work on redhat (I assume that is what you're running); however, I was able to su to www-data (the apache user for debian) by executing the following:
sudo su www-data
it actually worked shrugs go figure
Kit, updated on July 23, 2022
Comments
- Kit almost 2 years: How do I add SSH keys for 'apache' user in Linux?
BACKGROUND
I am trying to add a service hook to github to notify a URL once I push to my repo. I have the following php page set up:
<?php `git pull origin master`;
However I get the following output:
sh: git: Permission denied
This is because the keys I generated for github access were generated by my 'root' user. However, when I execute a command from php it is the 'apache' user that runs it.
The keys therefore do not correspond and permission is denied to pull.
As I cannot switch user from the terminal to generate keys as 'apache', I am not too sure what to do. Can anyone suggest a solution?
- Kit over 12 years: Hi. su -apache outputs "This account is currently not available." Any ideas?
- yvan over 12 years: Are you sure that the user is apache? Sometimes it can be httpd or www-data.
- yvan over 12 years: I'm not sure, but it's not very safe to do it, or is it?
- Vincent over 12 years: It will only tell that the apache user will be able to use a ssh-key. The security is not done at the user-level (where the keys are generated) but at the server level (where the keys are used to authenticate). Nonetheless you have to chown the keys to the apache user... (will update the post)
- Kit over 12 years: Yes, I have tested with echo shell_exec('whoami'); Output is apache.
- Kit over 12 years: @Vincent. Thanks. I have copied the private key to /var/www/.ssh/id_rsa; however, I still receive the permission denied error.
- yvan over 12 years: The "This account is currently not available." is because your apache user doesn't have a shell.
- Tarek Fadel over 12 years: Give the user apache a shell in /etc/passwd, although I'm not sure about the security implications that may have.
- Kit over 12 years: @Vincent. I have also tried generating fresh keys, updating github and /var/www/.ssh/id_rsa but still no luck.. Any ideas?
- Vincent over 12 years: As I can see on help.github.com/linux-set-up-git, you have to authenticate on github as the git user (not apache or root...). You may investigate more... try 'su - apache' then 'ssh -T [email protected]'. If the key config is correct you might have a welcome message... If not, there still is a problem.
- Vincent over 12 years: you may try using the ~/.ssh/config file to tweak the ssh parameters of apache...
- Kit over 12 years: I finally solved it. I used sudo -u apache ssh-keygen -t rsa to generate keys for 'apache'. Thank you.
- nthall over 10 years: This is potentially a big security hole. See this serverfault question for info on possible risks.
- dkinzer over 10 years: Yeah, I gave this technique up a while back and opted to use a specific user not related to the apache user.