littlebizzy / slickstack

Lightning-fast WordPress on Nginx
https://slickstack.io
GNU General Public License v3.0

Potential issues with SSH public key (and parent folder) permissions #81

Closed lnevo closed 3 years ago

lnevo commented 3 years ago

The default directory for SSH keys, /var/www/meta/.ssh, is not a good one, as the permissions are 6775. You will need the owner to be root and the permissions at 6755 in order for a key in that folder to work. The folder permissions change after reboot. It should be moved elsewhere so that it can have secure ownership.

jessuppi commented 3 years ago

@lnevo Thanks for your research and feedback!

Current permissions for the /meta/ directory are: drwsrwsr-x 3 www-data www-data 4096 Dec 6 00:02 meta

Originally we didn't want to use the /home/ directory for keys, to keep SlickStack as self-contained as possible, and because only a single sudo user and single domain is supported on every server, anyways. I figured that it would help alleviate any concerns with creation of users (etc) and create a reliable static path for the SSH key files.

However, I'm not sure if that is the best approach or not, as per industry standards and user expectations.

One option would be a new folder like /var/www/ssh or something. Right now the /meta/ directory is sort of our location for files that don't really have anywhere else to go.

jessuppi commented 3 years ago

So reviewing the permissions topic more, I found in the Ubuntu docs that the .ssh folder should be 0775 and the public key being used for SSH connections within that folder should be 0664.

However I saw a few answers on Stack Exchange that suggested 0700 and 0600 instead:

https://askubuntu.com/questions/466549/bash-home-user-ssh-authorized-keys-no-such-file-or-directory

https://askubuntu.com/questions/46424/how-do-i-add-ssh-keys-to-authorized-keys-file

Since the SlickStack folders are more susceptible to attacks (located under /var/www instead of /home) then I'd prefer using tighter CHMOD permissions if possible, if it doesn't break anything.

Perhaps the warning (or etc) you saw is because of that 6 on the front of the permissions, which was due to some lazy initial permissions rules we had earlier during testing, etc.

Also we've changed the folder to /var/www/meta/shell for now to be more generic, to avoid naming confusion. However this might end up working better if we take the whole thing out of the meta folder entirely.

jessuppi commented 3 years ago

For now we'll use the Ubuntu-recommended permissions even though the folder is different in our case:

https://github.com/littlebizzy/slickstack/blob/master/bash/ss-perms-ubuntu-ssh.txt

And here is our new installation process for SSH keys:

https://github.com/littlebizzy/slickstack/blob/master/bash/ss-install-ubuntu-ssh.txt

I will keep this Issue open a while longer in case anyone has feedback on the files, folders, or permissions (etc) related to using SSH keys in SlickStack but I'd really like to avoid using the /home directory if at all possible.

If you have general problems with our SSH key process, consider opening a new Issue.

jessuppi commented 3 years ago

Update: so after 2 days of exhaustive testing, I can confirm that when using a centralized auth keys location file (instead of the default location under each user's home directory) the following permissions are required:

chown root:root /var/www/meta/shell ## must be root:root (centralized keys)
chmod 0755 /var/www/meta/shell ## must be 0755
chown root:root /var/www/meta/shell/authorized_keys ## must be root:root (centralized keys)
chmod 0644 /var/www/meta/shell/authorized_keys ## must be 0644

...this is now reflected in our ss-perms-ubuntu-ssh script: https://github.com/littlebizzy/slickstack/blob/master/bash/ss-perms-ubuntu-ssh.txt

Interestingly this is different than what I understood from the Ubuntu docs (apparently focused on default locations) and also different from what most devs recommend, too.

The following thread helped a ton: https://serverfault.com/questions/313465/is-a-central-location-for-authorized-keys-a-good-idea
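
A check for the layout described in the comment above, as an added example that is not part of the thread or of SlickStack's scripts. It assumes GNU stat (as on Ubuntu), the function names are hypothetical, and it compares against the root:root, 0755 and 0644 values stated above while also flagging setuid/setgid or group/other-write bits such as the 6775 mode reported at the top of the issue:

```shell
#!/bin/sh
# Added example (not SlickStack code): audit a centralized authorized_keys
# directory against the owner and modes stated in the comment above.
# Usage: sh audit-keys.sh /var/www/meta/shell [owner:group]

# check_one PATH WANT_OWNER WANT_MODE -> returns 0 if PATH matches, 1 otherwise
check_one() {
    path=$1 want_owner=$2 want_mode=$3
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    owner=$(stat -c '%U:%G' "$path")   # e.g. root:root
    mode=$(stat -c '%a' "$path")       # octal, e.g. 755 or 6775
    rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER    $path is $owner, want $want_owner"
        rc=1
    fi
    if [ "$mode" != "$want_mode" ]; then
        echo "MODE     $path is $mode, want $want_mode"
        rc=1
    fi
    # Name the two conditions raised in this thread explicitly.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "         $path is writable by group or other"
    fi
    if [ $(( 0$mode & 06000 )) -ne 0 ]; then
        echo "         $path has a setuid/setgid bit"
    fi
    return $rc
}

# audit_keys_location DIR [OWNER:GROUP] -> 0 only if both the directory and
# DIR/authorized_keys match; the owner defaults to root:root as stated above.
audit_keys_location() {
    dir=$1 want=${2:-root:root} status=0
    check_one "$dir" "$want" 755 || status=1
    check_one "$dir/authorized_keys" "$want" 644 || status=1
    return $status
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_keys_location "$@"
fi
```

Since the first comment reports that the folder permissions change after reboot, re-running the audit after a reboot shows whether the corrected values persist.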