Add SSH Login For Client

Take a look at this issue of Servers For Hackers where @fideloper covers creating users and security - https://serversforhackers.com/editions/2014/06/03/initial-security/

Hi @ericbarnes! Thanks for that article! I have signed up to get @fideveloper's book, but hadn't thought of looking through past articles. :)

It covers everything, with exception of limiting a user to only a specific directory (and any directories it contains), that I could tell. Any thoughts on how that is best achieved?

Looking at getting the user set up, I would want to do the following:

• add new user to group "forge", (will this allow them to edit their website files in the forge home folder?)
• restrict the new user's access to their website folder within the forge home folder (not sure how to do this)

The reason this is important, is because I have multiple client sites on a single forge server.

It sounds like you want to set up a chroot environment for your customer: https://en.wikipedia.org/wiki/Chroot

I think you'll be fighting Forge in a few ways by doing a multi-user setup that way. Forge always uses user Forge, and assumes files that it needs to edit are either in the Nginx/PHP configuration or within the Forge users home directory.

Setting up new users, etc, might mean that you'll lose some abilities to edit their config (etc) from the Forge control panel. That being said, you'll probably (?) still be able to do things like setup Git hooks, etc.

Definitely read/understand/practice playing with users, groups and permissions. That'll be key to understanding limitations/barriers and ways to make it work.

Then check out to see if you want to make multiple PHP-FPM "resource pools", so that the same set of processes aren't being used on multiple client sites. This isn't necessary but is better for security - PHP won't be sharing any memory/state with multiple applications if you setup a different resource pool per user.

The issue here is that each user will have their own home directory (/home/usersnamehere/). You should have it setup so that users can only edit files in there (that's the "easy" part). The hard part is that user "forge" won't necessarily be able to do anything to files in there.

You can set that up with with group permissions so that user "forge" can edit files in other users' home directories, but I'm not sure how well Forge's GUI interfaces play with that.

Thanks @fideveloper for taking the time to weigh in on this topic. :) For now I forwent (past of forgo? ;-P) setting up a new user and just used the forge user, remaining the only user on the block, as messing with it seemed like it might open a can of worms. I did create a new separate SSH key to use that to log in though, so if I ever need to cut that client off, all I need to do is remove the ssh key from Forge, and all is good. :)

@EmilMoe I haven't played with that yet, but as mentioned, I have found a SSH solution that seems to do the trick. Thanks for offering advice, though. :)

Remember, SSH allows users to do anything on that system (unless chroot is used, which is like an OS in an OS). If you've only supplied them a key to use and you can disable the public key in .ssh, that will work (if that's what you want).

Yea, I know they could wreak havoc if they figured it out. But I had to get the system up and running. Will look into a more secure solution for the long-term. Perhaps set up FTP to a single directory. Although I wanted to use SFTP, but of course needed to set up more system users for that.

FTP to a single directory would be a little more secure in my opinion, rather than SSH. That way they can't wreck everything.

@Istables agreed :)

For your reference, I know Proftpd have the option to chroot users to their home directory.

@bashy thanks for that info! :)