Securing EE: RSA Key login... How to handle WWW-DATA SFTP?


#1

Hello guys,

Here is an issue that I’m pretty sure some of you have solved :wink: Anyway here is the problem:

  1. Ubuntu secured, no root SSH login allowed, new user added and RSA key authentication put in place for new user
  2. Now comes an issue… I can’t SFTP to the server using www-data user (as SSH login has been disabled). So apparently I should install the RSA Key for the www-data user as well (?)

I don’t know how to solve this…

Should I do this:

  • create a .ssh/authorized_keys inside the var/www folder and then
  • nano /var/www/.ssh/authorized_keys to add my RSA key and
  • chmod 400 /var/www/.ssh/authorized_keys

Thanks a lot, as you can guess my Linux kung-fu is… well, minimal :wink:

Cheers,
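An added example, not part of the original posts: with `StrictModes` at its default of `yes`, sshd ignores an `authorized_keys` file unless the file, the `.ssh` directory and the home directory are owned by the account or by root and are not group- or world-writable, which is easy to get wrong when the home directory is a web root. The function below audits those three paths; `check_key_path` is a hypothetical helper name, GNU `stat` (Ubuntu) is assumed, and `/var/www` as the home of `www-data` is taken from the question.

```shell
#!/bin/sh
# Added example: audit the paths sshd (StrictModes yes) inspects before it
# accepts a public key for an account. Requires GNU stat (as on Ubuntu).
#
# Usage (paths from the question above, run as root):
#   check_key_path /var/www www-data

# check_key_path HOME_DIR USER
# Returns 0 if every path passes, 1 if any path would make sshd refuse the key.
check_key_path() {
    home=$1
    user=$2
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"
            rc=1
            continue
        fi
        owner=$(stat -c '%U' "$p")
        mode=$(stat -c '%a' "$p")
        # Each path must be owned by the account itself or by root.
        if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
            echo "BAD OWNER $p (owner=$owner, expected $user or root)"
            rc=1
        fi
        # Each path must not be writable by group or others (mode & 022 == 0).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE  $p (mode=$mode)"
            rc=1
        fi
    done
    return $rc
}
```

A web root that is group-writable for deployment (for example mode 775) fails this check, and sshd then rejects the key even though `authorized_keys` itself is mode 400.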


#2

I don’t understand why people do think disabling password SSH login is some kind of “best practice”.

I’d allow password login and use Fail2Ban to automatically block IPs with excessive password errors. Search for “fail2ban”, there are several threads about it in this forum.


#3

yep, and fail2ban was installed with my current setup…

I’ll do that instead, a lot less headache since FileZilla and Transmit are giving me headaches too when trying to configure a key…

Thanks for confirming it’s a bit overkill!!


#4

Hi @ben74

I’m also looking to find a solution for this. I have the same problem. Did you find a way?

Note: @janiosarmento Fail2Ban is very good… but not perfect, and all measures that can be taken to further secure a server are always welcome. In my opinion, disabling password login is a good security practice.


#5

It depends on your scenario.

I think good passwords (strong and long enough) are way more useful (for my needs) than disabling password login.

But we all know what’s better for each of us, right?


#6