troubleshooting Question

SSH Keys Best Practices Guidance

Avatar of Brahmanatha
Brahmanatha asked on
SecurityLinux SecurityWeb Components
13 Comments8 Solutions380 ViewsLast Modified:
This is not really a problem requiring a solution, unless you consider ignorance a problem.  I am a newbie in the use of SSH keys. It's easy to find info on a) how to make them, b) how to install. But I'm still a bit in the dark on best practices of how to use them. So this is a "request for mentoring" post.

Context/Background:

Linux CentOS 6.2 Web server running  plain vanilla web server with VirtualMin/WebMin wrapper/control panel. Server lives with GoGrid in their data center in San Franscisco, CA
All web site(s) content reside in /home/someuser/public_html (multiple sites)
Admin can log in as root if he need to do anything anywhere outside of /home... which is actually very rare.
More typical daily requirement is done by logging in with SFTP in an FTP client, as a specific user into into one of the "web directories" (/home/ApplesAreFruitDomain/public_html/*)
Goals: 1.) I want to set up ssh keys on the machine here (in hawaii) so that the users on the LAN are not necessarily having to enter a user name and password for every log in.
2. For some users on the LAN, I only want them to be able access 1 or 2 of the web sites in /home... not all of them.
3. Occasionally you have the typical requirement to install the keys of some remote developer "rajan"  who lives in India/Brasil/Toronto etc.. to work on a single web site. then later revoke access.
What I know now: I create some key here on my local machine. copy the public key to the server, cd to a given directory then run the install command and I get an "authorized-keys" folder. mv the public key in there. All that much is info widely available on the net.

Questions

If you want an admin to be able to access *all* folders in /home, but nothing up the directory tree (no system file access) where do you put the authorized keys folder?
From the above you can see I assume that keys in a top directory grant access permissions to all keys in subdirectories below that one. Is this assumption correct?
The corollary is, to state the obvious, if we have "/home/BrillianMoon/.ssh/authorized-keys" then users coming in with matching private keys will only have access to the BrilliantMoon directory and sub tree folders/files. Please confirm
To put the question in a more vague open way: where is the best place to install authorized keys?

Please do not feel you need to limit your answers to the above scope. I looking for "best practices" from security veterans who make the use of SSH key a daily part of their working regimen.  I may have to split the points across a lot of answers. If you had 15 minutes to tell someone the best thing to do, what would you tell them?

Thanks (from someone who learned it all since 1986, "just by doing" but lacks any formal computer science education.)
ASKER CERTIFIED SOLUTION
Join our community to see this answer!
Unlock 8 Answers and 13 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 8 Answers and 13 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros