Login Key for Laravel developer

gonzalomassa

Verified User
Joined
Feb 24, 2015
Messages
6
Hello!

I'm not sure if this is the right forum to ask this, feel free to move the post to the right place.

I've a CentOS 7 VPS where we're going to host our new website. The server is actually used for a Moodle installation but it's under a subdomain controlled by another user, so the main domain's public_html folder is still empty and has no website inside.

The site is being developed with Laravel by an external developer, so we need to give him SSH access to our server. Like I said there is no current website hosted so we're not worried about content that could be deleted in the public_html folder, but we would like to restrict access to the server's administrative tools and files, like DirectAdmin access, custombuild folder, or anything that could be used to change or modify server configurations.

I've never used Login Keys but I think it's the way to give him access, right? The main questions that come to my mind are:

- Given it's the server's main domain we need to give access to, the Login Key has to be created for the "admin" user, right? (login as admin user > user level > login keys)
- When creating the Login Key it says If no commands are checked (allow and deny), all commands are allowed., but what if I select some checkboxes for "allow" and leave the rest unchecked? Do I need to check the "deny" for everything else?
- Which commands should I select to allow the user to login via ssh and run commands like git, php/composer, etc? (I'll install git client, no need to give him access to install software on the server).
- Is there anything else I can do to restrict access to other folders outside the user's home folder?

I hope I've asked the right questions and not give you too much work to answer them. Is this the right approach?

Thank you in advance, sorry for my english :)
 
Hello,

Login Keys in Directadmin has nothing to do with connecting over SSH. Login keys are used only for connections to Directadmin.

Directadmin does not offer tools to restrict access over SSH. You should configure a chroot`ed access over SSH for your developer. Directadmin does not offer it either. It used to offer a script for it, but as far as I know it's not working.

See you can specify ChrootDirectory in /etc/ssh/sshd_config together with Match

ChrootDirectory

Specifies the pathname of a directory to chroot(2) to after authentication.At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group.After the chroot, sshd(8) changes the working directory to the user's home directory.

So it's fully up to you to find a working solution, you can use "ssh chroot" as a key-word for searching in Internet.

This one can help you:

- https://allanfeid.com/content/creating-chroot-jail-ssh-access

BUT DO NOT FOLLOW THE GUIDE UNLESS YOU KNOW FOR SURE WHAT YOU ARE DOING!
OR YOU MIGHT LOCK YOURSELF OUT OF SSH ACCESS TO YOUR SERVER
 
Alex,

I'll do some research on the matter before doing anything on my server, thanks for the link and the explanation.

It is obvious that you are a very valuable member of this community, thank you for taking the time to answer this question, even if it is not related to DirectAdmin (I really thought it was).

Regards,
Gonzalo
 
Back
Top