12

I am on Amazon EC2 using Ubuntu 10.04.2

My web folder is owned by www-data so I want to be able to log into my server as www-data for ssh and scp.

Thanks!

Adding the line to my /etc/ssh/sshd_config does not seem to work.

AllowUsers www-data
ambiguousmouse

4 Answers

7

On Debian, which Ubuntu is based on, the www-data user has /bin/sh as the default shell. To enable SFTP, you can create /var/www/.ssh/authorized_keys with your public key in it. The permissions on /var/www/.ssh should be 700, and the permissions on the authorized_keys file should be 600. You'll want to add the following to your http configuration to prohibit access to this directory.

<Directory /var/www/.ssh>
  Order Deny,Allow
  Deny from all
</Directory>

You can verify the www-data user's settings (home dir, shell, etc.) using getent passwd www-data.

Make sure your sshd_config has Subsystem sftp /usr/lib/openssh/sftp-server, and you'll probably want to set PasswordAuthentication no also.

slillibri
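
An added example, not part of the answer above or of any project's code: a shell audit of the preconditions that answer lists (login shell, 700/600 modes, sftp subsystem, password authentication off). The function names are hypothetical, and `stat -c` assumes GNU coreutils as shipped on Ubuntu and Debian.

```shell
#!/bin/sh
# Added example: audit the key-login preconditions listed in the answer above.
# Function names are hypothetical; stat -c is GNU coreutils (Ubuntu/Debian).

# Octal mode of a path, or an empty string if the path does not exist.
mode_of() { stat -c '%a' "$1" 2>/dev/null || true; }

# check_shell PASSWD_LINE: field 7 must be a usable login shell.
check_shell() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        ""|*/nologin|*/false) echo "FAIL shell '$shell' refuses logins"; return 1 ;;
    esac
    echo "OK   shell $shell"
}

# check_ssh_dir HOME: HOME/.ssh must be 700 and authorized_keys 600.
check_ssh_dir() {
    rc=0
    for spec in ".ssh:700" ".ssh/authorized_keys:600"; do
        path="$1/${spec%%:*}"; want="${spec##*:}"; got=$(mode_of "$path")
        if [ "$got" = "$want" ]; then echo "OK   $path mode $got"
        else echo "FAIL $path mode '${got:-missing}', want $want"; rc=1; fi
    done
    return $rc
}

# check_sshd_config FILE: sftp subsystem defined, and the first
# uncommented PasswordAuthentication value is "no" (unset means yes).
check_sshd_config() {
    rc=0
    awk 'tolower($1)=="subsystem" && $2=="sftp" {f=1} END {exit !f}' "$1" ||
        { echo "FAIL no 'Subsystem sftp' line in $1"; rc=1; }
    pw=$(awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}' "$1")
    [ "$pw" = no ] || { echo "FAIL PasswordAuthentication is '${pw:-unset}', want no"; rc=1; }
    return $rc
}

# Touch the live system only when asked: sh audit.sh --audit [user]
if [ "${1:-}" = "--audit" ]; then
    entry=$(getent passwd "${2:-www-data}") || { echo "FAIL no such user"; exit 1; }
    status=0
    check_shell "$entry" || status=1
    check_ssh_dir "$(printf '%s\n' "$entry" | cut -d: -f6)" || status=1
    check_sshd_config /etc/ssh/sshd_config || status=1
    exit $status
fi
```

The checks do not follow Match blocks in sshd_config and do not verify file ownership, so a passing run covers only the items the answer names.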
2

This is kind of insecure. I would suggest you upload to an intermediate area using another user and run a cron job from time to time to move stuff where it belongs and change its permissions accordingly.

If you really insist on logging on as www-data, you must use a ssh private key to do that (AFAIK EC2 instances only allow key authentication). You must also check that www-data has a valid shell on /etc/passwd and a valid home dir.

In the end, you can also try some solutions of this question.

coredump
  • I was planning on using a ssh private key to do that. But if I use cron to copy the files over, wouldn't it be a bit slow because I would have to wait for the cron script to copy it over. Also, I wouldn't be able to upload files. What I really want is something like FTP for www-data but secure like scp. – ambiguousmouse Apr 18 '11 at 00:11
  • The other solutions I give are feasible, I only don't like the idea. – coredump Apr 18 '11 at 00:39
0

A cleaner way to do this, without relying on cron jobs to do the actual work of placing the files in the documentroot, is to make your "regular" SSH account a member of the www-data group:

# add your current user to www-data group
sudo usermod -a -G www-data myusername
# restore standard user/group ownership on your webserver documentroot
sudo chown -R root:www-data /path/to/your/webserver/documentroot

This way the myusername user will have read/write access to the webserver root directory.

mp04
  • ⚠ **WARNING** ⚠ `sudo usermod -G` replaces all of your groups. You want `sudo usermod -a -G`. I almost lost `sudo` access on my server. – Aido Feb 28 '21 at 21:50
-4

Logging in as www-data for scp is a waste of time.

For the scp command, why don't you use ssh2_scp_send for transferring files? It is simple and doesn't need you to add-ssh or create a public key for the user www-data.

For example:

ssh2_scp_send($connection, '/directory/filename', '/remotedirectory/filename', 0644);

should work.

Journeyman Geek