SSH Keys access for multiple developers

ragu1059

Member
Oct 17, 2019
London
cPanel Access Level
Root Administrator
Hey!

I work with a team of developers on multiple websites. Each website has its own cPanel account. Everyone is making their own FTPs for each cPanel account but this is a pain when someone joins/leaves as we have to go through everything and delete their FTP accounts etc. So we thought of using SSH keys - I was wondering if it was possible to create an SSH key and add it to each account. I can use the skeleton directory for new cPanel accounts and run a command for other ones but then I get a PAM auth error so I'm guessing it won't allow me to use an SSH key on another cPanel account even if I add it to the authorized_keys file.

Anyone have suggestions or even better, a smarter way of doing it?

Thanks!
 

rackaid

Well-Known Member
Jan 18, 2003
Jacksonville, FL
cPanel Access Level
DataCenter Provider
I think this is what you are doing but not sure how you were automating it. But outside of using a full key management system, here is a simple system.

Give each of your devs their own key. Make sure they use a good passphrase on the key. Then create an authorized_keys file containing each key from your devs.

You add the auth key file to each cPanel account. Your devs would then login using the cPanel's account user name but are authenticated with their own key.

I also recommend making sure the key is annotated (ssh-keygen does this automatically). This way you can tell who the key belongs to.

Code:
ssh-rsa AAAAB3NzaC1yc2EAAA...zAiVaOFy5Lwc8Lo+Jk=  Fred @ Project FOOBAR

In case of staff changes, you would need to refresh your authorized_keys files, but that can be automated via scripting if needed.


Also, there are some server-side key options:

A couple of useful ones are setting an expires date and the from option.

With the from option, you can limit which IPs can use the key. This may not be as useful for web dev, but for sysadmin work using a jumpbox, this is useful.

The expires can cause a key to time out. Just make sure you have one key that never times out. This way you can auto-expire dev keys if you wanted to.

As with any system, there are risks. If a web dev's key is compromised, the attacker can access all of the accounts. So once access is not needed, I recommend removing the unused keys.
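One way to script the shared authorized_keys refresh described in the post above, with the from and expires options applied per developer (OpenSSH spells the latter `expiry-time`). This is an added example, not code from the thread; the roster layout, function names and placeholder key blobs are assumptions.

```python
import os
import tempfile
from datetime import date

# Constructed roster: key blobs are placeholders, not real keys.
ROSTER = [
    {"key": "ssh-ed25519 AAAAC3PLACEHOLDER1 fred@project-foobar",
     "from": "203.0.113.0/24", "expires": date(2031, 1, 31)},
    {"key": "ssh-ed25519 AAAAC3PLACEHOLDER2 ops-breakglass"},  # never expires
    {"key": "ssh-ed25519 AAAAC3PLACEHOLDER3 alice@foobar", "expires": date(2020, 6, 30)},
    {"key": "ssh-ed25519 AAAAC3PLACEHOLDER4 bob@project-foobar", "active": False},
]


def key_line(dev):
    """Build one authorized_keys line: [options] type blob comment."""
    key = dev["key"].strip()
    if "\n" in key or len(key.split()) < 3:
        raise ValueError("need a single-line key with an owner comment")
    opts = []
    if "from" in dev:
        opts.append('from="%s"' % dev["from"])
    if "expires" in dev:
        opts.append('expiry-time="%s"' % dev["expires"].strftime("%Y%m%d"))
    if any(o.count('"') != 2 for o in opts):
        raise ValueError("quote character inside an option value")
    return (",".join(opts) + " " if opts else "") + key


def render(roster, today):
    """Keep active, unexpired developers; leavers drop out on the next refresh."""
    keep = [d for d in roster
            if d.get("active", True) and d.get("expires", date.max) > today]
    return "".join(key_line(d) + "\n" for d in keep)


def deploy(text, home, uid=None, gid=None):
    """Atomically replace <home>/.ssh/authorized_keys with modes sshd accepts."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    fd, tmp = tempfile.mkstemp(dir=ssh_dir)  # mkstemp creates the file 0600
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    if uid is not None:  # root run: hand ownership to the cPanel account user
        os.chown(ssh_dir, uid, gid)
        os.chown(tmp, uid, gid)
    dest = os.path.join(ssh_dir, "authorized_keys")
    os.replace(tmp, dest)
    return dest
```

Run as root, `deploy()` would be called once per cPanel account home with that account's uid and gid, so a staff change is one roster edit followed by a refresh.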
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Another thing to note here is that cPanel allows SSH access for the cPanel user only. cPanel does not support multiple cPanel users, so I'm not seeing how this would be a viable solution in a supported manner.

cPanel does have Manage SSH Access where you can generate an SSH key, but if one developer needed access to multiple accounts they would need different SSH keys for each account - you would also not want to have one SSH key for all users.