7

I have an Ubuntu 14.04 server, where Apache runs as user www-data. I would like to be able to log into the server via ssh as www-data.

How can I define a password for www-data without breaking the Apache service?

How do I add www-data to the list of allowed ssh users?

Edit

I understand from the question that was marked as duplicate, that it is not the most secure solution to give www-data access via ssh, but I need to do it for a different reason at least temporarily.

Here is the reason why I need to log into the server as www-data: I want my webserver to ssh into a remote host without providing a password. In order to be able to set this up, I need to log in as www-data, generate an ssh key and send it to that remote host.

  • 1
    This question has been asked many times, the link I gave is IMO most secure. You would not want to give ssh (shell access) to var-www – Panther Nov 24 '15 at 17:53
  • @bodhi You are right, I found this question a couple of times, but the two sub-questions above were never clearly answered. – Lorenz Meyer Nov 24 '15 at 18:33
  • If you do not have root access, talk to your web host / sysadmin – Panther Nov 24 '15 at 18:35
  • No, please re-read my question. It does not refer to the hosting account, but to my physical server. – Lorenz Meyer Nov 24 '15 at 18:37
  • 1
    You configure ssh in /var/www/sshd_config and set a password with passwd. – Panther Nov 24 '15 at 18:40
  • @bodhi OK, I understand so far, but isn't it breaking the Apache service, when I set a password on www-data? (maybe a stupid question, but on Windows I would have to set that password in the service startup parameters) – Lorenz Meyer Nov 24 '15 at 18:43

1 Answer

26

There are three things to do to allow a 'service user' like www-data to log in via ssh.

  1. Set a password for www-data

    sudo passwd www-data 
    
  2. Define a shell for www-data. You can do this using chsh or by editing /etc/passwd. Replace /usr/sbin/nologin or similar by /bin/bash on the line of the user.

  3. Give permission for login via ssh: edit /etc/ssh/sshd_config and add the following line (do not forget to enumerate all the users that need ssh access):

    AllowUsers www-data
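
Since the access is meant to be temporary, a check like the following can confirm afterwards whether each of the three settings from the answer is still in place for the account. It is an added example, not part of the original answer; the function name `ssh_login_state`, the `admin` user and all file contents are constructed for illustration, and the password hash is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Reports the three settings the
# answer changes for one account, reading the files passed as arguments.
# Simplifications: exact-name AllowUsers entries only; DenyUsers, group
# directives and Match blocks are ignored.
ssh_login_state() {
    user=$1; passwd_file=$2; shadow_file=$3; sshd_config=$4
    open=0
    if ! grep -q "^$user:" "$passwd_file"; then
        echo "account: $user not found"; return 2
    fi
    # Step 1: shadow field 2. '*' or a leading '!' means no usable password;
    # an empty field is refused by sshd's default PermitEmptyPasswords no.
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
    case $hash in
        ''|'*'|'!'*) echo "password: locked or empty" ;;
        *) echo "password: set"; open=$((open + 1)) ;;
    esac
    # Step 2: passwd field 7. An empty field means the default /bin/sh.
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
    case $shell in
        */nologin|*/false) echo "shell: $shell (no login)" ;;
        *) echo "shell: ${shell:-/bin/sh}"; open=$((open + 1)) ;;
    esac
    # Step 3: without any AllowUsers line sshd does not restrict by user name.
    allowed=$(awk -v u="$user" '
        tolower($1) == "allowusers" { seen = 1
            for (i = 2; i <= NF; i++) if ($i == u) hit = 1 }
        END { print ((!seen || hit) ? "yes" : "no") }' "$sshd_config")
    echo "AllowUsers permits: $allowed"
    [ "$allowed" = yes ] && open=$((open + 1))
    [ "$open" -eq 3 ]   # status 0 only when all three conditions hold
}

# Constructed sample files: "before" is a stock service account, "after"
# has the answer's three steps applied ("admin" is a hypothetical user).
d=$(mktemp -d)
printf '%s\n' 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' > "$d/passwd.before"
printf '%s\n' 'www-data:*:16763:0:99999:7:::' > "$d/shadow.before"
printf '%s\n' 'PermitRootLogin no' 'AllowUsers admin' > "$d/sshd.before"
printf '%s\n' 'www-data:x:33:33:www-data:/var/www:/bin/bash' > "$d/passwd.after"
printf '%s\n' 'www-data:$6$constructed$placeholder:16763:0:99999:7:::' > "$d/shadow.after"
printf '%s\n' 'PermitRootLogin no' 'AllowUsers admin www-data' > "$d/sshd.after"
for s in before after; do
    echo "== $s =="
    ssh_login_state www-data "$d/passwd.$s" "$d/shadow.$s" "$d/sshd.$s" \
        && echo "=> password login over ssh possible" \
        || echo "=> password login over ssh not possible"
done
```

On a live system the same function can be pointed at /etc/passwd, /etc/shadow (readable by root only) and /etc/ssh/sshd_config.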