
Create SSH access for my developer - HOW?

Posted: 2020/11/20 23:51:00
by iwas9409
I have a new CentOS 7 cloud server.

I have hired a developer to set up the server to serve a PHP, MySQL web app.

The developer needs SSH-Root access.

I have Root SSH access, BUT I am guessing I should create a new SSH user account for the developer.

What are the SSH commands for me to create a new user for my developer?

Thank you in advance...from a guy learning about server access for a developer.

-Tom

Re: Create SSH access for my developer - HOW?

Posted: 2020/11/21 11:27:02
by KernelOops
Root is only one, so you need to share the same account, by using two different ssh keys.

The file /root/.ssh/authorized_keys should already contain your own public key. All you need to do is add your developer's public key and he'll get full root access to the server.

So the first step is to ask him for his public key, and the second step is to add it to your authorized_keys file.

Re: Create SSH access for my developer - HOW?

Posted: 2020/11/21 15:32:39
by jlehtone
The best practice is to completely disable login as root.

Create a normal account for each user. Give those accounts permission to use 'sudo'.

Re: Create SSH access for my developer - HOW?

Posted: 2020/11/21 17:21:18
by KernelOops
sudo is for the weak minded and those who don't really know what they are doing :mrgreen:

Re: Create SSH access for my developer - HOW?

Posted: 2020/11/21 21:27:41
by iwas9409
@KernelOops do you have a best practice recommendation?

Re: Create SSH access for my developer - HOW?

Posted: 2020/11/21 21:43:13
by KernelOops
I was just making fun with my last comment.

On a more serious note, the recommendation to use sudo is valid in some cases when you MONITOR ssh access, thus separate accounts get their own login session logged separately, while if you ssh as root, then there is no separation between admin logins. In other words, you know what you are doing and you have a monitoring system in place, so use sudo. For everyone else, sudo is just a stupid extra step to becoming root. So my best practice suggestion is to not use sudo; it will just confuse you by prefixing sudo on your commands.

Another reason why sudo is stupid is that these days serious management is being done with tools like Ansible; there is no need to log in to 100+ servers to run a command or to change some config file. Ansible offers a reliable, documented, smooth and secure way to manage servers.

It makes me smile when I see people sudo this... sudo that... sudo the next.. wtf people.

Re: Create SSH access for my developer - HOW?

Posted: 2020/11/21 21:47:27
by iwas9409
Thanks. So do I give my developer the root username/password?

What do you recommend to get developer(s) access to the server?

Re: Create SSH access for my developer - HOW?

Posted: 2020/11/21 22:05:17
by TrevorH
No, you don't give anyone the root credentials. You set up a user for them, you give them sudo access to run anything that does need root ability as that is logged and you can keep track of what they're doing.

Re: Create SSH access for my developer - HOW?

Posted: 2020/11/21 22:16:46
by iwas9409
Ok...so to set up a new user I do this...right?

adduser mynewuser

Then set up a password for the new user:

passwd mynewuser

I need the developer to set up the server as a web server: Apache, PHP, MySQL, and move the Laravel files up to the server. They are in GitHub.

How do I give this new user sudo access to run anything that does need root ability?
I have found somewhere that I might have to tweak visudo to include:
## Allow root to run any commands anywhere
mynewuser ALL=(ALL) ALL

Re: Create SSH access for my developer - HOW?

Posted: 2020/11/22 11:38:37
by jlehtone
If you really want the developer to be able to run all commands as any user, then it is easier to just add the account to group 'wheel' (and not edit any sudoers config).

The 'useradd' command has option '--groups' to do that.
If you have already created the account, then command 'usermod' is the tool to change group memberships.


However, services like Apache, PHP, MySQL have three parts:
1. The packages that have to be installed. Note that if you grant just the right to run 'yum' as root, you do already make it possible to run all commands as any user via installing a suitable (self-written) package.
2. Configuration of the service. This usually requires admin access.
3. Content. "Moving files to server." This does not require admin access.

Could you collaborate with your developer so that you do steps 1 and 2 and she focuses on 3?
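
The per-user setup recommended in the replies above (own account, 'wheel' group for sudo, the developer's public key, then checking whether root login is still allowed), as an added example that is not part of the original thread. The account name, key file path, script name and the /home location are placeholders and assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. "devuser" and key paths are placeholders.

# Print the first explicit PermitRootLogin value in an sshd_config file
# (sshd keeps the first value it reads for a keyword), or "unset" if none.
# Simplification: Match blocks are not interpreted.
root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Write one public key to <home>/.ssh/authorized_keys (new account, so the
# file is created fresh) with the modes sshd's StrictModes check accepts.
# Refuses multi-line input and anything that is not a public key line.
install_pubkey() {
    ik_home=$1; ik_key=$2
    ik_nl='
'
    case $ik_key in
        *"$ik_nl"*) echo "expected a single line" >&2; return 1 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key" >&2; return 1 ;;
    esac
    mkdir -p "$ik_home/.ssh" && chmod 700 "$ik_home/.ssh" || return 1
    printf '%s\n' "$ik_key" > "$ik_home/.ssh/authorized_keys" || return 1
    chmod 600 "$ik_home/.ssh/authorized_keys"
}

# As root: sh add-dev.sh --apply devuser /path/to/dev_key.pub
if [ "${1:-}" = "--apply" ]; then
    user=$2; keyfile=$3
    useradd --create-home --groups wheel "$user" || exit 1
    install_pubkey "/home/$user" "$(cat "$keyfile")" || exit 1
    chown -R "$user:$user" "/home/$user/.ssh"
    echo "PermitRootLogin: $(root_login_setting /etc/ssh/sshd_config)"
    echo "After $user has logged in and run sudo, set 'PermitRootLogin no' and reload sshd."
fi
```

Keep an existing root session open until the new account has logged in with its key and run a sudo command successfully.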