debops-wordpress

Add cookbook

Open carlalexander opened this issue 9 years ago • 9 comments

It'd be good to add some recipes for some known situations:

  • [x] Overriding the default WordPress configuration
  • [x] Creating another sudoer user and locking down root
  • [ ] Creating an FTP user
  • [ ] Migrating an existing site

carlalexander, Jun 28 '15 11:06

Might not need to do a guide to create another sudoer user. debops bootstrap -u root created a sudo account for the account of my local machine.

carlalexander, Jul 22 '15 20:07

After talking with @drybjed a while ago, locking down root isn't ideal because some DebOps roles need the root user.

carlalexander, Aug 04 '15 20:08

Started researching how to handle SFTP users with debops.sftpusers. The main issue is that you still need SSH keys to connect to the server. It's hardcoded into sshd_config in debops.sshd.

It's more secure, but has some serious drawbacks. The average WordPress user needs to give SFTP access to their clients. These clients aren't tech-savvy and asking them to supply an SSH key isn't realistic.

Will have to take a look into how we can bypass that for that guide.

carlalexander, Aug 04 '15 20:08

@carlalexander If clients aren't tech-savvy, why do they need access to a UNIX account in the first place? You can create an account in WordPress CMS for them, which probably will end up with a password, hopefully random. But WordPress application should be reasonably secured by running php5-fpm daemon on separate user account. More security options, like AppArmor, will probably help as well in the future.

If you really want to use passwords for SSH, you can enable password authentication in debops.sshd role, but I advise strongly against that. It's 2015, there are plenty of guides on how to create SSH keys, they can even be easier to use than passwords by using ssh-agent to keep the passphrase handy for the user.

drybjed, Aug 04 '15 20:08

I want passwords for SFTP users. Not regular Unix users. That I understand, but you force it even for SFTP. It's this section that can be loosened as far as I could tell from looking around:

Subsystem sftp internal-sftp
Match group sftponly
        ChrootDirectory %h
        X11Forwarding no
        AllowAgentForwarding no
        AllowTcpForwarding no
        PasswordAuthentication no
        AuthorizedKeysFile {% if monkeysphere is defined and monkeysphere %}{{ sshd_authorized_keys_monkeysphere | default('/var/lib/monkeysphere/authorized_keys/%u') }} {% endif %}{% if sshd_authorized_keys_global is defined and sshd_authorized_keys_global %}{{ sshd_authorized_keys_global | default('/etc/ssh/authorized_keys/%u') }}{% endif %}

        ForceCommand internal-sftp

carlalexander, Aug 04 '15 21:08
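
An added example (not code from DebOps or from anyone in this thread): a small Python check that reads a rendered sshd_config and reports Match blocks where password authentication is enabled, listing which of the confinement options from the block quoted above are missing. The sample configs are constructed, and treating all five options as required for a password-enabled block is this example's assumption.

```python
# Added example: flag sshd_config Match blocks that allow password logins
# without SFTP-only confinement. Keywords are real sshd_config(5) options.
CONFINE = {"chrootdirectory": None,  # None: any value except "none"
           "forcecommand": "internal-sftp", "allowtcpforwarding": "no",
           "allowagentforwarding": "no", "x11forwarding": "no"}

def parse_blocks(text):
    """Split a rendered sshd_config into [(criteria, {keyword: value})]."""
    blocks = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            blocks.append((value, {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value obtained wins
    return blocks

def audit(text):
    """Return [(criteria, missing_keywords)] for Match blocks allowing passwords."""
    blocks = parse_blocks(text)
    global_opts, findings = blocks[0][1], []
    for criteria, opts in blocks[1:]:
        def eff(key, default=None):  # a Match value overrides the global one
            return opts.get(key, global_opts.get(key, default))
        if eff("passwordauthentication", "yes").lower() != "yes":  # OpenSSH default: yes
            continue
        missing = []
        for key, want in CONFINE.items():
            have = (eff(key) or "none").lower()
            if have == "none" or (want and have != want):
                missing.append(key)
        findings.append((criteria, missing))
    return findings

# Constructed samples: the block from the thread (rendered) and two password variants.
HEAD = "Subsystem sftp internal-sftp\nPasswordAuthentication no\nMatch group sftponly\n"
BODY = "  ChrootDirectory %h\n  X11Forwarding no\n  AllowAgentForwarding no\n"
KEY_ONLY = HEAD + BODY + "  AllowTcpForwarding no\n  PasswordAuthentication no\n  ForceCommand internal-sftp\n"
PASSWORD_CONFINED = KEY_ONLY.replace("  PasswordAuthentication no", "  PasswordAuthentication yes")
PASSWORD_LOOSE = HEAD + BODY + "  PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name in ("KEY_ONLY", "PASSWORD_CONFINED", "PASSWORD_LOOSE"):
        print(name, audit(globals()[name]))
```

On a live host, `sshd -T -C user=NAME` prints the effective settings for a given user and is the authoritative check; the parser above only inspects the file text.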

@carlalexander Yeah, you're right, it cannot be changed right now. I guess debops.sshd is overdue for an update, I wanted to convert the sshd_config file to be assembled from parts; that way other roles could drop in their own Match sections, for example. I'll try to update it soon.

drybjed, Aug 04 '15 22:08

@drybjed Yeah, that'd be great. I think it would be fair if debops.sftpusers could create regular passwords for the users too.

carlalexander, Aug 05 '15 01:08

Any progress on the FTP users? I use root to upload and then have to chown -R www-data:www-data the uploaded files.

cezarneaga, May 24 '17 10:05

No progress yet @cezarneaga. Trying to wrap up all my other documentation issues first 😞

carlalexander, May 24 '17 12:05