May 29, 2021

How do you typically handle Access Rights for developing over SSH?

How do you typically handle Access Rights for developing over SSH?

I'm not a Developer by trade, but I have worked closely with our Dev team for almost 6 years. I have been pushing and vetting their DB changes for prod, but we were acquired and a DevOPs team will take that and I will be free! LOL I really like our Dev team so it wasn't a chore. I got a lot of good karma being there late with them in order to support them from the systems and db side for releases. Bought me a lot of free questions when trying to troubleshoot system issues.

I'm getting deeper into Python and I have a Dev Linux VM I spun up that has all my Python stuff on it. I am using the VSCode SSH extension to remotely modify code. I haven't ever actually developed over SSH. I write most of my stuff in PS, so haven't needed to.

The way I have always handled SSH security is –

  • I create a base user who can only SSH and see their Home directory (they connect with a key pair)
  • Then when that user is in, you have to know the admin name / pass, then su into that account to do anything high level.

Using the VSCode SSH extension means I can't utilize that second level of security. Which makes me wonder how Developers typically handle security when they need to Develop over SSH rather than have a repo they are checking code in and out of.

If I create a user for Developing over SSH, they will need to be able to do

  1. Connect via SSH
  2. Have read and write on code files.

You don't have the ability to separate access, in this case SSH and read / write on sensitive files. What is typically done in situations like this? And I understand it isn't common to develop over SSH directly on a server.

My thought would be to dynamically control directory level access. Have a group that can access certain directories, but not directories with more sensitive info. So in a case where you have a folder structure like;

+ Parent - Sub1 - Sub2 - Sensitive 

You dynamically give a group access to Sub1, Sub2, and all future folders, but never Sensitive.


submitted by /u/PartTimeTulsa
[link] [comments]