I'm not a Developer by trade, but I have worked closely with our Dev team for almost 6 years. I have been pushing and vetting their DB changes for prod, but we were acquired and a DevOps team will take that and I will be free! LOL. I really like our Dev team so it wasn't a chore. I got a lot of good karma being there late with them in order to support them from the systems and db side for releases. Bought me a lot of free questions when trying to troubleshoot system issues.
I'm getting deeper into Python and I have a Dev Linux VM I spun up that has all my Python stuff on it. I am using the VSCode SSH extension to remotely modify code. I haven't ever actually developed over SSH. I write most of my stuff in PS, so haven't needed to.
The way I have always handled SSH security is:
- I create a base user who can only SSH and see their Home directory (they connect with a key pair)
- Then when that user is in, you have to know the admin name / pass, then su into that account to do anything high level.
Using the VSCode SSH extension means I can't utilize that second level of security. Which makes me wonder how Developers typically handle security when they need to Develop over SSH rather than have a repo they are checking code in and out of.
If I create a user for Developing over SSH, they will need to be able to:
- Connect via SSH
- Have read and write on code files.
You don't have the ability to separate access, in this case SSH and read / write on sensitive files. What is typically done in situations like this? And I understand it isn't common to develop over SSH directly on a server.
My thought would be to dynamically control directory level access. Have a group that can access certain directories, but not directories with more sensitive info. So in a case where you have a folder structure like:
- Parent
  - Sub1
  - Sub2
  - Sensitive
You dynamically give a group access to Sub1, Sub2, and all future folders, but never Sensitive.
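The layout described in the post can be checked mechanically. The sketch below is an added example, not part of the original post: it audits Unix mode bits so that a developer group reaches every folder under Parent except Sensitive, and verifies that Parent carries the setgid bit so future folders inherit the group. The gid 2000 and the sample modes are constructed, and the check assumes plain mode bits (no ACLs) and that developers do not own the folders.

```python
import os
import stat

def scan(parent):
    """Map '.' (the parent itself) and each direct subfolder to (mode, gid)."""
    found = {".": os.stat(parent)}
    with os.scandir(parent) as it:
        for e in it:
            if e.is_dir(follow_symlinks=False):
                found[e.name] = e.stat(follow_symlinks=False)
    return {name: (st.st_mode, st.st_gid) for name, st in found.items()}

def granted(mode, gid, dev_gid):
    """rwx bits (0-7) a dev-group member who is not the owner receives."""
    return (mode >> 3) & 7 if gid == dev_gid else mode & 7

def audit(entries, dev_gid, sensitive=("Sensitive",)):
    """Return findings where the tree departs from the intended layout."""
    findings = []
    for name, (mode, gid) in sorted(entries.items()):
        bits = granted(mode, gid, dev_gid)
        if name == ".":
            # setgid + dev group on the parent is what makes future
            # folders inherit the group without anyone re-running chgrp.
            if gid != dev_gid or not (mode & stat.S_ISGID):
                findings.append("Parent: new folders will not inherit the dev group")
            if (bits & 0o5) != 0o5:
                findings.append("Parent: dev group cannot list or traverse")
        elif name in sensitive:
            if bits:
                findings.append(f"{name}: dev group has access ({bits:o})")
        elif bits != 0o7:
            findings.append(f"{name}: dev group lacks rwx ({bits:o})")
    return findings

# Constructed sample: gid 2000 is a hypothetical "devs" group, gid 0 is root.
SAMPLE = {
    ".":         (0o42770, 2000),
    "Sub1":      (0o42770, 2000),
    "Sub2":      (0o40750, 2000),  # created under a restrictive umask
    "Sensitive": (0o40755, 0),     # world-readable, so devs can enter it
}

if __name__ == "__main__":
    for line in audit(SAMPLE, dev_gid=2000):
        print(line)
```

Run `audit(scan("/path/to/Parent"), dev_gid)` against a real tree. The setgid bit only carries the group forward; whether a new folder is group-writable still depends on the creating user's umask, which is the gap default ACLs close.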