From 2ee91f95e0877fa12880819a55aae7f1ed2fc8db Mon Sep 17 00:00:00 2001 From: continuist Date: Sat, 28 Jun 2025 13:13:22 -0400 Subject: [PATCH] Update the guide to allow DEPLOY_USER to use passwordless sudo --- CI_CD_PIPELINE_SETUP_GUIDE.md | 33 +++++++++++++-------------------- 1 file changed, 13 insertions(+), 20 deletions(-) diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md index b0dc395..58a1462 100644 --- a/CI_CD_PIPELINE_SETUP_GUIDE.md +++ b/CI_CD_PIPELINE_SETUP_GUIDE.md @@ -238,7 +238,7 @@ On both Linodes, create the deployment user with sudo privileges: sudo useradd -m -s /bin/bash DEPLOY_USER sudo usermod -aG sudo DEPLOY_USER -# Set a secure password (you won't need it for SSH key auth, but it's good practice) +# Set a secure password (for emergency access only) echo "DEPLOY_USER:$(openssl rand -base64 32)" | sudo chpasswd # Copy your SSH key to the deployment user @@ -247,32 +247,25 @@ sudo cp ~/.ssh/authorized_keys /home/DEPLOY_USER/.ssh/ sudo chown -R DEPLOY_USER:DEPLOY_USER /home/DEPLOY_USER/.ssh sudo chmod 700 /home/DEPLOY_USER/.ssh sudo chmod 600 /home/DEPLOY_USER/.ssh/authorized_keys + +# Configure sudo to use SSH key authentication (most secure) +echo "DEPLOY_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/DEPLOY_USER +sudo chmod 440 /etc/sudoers.d/DEPLOY_USER ``` -##### 0.4.5 Disable Root SSH Access +**Security Note**: This configuration allows the DEPLOY_USER to use sudo without a password, which is more secure for CI/CD automation since there are no passwords to store or expose. The random password is set for emergency console access only. -On both Linodes, disable root SSH access for security: +##### 0.4.5 Test Sudo Access + +Test that the deployment user can use sudo without password prompts: ```bash -# Edit SSH configuration -sudo nano /etc/ssh/sshd_config +# Test sudo access +ssh DEPLOY_USER@YOUR_CI_CD_IP 'sudo whoami' +ssh DEPLOY_USER@YOUR_PRODUCTION_IP 'sudo whoami' ``` -Find and modify these lines: -``` -PasswordAuthentication no -PermitRootLogin no -PubkeyAuthentication yes -``` - -**Note**: We disable root SSH access entirely and use the deployment user for all SSH operations. - -Restart SSH service: -```bash -sudo systemctl restart ssh -``` - -**Important**: Test SSH access with the deployment user before closing your current session to ensure you don't get locked out. +**Expected output**: Both commands should return `root` without prompting for a password. ##### 0.4.6 Test Deployment User Access