Generating SSH keys for 'apache' user

You may have to copy the root generated keys in the .ssh directory of your apache user.

Assuming the homedir of apache is /var/www (check /etc/passwd) and the named key is id_rsa-git :

mkdir -p /var/www/.ssh/
cp /root/.ssh/id_rsa-git /var/www/.ssh/id_rsa

No need to copy the public key.

Note : by default the key used are id_rsa or id_dsa. You may change the name of the copied key to match this.

You may also change ownership of the id_rsa key and .ssh directory:

chown -R apache:apache /var/www/.ssh
chmod 0700 /var/www/.ssh
chmod 0600 /var/www/.ssh/id_rsa

Just posting the comment of @KitCarrau, under yvan's answer, that worked for me

sudo -u apache ssh-keygen -t rsa

for debian

sudo -u www-data ssh-keygen -t rsa

after this click Enter twice, to skip passphrase

also, it suggests to create the public/private keys in /var/www/.ssh directory, even if I had my www direcotry in /home/my_user/www, that is fine.

The existing answers are either incomplete or insecure. If you put your .ssh directory into the home directory of the apache user (/var/www) then this will also most likely serve the contents of that directory and thus expose your ssh private key to the public web. To prevent this you'd have to configure apache not to serve the .ssh directory but none of the existing answers explains how to do this.

I'd also argue that it is still dangerous to have your .ssh directory be a subdirectory of your publicly served www-root because even if you add a rule to your apache config, upgrading the server or doing unrelated other configurations might override this rule without you noticing.

So here is an answer that puts the key elsewhere, where it is not served by apache by default. There is not even the need to ever become the www-data user as others are struggling with.

First, find out the home directory of our apache user, for example by looking into /etc/passwd and looking for the www-data user or however the apache user of your distribution is called. The home directory is likely /var/www.

Then run (replacing /var/www with the home directory of the apache user on your setup):

$ mkdir "$HOME/www-data.ssh"
$ ssh-keygen -q -t rsa -f "$HOME/www-data.ssh/id_rsa" -N ""
$ chown -R www-data:www-data "$HOME/www-data.ssh"
$ mkdir /var/www/.ssh
$ cat << END > /var/www/.ssh/config
> Host *
>     IdentityFile $HOME/www-data.ssh/id_rsa
> END
$ chown -R www-data:www-data /var/www/.ssh

Now your www-data user will use the ssh key in $HOME/www-data.ssh/id_rsa for all its ssh connections and since your $HOME is probably different from /var/www, that directory will not be served. So even without adding any custom rules to apache, users will be able to see your .ssh/config but they will not be able to access the private key it points to. Nevertheless, your www-data user will know how to do it.

To add to @Vincent, if you have SELinux enabled, you'll have to set the context for the new .ssh folder.

On RHEL, add the following to this file: /etc/selinux/targeted/contexts/files/file_contexts.homedirs

/var/www/[^/]*/.+       system_u:object_r:user_home_t:s0
/var/www/[^/]*/\.ssh(/.*)?      system_u:object_r:ssh_home_t:s0

And then run the command

# restorcon -Rv /var/www/

I ran into a similar issue and there is one extra snag. In order to ssh using the apache user you also need to edit the /etc/passwd file so that the directive for apache has a shell defined.

In my case I needed to change

apache:x:48:48:Apache:/var/www:/sbin/nologin

to

apache:x:48:48:Apache:/var/www:/bin/bash

I don't know if this will work on redhat (I assume that is what you're running) however, I was able to su to www-data (the apache user for debian) by executing the following:

sudo su www-data

it actually worked shrugs go figure