SpipCP
Operations

Developer access keys

Hand a developer site-scoped SFTP access in two minutes — a per-site SFTP system user inside the instance, confined to the site root, reached via ProxyJump through the node, with a one-line revoke. Never a panel login.

The Access keys tab on the site workspace lets you give a developer SFTP access to one site without giving them a panel account, an instance shell, or access to any other site. You paste their SSH public key; the panel creates an SFTP-only user inside the instance, confined to that site's folder and reachable only through the node. Revoke is one click.

An access key is NOT a panel login

A developer access key is an SSH public key for a per-site SFTP user inside the instance. It grants no panel access at all — the developer role can't do anything in the panel. Operator credentials and developer credentials are kept separate on purpose, because the damage each could do is different.

How it's scoped

  • One SFTP user per site. The username is sitedev-<8 hex of the site id> (shown in the tab as the SFTP user). All of a site's keys live in that one user's authorized_keys.
  • Confined to the site folder. The user lands in the site root (/var/www/html or /srv/app), can read and write inside it, and can't reach anything above it. They get SFTP only, never a shell.
  • Public key only. The panel only ever stores the developer's public key. Pasting a private key is rejected, as is garbage or an unsupported key type. The audit row records only the fingerprint and username — never the key itself.
  • Reached through the node. SFTP connects by jumping through the node, which is the only door — the instance is never exposed directly.

Developer handoff in 2 minutes

This is the whole loop — create a key, send the connection line, revoke when the work is done.

  1. The developer sends you their public key. If they need one:
    ssh-keygen -t ed25519 -f ~/.ssh/sitedev      # → ~/.ssh/sitedev (private) + ~/.ssh/sitedev.pub
    cat ~/.ssh/sitedev.pub                        # this PUBLIC line is what they send you
  2. Create the key in the panel. Site workspace → Access keysAdd developer key: give it a Name (e.g. "Alice's laptop"), paste the SSH public key, then Add developer key. The first key sets up the SFTP user; later keys just get added to it.
  3. Copy the connection line from the Developer handoff card and send it to the developer. It's the exact sftp command, already filled in:
    sftp -o ProxyJump=<node-user>@<node-host> <sitedev>@<instance>
    It jumps through the node (-o ProxyJump=<node-user>@<node-host>), then connects as the confined SFTP user inside the instance (<sitedev>@<instance>). They use their private key:
    sftp -o ProxyJump=<node-user>@<node-host> -i ~/.ssh/sitedev <sitedev>@<instance>
    They can put/get files inside the site folder; a write outside it is permission denied.
  4. Revoke when done. On the key's row, click Revoke and confirm. That key stops working immediately. When you revoke the last active key for the site, the SFTP user is locked, so no one can reconnect. The key row stays in the list as revoked so you can see the history.

The snippet appears once the instance is reachable

The Developer handoff card shows the connection line as soon as the site's instance and node are reachable. If the instance is down, the keys still list — only the snippet is hidden until it comes back.

What revoke does

  • Revoke one key → that key stops working. Other active keys keep working.
  • Revoke the last key → the SFTP user is also locked, so every key is refused on the next connect. Adding a new key later unlocks it.

Permissions

Listing keys and seeing the connection snippet needs SITES_ACCESS_KEYS_VIEW (operator and admin, read-only). Creating and revoking keys needs SITES_ACCESS_KEYS_MANAGE (admin). Without MANAGE, the Add form and the Revoke action are hidden.

On this page