by pdkl95 2347 days ago
> For some of them, the www-data's home directory is the DocumentRoot

“Well, there’s your problem.”

Don't expose any ${HOME} to the world! SSH keys are not the only exploitable files in a typical homedir (or even auto-generated from /etc/skel/)! A few files that come to mind:

    # other keys
    ~/.gnupg/

    # probably lots of app-specific risks
    # (e.g. saved login info)
    ~/.cache/
    ~/.config/
    ~/.local/share/

    # if it's also a desktop system running X
    ~/.Xauthority
    ~/.mozilla/

Yes, protecting ~/.id* with a passphrase is important and leaking ~/.ssh/known_hosts can have consequences, but this type of exploit shouldn't even be possible. Don't share your homedir - which contains most user-level config files on UNIX systems - with the world. DocumentRoot needs to be contained in a subdir. (edit: or even better, contained somewhere outside of /home where it won't overlap with common file paths)
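A check for the overlap described in the comment above, as an added example that is not part of the original thread: it compares a DocumentRoot against the home directories in passwd(5)-format text and lists which of the named dotfile paths exist under a served directory. The function names and the sample passwd entries are constructed for illustration, and the path comparison is lexical (symlinks are not resolved).

```python
import os

# Home-relative paths named in the comment above, plus ~/.ssh from the thread.
SENSITIVE = (".ssh", ".gnupg", ".cache", ".config", ".local/share",
             ".Xauthority", ".mozilla")

def parse_homes(passwd_text):
    """Map user -> home directory from passwd(5)-format text."""
    homes = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # Skip malformed lines and accounts whose home is empty, relative or "/".
        if len(fields) == 7 and fields[5].startswith("/") and fields[5].strip("/"):
            homes[fields[0]] = os.path.normpath(fields[5])
    return homes

def _within(path, parent):
    """True if path equals parent or lies beneath it (component-wise, not a string prefix)."""
    return os.path.commonpath([path, parent]) == parent

def classify(docroot, homes):
    """Return (verdict, users): 'exposed' if a home directory is served,
    'inside-home' if the DocumentRoot is only a subdirectory of a home, else 'ok'."""
    docroot = os.path.normpath(docroot)
    served = sorted(u for u, h in homes.items() if _within(h, docroot))
    if served:
        return "exposed", served
    parents = sorted(u for u, h in homes.items() if _within(docroot, h))
    return ("inside-home", parents) if parents else ("ok", [])

def dotfiles_present(docroot):
    """List the SENSITIVE entries that actually exist under docroot on disk."""
    return [p for p in SENSITIVE if os.path.lexists(os.path.join(docroot, p))]

# Constructed sample passwd entries (not from the page).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    homes = parse_homes(SAMPLE_PASSWD)
    for root in ("/var/www", "/var/www/html", "/srv/site/public", "/home"):
        print(root, classify(root, homes))
```

An "inside-home" verdict matches the subdirectory layout the comment calls for; "ok" matches the stricter layout from its edit, where the DocumentRoot sits outside every home directory.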

Why would www-data need a private key though?

It doesn't, but if someone is shelling around on the server, they might throw a key in there for convenience, maybe in order to scp something from another machine, and then forget to remove it when they're done.

One can debate whether the root cause is forgetfulness, or rather that people shouldn't be sshing into prod servers to begin with.

Ever putting private data in a public place is an unacceptable risk. Even if you remember to remove it, there is a window of vulnerability. And there are people out there constantly probing for weaknesses.