php-general Digest 24 Jun 2010 08:21:40 -0000 Issue 6813
Topics (messages 306382 through 306392):
Re: Problem with ssh2_connect
306382 by: Brandon Rampersad
306387 by: Radek Krejča
306392 by: Radek Krejča
Re: In what scenario an extension of a class is useful?
306383 by: Daevid Vincent
Re: How to store encrypted data and how to store the key?
306384 by: Michael Shadle
306385 by: Peter Lind
306386 by: Michael Shadle
IIS, PHP and HTML
306388 by: Phillip Baker
306389 by: Ashley Sheridan
306390 by: Tommy Pham
306391 by: Ashley Sheridan
----------------------------------------------------------------------
--- Begin Message ---
Do you have lexneter installed? I think that could be the problem.
2010/6/23 Radek Krejča <[email protected]>
> >
> > Make sure that....
> >
> > .... the key file exists by that name in the location you're
> > specifying (hint: use a full path).
> It's in ssh2_auth_public..., yes, I am using full path there.
> > .... it is the right key for that server.
> Yes, I use it with ssh command from line on the same computer.
> > .... the permissions on the file are very strict (chmod 0400 ssh-rsa).
> My private key has 0400
>
> >
> >
> I got error message immediately after $connection =
> ssh2_connect('test.starnet.cz', 22, array('hostkey'=>'ssh-rsa'), $methods);,
> so $connection is invalid resource for other function.
>
> I have rsa keys, but if I use ssh-dss (hostkey), it's without warning - but
> I can't connect with keys.
>
> Radek
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
A Brandon_R Production
--- End Message ---
--- Begin Message ---
> Do you have lexneter installed? I think that could be the problem.
>
> 2010/6/23 Radek Krejča <[email protected]>
> >
> > Make sure that....
What is lexneter please?
Radek
--- End Message ---
--- Begin Message ---
Hi, new symptoms...
So, I have following:
1. created rsa keys - tested over ssh command - on remote server is public key
renamed to authorized_keys, on local machine I have both keys
2. rights on local machine:
-r-------- 1 radek wheel 1675 23 led 2007 radek
-r-------- 1 radek wheel 229 24 crv 10:05 radek.pub
3. rights on remote machine
-r-------- 1 radek wheel 402 Jun 26 2006 authorized_keys
4. script
----------------------------------------------------------------------------
<?php
$methods = array(
    'kex' => 'diffie-hellman-group1-sha1',
    'hostkey' => 'ssh-dss',
    'client_to_server' => array(
        'crypt' => '3des-cbc',
        'mac' => 'hmac-md5',
        'comp' => 'none'),
    'server_to_client' => array(
        'crypt' => '3des-cbc',
        'mac' => 'hmac-md5',
        'comp' => 'none'));
$connection = ssh2_connect('test.starnet.cz', 22, $methods);
if (ssh2_auth_pubkey_file($connection, 'radek',
        '/home/radek/.ssh/radek.pub',
        '/home/radek/.ssh/radek')) {
    echo "Public Key Authentication Successful\n";
} else {
    die('Public Key Authentication Failed');
}
?>
----------------------------------------------------------------------------
5. result of script
php pokus.php
Assertion failed: (session->userauth_pblc_method_len ==
_libssh2_ntohu32(pubkeydata)), function userauth_publickey, file userauth.c,
line 982.
Abort trap: 6 (core dumped [obraz pameti ulozen])
6. if I use method ssh-rsa, I got message written in latest e-mail
7. both computers are FreeBSD, php from fresh ports
8. connection to Mikrotik over password (I can't use it there) without problem
(with these methods of course):
$methods = array(
    'kex' => 'diffie-hellman-group1-sha1',
    'client_to_server' => array(
        'crypt' => '3des-cbc',
        'comp' => 'none'),
    'server_to_client' => array(
        'crypt' => 'aes256-cbc,aes192-cbc,aes128-cbc',
        'comp' => 'none'));
What do I have wrong?
Thank you
Radek
--- End Message ---
--- Begin Message ---
Priceless. Could also be extended applied to babies too. ;-p
object babies extends mammal (
function eat (milk $food)
)
ROFL.
> -----Original Message-----
> From: Rene Veerman [mailto:[email protected]]
> Sent: Tuesday, June 22, 2010 11:58 PM
>
> object mammal (
> function eat (mixed $food)
> function shit ()
> function sleep()
> )
--- End Message ---
--- Begin Message ---
I talked with a friend who actually had this implemented before and
banks had signed off on it after reviewing it.
load balancer (irrelevant to the security piece)
web server(s) - only accepts traffic to port 80/443. can only forward
requests on to the app server, one direction.
app server(s) - processes the PHP/etc. has access to the
encryption/decryption keys. can only send established packets back to
the webserver, and traffic to the db. cannot connect outbound to the
net.
db server(s) - stores the data. choose how you want to encrypt. they
did not encrypt data at rest in their setup, the bank would have
'preferred' it but was not willing to buy the license for the
encryption plugin. however, the app tier could handle the
encryption/decryption.
all machines were only accessible via VPN, not the WAN.
due to that, assuming physical access is not an issue:
if the webserver got exploited, it could only talk to the app server
using http. it has no access to the encryption key, nor the database.
only one direction of communication. if the app server somehow got
exploited (someone somehow got a trojan installed) it can't
communicate outbound, so unless they figured some creative way to make
the app server expose information through the open port only for the
webserver, it's useless. and to install the trojan, typically people
fetch remote files - well, the app tier can't communicate outbound.
it's pretty damn secure for a web app. you could theoretically pair
the app server and db server on the same box - you could probably make
that work too. depends on how large you need to scale and the
architecture required.
anyway... anyone have any comments or holes to poke in this theory?
On Wed, Jun 23, 2010 at 12:55 AM, Tommy Pham <[email protected]> wrote:
>> -----Original Message-----
>> From: Peter Lind [mailto:[email protected]]
>> Sent: Wednesday, June 23, 2010 12:22 AM
>> To: Michael Shadle
>> Cc: PHP-General
>> Subject: Re: [PHP] How to store encrypted data and how to store the key?
>>
>> On 23 June 2010 09:11, Michael Shadle <[email protected]> wrote:
>> > This is somewhat related to the whole PCI/credit card discussion a
>> > couple weeks back. The consensus was basically "leave it to other
>> > people" - however, what if YOU are the other person?
>> >
>> > I wonder if anyone has some BKMs to share about encrypting data in a
>> > web application. A lot of people take the most obvious approach, but
>> > it's fundamentally flawed, that is:
>> >
>> > I take data from the user, I encrypt it (using PHP crypto, or MySQL
>> > crypto, etc.) and a key stored in my config file, and put it into the
>> > database. Then when I want to get it back, I just use decrypt + the
>> > key in my config file. The issue there? If your server is compromised
>> > and the database is accessible, they'll have the key to decrypt the
>> > data right off the server. They can pull down copies of everything or
>> > even write their own script ON the server itself to extract the data.
>> >
>> > This has been one thing that I have not really been able to figure out
>> > yet. You could separate the servers, and figure out some very hard way
>> > for them to communicate, but when it comes down to it, the webserver
>> > needs to access the data. For example, the webserver could be behind a
>> > fully firewalled setup that only allows MySQL traffic. However, the
>> > webserver has to access the data still.
>> >
>> > I assume the only solution is somehow storing the key in a third
>> > place, so the accessor has to get the key somehow before accessing the
>> > encrypted data. But again - how to automatically allow access for only
>> > the webapp? I thought of per-user keys, but that isn't an appropriate
>> > solution for something that needs to be encrypted using the same key.
>> >
>> > Has anyone had to implement anything like this? Is there a good
>> > whitepaper on something like this? Especially relating to HIPAA
>> > requirements. PCI would be nice too, but I'm sure once this major
>> > "unknown" in my mind is addressed, the general concepts are common,
>> > probably just differences in levels of firewalling, cryptography
>> > strength, physical access to the machines, etc.
>> >
>> > Please keep this on topic - this is about the people who DO have to
>> > address this issue, not something about "just offload it to other
>> > guys" - that's an obvious choice already, and not one that is allowed
>> > depending on the job.
>> >
>>
>> I haven't had to implement a scheme like this but for an app I'm working on
>> we've been considering the same issues in order to keep member data safe.
>> I would say your best bet is to keep the decryption key in memory while the
>
> This is something I'm very interested in hearing more about since our other
> discussion about PHP & threads and how some list members prefer the 'share
> nothing' approach. That said, how would you access the memory for every
> individual sessions that need that decrypting code/key when nothing is
> shared? (I'm assuming that this would be purely in PHP :)
>
> Regards,
> Tommy
>
>> app is running. Initialize it by hand whenever the server is started - don't
>> store it on the disk. Yes, your server won't be able to start up the app on
>> its own but that's the security in the design, not a flaw. If you want
>> automatic access for the web-app you've compromised security (anyone
>> compromising the server has automatic access as well).
>> You're essentially looking at the old problem: if it runs it can be broken.
>> You can only try to make it as hard as possible but there's nothing foolproof.
>>
>> Regards
>> Peter
>>
>> --
>> <hype>
>> WWW: http://plphp.dk / http://plind.dk
>> LinkedIn: http://www.linkedin.com/in/plind
>> BeWelcome/Couchsurfing: Fake51
>> Twitter: http://twitter.com/kafe15
>> </hype>
>>
--- End Message ---
--- Begin Message ---
On 23 June 2010 20:55, Michael Shadle <[email protected]> wrote:
> I talked with a friend who actually had this implemented before and
> banks had signed off on it after reviewing it.
>
> load balancer (irrelevant to the security piece)
>
> web server(s) - only accepts traffic to port 80/443. can only forward
> requests on to the app server, one direction.
>
> app server(s) - processes the PHP/etc. has access to the
> encryption/decryption keys. can only send established packets back to
> the webserver, and traffic to the db. cannot connect outbound to the
> net.
>
> db server(s) - stores the data. choose how you want to encrypt. they
> did not encrypt data at rest in their setup, the bank would have
> 'preferred' it but was not willing to buy the license for the
> encryption plugin. however, the app tier could handle the
> encryption/decryption.
>
> all machines were only accessible via VPN, not the WAN.
>
> due to that, assuming physical access is not an issue:
>
> if the webserver got exploited, it could only talk to the app server
> using http. it has no access to the encryption key, nor the database.
> only one direction of communication. if the app server somehow got
> exploited (someone somehow got a trojan installed) it can't
> communicate outbound, so unless they figured some creative way to make
> the app server expose information through the open port only for the
> webserver, it's useless. and to install the trojan, typically people
> fetch remote files - well, the app tier can't communicate outbound.
>
> it's pretty damn secure for a web app. you could theoretically pair
> the app server and db server on the same box - you could probably make
> that work too. depends on how large you need to scale and the
> architecture required.
>
> anyway... anyone have any comments or holes to poke in this theory?
>
I'm just wondering if this is a correct understanding:
1. plaintext data arrives on the web frontend.
2. It's sent to the app server
3. It's encrypted and sent to the DB server
Where does the data go after step 3? Does encrypted data go back out
to the app server? In which case, what's to stop me from exploiting
the web-server and then sending *bad data/commands* to the app server?
But maybe I'm taking this too far: are you only looking at security in
terms of storage? I.e. is this merely a question of avoiding dumps of
the data?
Regards
Peter
--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>
--- End Message ---
--- Begin Message ---
On Wed, Jun 23, 2010 at 12:43 PM, Peter Lind <[email protected]> wrote:
> I'm just wondering if this is a correct understanding:
> 1. plaintext data arrives on the web frontend.
or over SSL
> 2. It's sent to the app server
SSL or non-SSL - your choice
> 3. It's encrypted and sent to the DB server
encrypted or not encrypted - your choice
> Where does the data go after step 3? Does encrypted data go back out
> to the app server? In which case, what's to stop me from exploiting
> the web-server and then sending *bad data/commands* to the app server?
>
> But maybe I'm taking this too far: are you only looking at security in
> terms of storage? I.e. is this merely a question of avoiding dumps of
> the data?
It is mainly about how to stop an exploited machine (even shell
access) from accessing the data by simply looking at a PHP config
file.
This solves that by reducing the risk with the only WAN-accessible
touchpoint (web servers, or well, technically the load balancer even)
which is only accessible via HTTP or HTTPS. Feeding bad commands is
always a risk, no matter what - but you could figure out how to set up
an IDS system or something to only accept POST/GET without exploitable
characters or anything. Suhosin type things come to mind.
But again - the only way to get data would be if you craft something
and use SQL injection or something to get the data out. You couldn't
exploit code to download a trojan or something because the application
server cannot talk to the Internet. I think it is a compartmentalized
setup that would solve my original question...
--- End Message ---
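[Added example, not part of any message in this thread and not code from its participants.] A sketch of the "key only in memory, initialized by hand" idea quoted from Peter Lind above, for the app tier in Michael Shadle's layout. It assumes PHP 7.2+ with the sodium extension and a long-running CLI process that holds the key; that process, the salt file location and the sample record are hypothetical, and how request workers reach the process (for example a local socket) is left out.

```php
<?php
// Added example. The data key lives only in this process's memory; the salt on disk is not secret.

/** Derive the 32-byte data key from the passphrase an operator types at startup. */
function derive_key(string $passphrase, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $passphrase,
        $salt, // must be SODIUM_CRYPTO_PWHASH_SALTBYTES long
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE
    );
}

/** Encrypt one field; returns base64(nonce || MAC+ciphertext) for a DB column. */
function encrypt_field(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

/** Decrypt a stored field; throws if it is malformed, altered, or the key is wrong. */
function decrypt_field(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(
        substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('authentication failed: wrong key or tampered data');
    }
    return $plain;
}

// Startup of the hypothetical key-holding process (run from the CLI).
$saltFile = sys_get_temp_dir() . '/keyagent-demo.salt'; // demo location, assumed
if (!is_file($saltFile)) {
    file_put_contents($saltFile, random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES));
}
$salt = file_get_contents($saltFile);
fwrite(STDERR, 'Passphrase (typed by hand, never stored): ');
$line = fgets(STDIN);
if ($line === false) { exit("no passphrase given\n"); }
$passphrase = rtrim($line, "\r\n");
$key = derive_key($passphrase, $salt);
sodium_memzero($passphrase); // best-effort wipe once the key is derived
sodium_memzero($line);

$stored = encrypt_field('constructed sample: member record 42', $key);
echo "DB column value: $stored\n";
echo 'Round trip:      ', decrypt_field($stored, $key), "\n";
// With the database dump and the salt file but no passphrase, decryption fails.
try {
    decrypt_field($stored, derive_key('wrong guess', $salt));
} catch (RuntimeException $e) {
    echo 'Without passphrase: ', $e->getMessage(), "\n";
}
sodium_memzero($key);
```

Someone who can read the memory of the running process can still recover the key, which matches the "nothing foolproof" caveat in the quoted reply.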
--- Begin Message ---
Greetings All,
I am at a new Gig.
So this is the existing setup so changing it at least in the short term is
not an option.
We are in an IIS shop.
We have a bunch of files that are html, and in need of php functionality.
And that would be a BUNCH of files.
I am interested in seeing if I can set up IIS to use the php interpreter on
HTML files.
And then just start using the html files as php.
There are just so many html files I would prefer to not do 301 redirects,
not header redirects and bloat the server with empty files (nearly empty).
My preference is to use the existing files.
Is there a way to make this happen?
Are there any pitfalls in making this happen that I will need to be aware
of?
Blessed Be
Phillip
--- End Message ---
--- Begin Message ---
On Wed, 2010-06-23 at 16:26 -0600, Phillip Baker wrote:
> Greetings All,
>
> I am at a new Gig.
> So this is the existing setup so changing it at least in the short term is
> not an option.
>
> We are in an IIS shop.
> We have a bunch of files that are html, and in need of php functionality.
> And that would be a BUNCH of files.
>
> I am interested in seeing if I can set up IIS to use the php interpreter on
> HTML files.
> And then just start using the html files as php.
>
> There are just so many html files I would prefer to not do 301 redirects,
> not header redirects and bloat the server with empty files (nearly empty).
> My preference is to use the existing files.
>
> Is there a way to make this happen?
> Are there any pitfalls in making this happen that I will need to be aware
> of?
>
> Blessed Be
>
> Phillip
Yes, you just configure IIS to treat the .html extension the same as it
does .php.
Several things to note though. You can't control this on a site-by-site
basis as far as I remember, so if you set this, it's for the whole
server. Any plain html pages will be delivered more slowly.
Second, PHP code isn't inserted into HTML, rather it's the other way
around. This distinction is important when you are outputting content
other than HTML from PHP code, or when you are using the header()
function.
Although IIS wouldn't be my server of choice, I think the one thing you
may find lacking is Apache's .htaccess files. IIS can emulate most of the
behaviour of this with plugins though, but I believe they tend to cost.
Thanks,
Ash
http://www.ashleysheridan.co.uk
--- End Message ---
--- Begin Message ---
> -----Original Message-----
> From: Ashley Sheridan [mailto:[email protected]]
> Sent: Wednesday, June 23, 2010 4:47 PM
> To: Phillip Baker
> Cc: PHP General List
> Subject: Re: [PHP] IIS, PHP and HTML
>
> On Wed, 2010-06-23 at 16:26 -0600, Phillip Baker wrote:
>
> > Greetings All,
> >
> > I am at a new Gig.
> > So this is the existing setup so changing it at least in the short
> > term is not an option.
> >
> > We are in an IIS shop.
> > We have a bunch of files that are html, and in need of php functionality.
> > And that would be a BUNCH of files.
> >
> > I am interested in seeing if I can set up IIS to use the php
> > interpreter on HTML files.
> > And then just start using the html files as php.
> >
> > There are just so many html files I would prefer to not do 301
> > redirects, not header redirects and bloat the server with empty files
> > (nearly empty).
> > My preference is to use the existing files.
> >
> > Is there a way to make this happen?
> > Are there any pitfalls in making this happen that I will need to be
> > aware of?
> >
> > Blessed Be
> >
> > Phillip
>
>
> Yes, you just configure IIS to treat the .html extension the same as it
> does .php.
>
> Several things to note though. You can't control this on a site-by-site
> basis as far as I remember, so if you set this, it's for the whole server.
> Any plain html pages will be delivered more slowly.
>
Correction, IIS7.5 (Win08r2) and IIS7 (Win08) can set it per
path/site/server depending on your needs. Set it via 'handler mappings'
accordingly. I don't remember IIS 6 and older since it's been a couple of
years since I've dealt with IIS 6.
Regards,
Tommy
> Second, PHP code isn't inserted into HTML, rather it's the other way around.
> This distinction is important when you are outputting content other than
> HTML from PHP code, or when you are using the header() function.
>
> Although IIS wouldn't be my server of choice, I think the one thing you may
> find lacking is Apache's .htaccess files. IIS can emulate most of the
> behaviour of this with plugins though, but I believe they tend to cost.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
--- End Message ---
--- Begin Message ---
On Wed, 2010-06-23 at 17:34 -0700, Tommy Pham wrote:
> > -----Original Message-----
> > From: Ashley Sheridan [mailto:[email protected]]
> > Sent: Wednesday, June 23, 2010 4:47 PM
> > To: Phillip Baker
> > Cc: PHP General List
> > Subject: Re: [PHP] IIS, PHP and HTML
> >
> > On Wed, 2010-06-23 at 16:26 -0600, Phillip Baker wrote:
> >
> > > Greetings All,
> > >
> > > I am at a new Gig.
> > > So this is the existing setup so changing it at least in the short
> > > term is not an option.
> > >
> > > We are in an IIS shop.
> > > We have a bunch of files that are html, and in need of php functionality.
> > > And that would be a BUNCH of files.
> > >
> > > I am interested in seeing if I can set up IIS to use the php
> > > interpreter on HTML files.
> > > And then just start using the html files as php.
> > >
> > > There are just so many html files I would prefer to not do 301
> > > redirects, not header redirects and bloat the server with empty files
> > > (nearly empty).
> > > My preference is to use the existing files.
> > >
> > > Is there a way to make this happen?
> > > Are there any pitfalls in making this happen that I will need to be
> > > aware of?
> > >
> > > Blessed Be
> > >
> > > Phillip
> >
> >
> > Yes, you just configure IIS to treat the .html extension the same as it
> > does .php.
> >
> > Several things to note though. You can't control this on a site-by-site
> > basis as far as I remember, so if you set this, it's for the whole server.
> > Any plain html pages will be delivered more slowly.
> >
>
> Correction, IIS7.5 (Win08r2) and IIS7 (Win08) can set it per
> path/site/server depending on your needs. Set it via 'handler mappings'
> accordingly. I don't remember IIS 6 and older since it's been a couple of
> years since I've dealt with IIS 6.
>
> Regards,
> Tommy
>
> > Second, PHP code isn't inserted into HTML, rather it's the other way around.
> > This distinction is important when you are outputting content other than
> > HTML from PHP code, or when you are using the header() function.
> >
> > Although IIS wouldn't be my server of choice, I think the one thing you may
> > find lacking is Apache's .htaccess files. IIS can emulate most of the
> > behaviour of this with plugins though, but I believe they tend to cost.
> >
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> >
>
>
>
Ah, that's good for Phillip then. I've not used IIS for over a year now,
and the version I used was very old (cheap company didn't see the need
to update anything, ever!)
Thanks,
Ash
http://www.ashleysheridan.co.uk
--- End Message ---