Wouldn't that be like very insecure? I wouldn't need to root the server
in order to use that connection!

Example Scenario:

I generate a key pair from server local to server remote, and place the
auth key in a 0400 moded file owned by root, but accessable by "nobody"
(as this is the uid I will be sshing out as). Multiple people have
access to write php scripts on this server.

Now *anyone* who is able to execute commands as "nobody" can (very very
easily) get from server local to server remote without the need for a
password to be entered.

Fair enough that they would need to know the address of server remote,
and that they would never get the password - but they wouldn't need one

Just my PoV on security... You could always try investigating SSH

- Dan

-----Original Message-----
From: Miguel Cruz [mailto:[EMAIL PROTECTED]] 
Sent: 05 May 2002 07:44
Subject: Re: [PHP] RE: SSH

On Sun, 5 May 2002, Insomniac Admin wrote:
> You could use "popen" to open a ssh process and wait to be asked for 
> the password etc... Remember to check the RSA key pattern.

My experience, at least with recent SSH versions, is that they try very 
hard to verify stdin is an actual pty before accepting a password from
This is specifically to stop people from storing passwords in cleartext.

However, you can do wonderful things with key pairs. Read all about 

We have servers that need to do things on other servers. We store the
private keys in 0400 files owned by root, create root-owned shell
to ssh into the remote servers and execute specific commands, and allow 
the web server to run those with sudo. Not perfect, but reasonably
as long as nobody r00ts the web server.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to