Re: [PHP] FTP and security
On Wednesday 27 November 2002 03:25, Richard Fox wrote:
> > > To relate this to php, I am ready to give up
> > > trying to make my
> > >
> > > system("scp ..");
> > >
> > > code work, because I will have to give the apache user more permissions
> > > than I am comfortable with.
> >
> > What exactly are the problems you're encountering using scp?
>
> I created an apache user, which I called apache, and made sure this user
> could connect to the remote servers and created rsa keys so no passwords
> would be necessary (so my system($cmd) call would work). This is what
> happens when I run scp:
[snip]
> There is more output, but as you can see the read of the src files failed
> and an empty ibuf is sent. This command line call works if I am a normal
> user for whom I have set up known_hosts and authorized_keys. But the above
> is the result when I run scp as user 'apache'.
Here's what I've used before and it works for me:
In the HOME directory of the apache user I have the usual .ssh/known_hosts
file.
Then in php, simply:
shell_exec("/usr/bin/scp -i id_dsa_key file_to_send [EMAIL PROTECTED]:/tmp/");
--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
/*
Finding out what goes on in the C.I.A. is like performing acupuncture
on a rock.
-- New York Times, Jan. 20, 1981
*/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] FTP and security
Well, as far as I know you need to have sshd (or an equivalent) running
on the receiving end. Then, on your server you call up a command like
so:
ssh -f -2 -N -L {source-port}:{end-address}:{end-port}
{sshd-server-address} -l {login}
This command causes ssh to create a secure tunnel that goes from
source-port on your server to end-address:end-port through the ssh
server {sshd-server-address}. Clearly, {sshd-server-address} and
{end-address} can be the same computer, but not necessarily--as long as
there is a direct route between the two and you can consider that route
secure.
Once you've established the connection, you can connect to your local
box on the {source-port}, and your data will be transparently (and
securely) redirected to the new box.
For example:
ssh -N -2 -f -L 3307:my.mysql.box:3306 my.mysql.box -l mysql_user
creates a secure tunnel for connecting to a remote MySQL server
securely. After you've established the connection, you can use
127.0.0.1:3307 on your local box to connect to MySQL and your data will
be transported securly to the other computer.
Hope this helps... a more complete (and probably more accurate)
explanation would take a long time, but if you look around on the Net
you should find plenty of resources.
Cheers,
Marco
--
php|architect - The magazine for PHP Professionals
The first monthly worldwide magazine dedicated to PHP programmers
Come visit us at http://www.phparch.com!
--- Begin Message ---
Marco,
Would you have any examples for using an SSH tunnel? I'm using fsockopen
to get data from proprietary server software (just returns data to me in
different formats) and I would like to have it secure. I'm just not sure
how I could incorporate that.
Thanks,
Bryan
On 26 Nov 2002, Marco Tabini wrote:
|Rich,
|
|Why don't you create an ssh tunnel between your two boxes and then
|perform you ftp connection through there? This way, the connection would
|be secure and you could impersonate whichever user you need to.
|
|There is also a secure version of ftp, but I don't think that it can be
|instantiated directly from PHP, and you would therefore have to run it
|from a shell, which would give the same problems you have with ssh now.
|
|
|Marco
|
|
--- End Message ---
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] FTP and security
Marco, Would you have any examples for using an SSH tunnel? I'm using fsockopen to get data from proprietary server software (just returns data to me in different formats) and I would like to have it secure. I'm just not sure how I could incorporate that. Thanks, Bryan On 26 Nov 2002, Marco Tabini wrote: |Rich, | |Why don't you create an ssh tunnel between your two boxes and then |perform you ftp connection through there? This way, the connection would |be secure and you could impersonate whichever user you need to. | |There is also a secure version of ftp, but I don't think that it can be |instantiated directly from PHP, and you would therefore have to run it |from a shell, which would give the same problems you have with ssh now. | | |Marco | | -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] FTP and security
> > To relate this to php, I am ready to give up
> > trying to make my
> >
> > system("scp ..");
> >
> > code work, because I will have to give the apache user more permissions
> > than I am comfortable with.
>
> What exactly are the problems you're encountering using scp?
>
I created an apache user, which I called apache, and made sure this user
could connect to the remote servers and created rsa keys so no passwords
would be necessary (so my system($cmd) call would work). This is what
happens when I run scp:
bash-2.05a$ scp -pvr -S ssh apache@thor:/home/web/testsite/cgi-bin
apache@loki:/home/web/testsite
Executing: ssh -v -x -o'FallBackToRsh no' -o'ClearAllForwardings yes' -n -l
apache thor scp -v -r -p /home/web/testsite/cgi-bin
'apache@loki:/home/web/testsite'
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 48 geteuid 0 anon 1
debug1: Connecting to thor [127.0.0.1] port 22.
debug1: temporarily_use_uid: 48/48 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 48/48 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/apache/.ssh/identity type -1
debug1: identity file /home/apache/.ssh/id_rsa type 1
debug1: identity file /home/apache/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 135/256
debug1: bits set: 1551/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'thor' is known and matches the RSA host key.
debug1: Found key in /home/apache/.ssh/known_hosts:1
debug1: bits set: 1576/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:
publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/apache/.ssh/identity
debug1: try pubkey: /home/apache/.ssh/id_rsa
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x8086d50 hint
1
debug1: read PEM private key done: type RSA
debug1: ssh-userauth2 successful: method publickey
debug1: fd 4 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Sending command: scp -v -r -p /home/web/testsite/cgi-bin
apache@loki:/home/web/testsite
debug1: channel request 0: exec
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug1: channel 0: read<=0 rfd 4 len 0
debug1: channel 0: read failed
debug1: channel 0: close_read
debug1: channel 0: input open -> drain
debug1: channel 0: ibuf empty
debug1: channel 0: send eof
debug1: channel 0: input drain -> closed
There is more output, but as you can see the read of the src files failed
and an empty ibuf is sent. This command line call works if I am a normal
user for whom I have set up known_hosts and authorized_keys. But the above
is the result when I run scp as user 'apache'.
> So, I am thinking fo using php's ftp commands
> > instead. I see nowhere in the documentation however, if the ftp_connect
can
> > be done via the ssh transport mechanism. Or, is this unnecessary, and
can I
> > use ftp (with plain text user and password passed to ftp_login()) on
port
> > 21 without worrying about getting hacked?
>
> Well, if you're going to be using ftp-over-ssh, I don't see why you're not
> using scp directly instead.
>
I thought that if I create an ssh tunnel for ftp, I could use the php ftp
functions, they would actually be using ssh transparently.
Rich
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] FTP and security
On Wednesday 27 November 2002 01:42, Richard Fox wrote:
> To relate this to php, I am ready to give up
> trying to make my
>
> system("scp ..");
>
> code work, because I will have to give the apache user more permissions
> than I am comfortable with.
What exactly are the problems you're encountering using scp?
So, I am thinking fo using php's ftp commands
> instead. I see nowhere in the documentation however, if the ftp_connect can
> be done via the ssh transport mechanism. Or, is this unnecessary, and can I
> use ftp (with plain text user and password passed to ftp_login()) on port
> 21 without worrying about getting hacked?
Well, if you're going to be using ftp-over-ssh, I don't see why you're not
using scp directly instead.
--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
/*
"Those who do not do politics will be done in by politics."
-- French Proverb
*/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] FTP and security
Rich,
Why don't you create an ssh tunnel between your two boxes and then
perform you ftp connection through there? This way, the connection would
be secure and you could impersonate whichever user you need to.
There is also a secure version of ftp, but I don't think that it can be
instantiated directly from PHP, and you would therefore have to run it
from a shell, which would give the same problems you have with ssh now.
Marco
--
php|architect - The magazine for PHP Professionals
The first monthly worldwide magazine dedicated to PHP programmers
Come visit us at http://www.phparch.com!
--- Begin Message ---
My company, as a matter of policy, closes the ftp ports of the servers in the DMZ.
However, I am not convinced that this is necessary, given the advent of very secure
ftp servers. I would appreciate any comments on the security of an open ftp port. To
relate this to php, I am ready to give up trying to make my
system("scp ..");
code work, because I will have to give the apache user more permissions than I am
comfortable with. So, I am thinking fo using php's ftp commands instead. I see nowhere
in the documentation however, if the ftp_connect can be done via the ssh transport
mechanism. Or, is this unnecessary, and can I use ftp (with plain text user and
password passed to ftp_login()) on port 21 without worrying about getting hacked?
muchas gracias
Rich
--- End Message ---
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] FTP and security
My company, as a matter of policy, closes the ftp ports of the servers in the DMZ.
However, I am not convinced that this is necessary, given the advent of very secure
ftp servers. I would appreciate any comments on the security of an open ftp port. To
relate this to php, I am ready to give up trying to make my
system("scp ..");
code work, because I will have to give the apache user more permissions than I am
comfortable with. So, I am thinking fo using php's ftp commands instead. I see nowhere
in the documentation however, if the ftp_connect can be done via the ssh transport
mechanism. Or, is this unnecessary, and can I use ftp (with plain text user and
password passed to ftp_login()) on port 21 without worrying about getting hacked?
muchas gracias
Rich
