Re: [PHP] Re: ssh within PHP

2003-11-11 Thread Eugene Lee
On Mon, Nov 10, 2003 at 11:05:02PM -0800, tirumal b wrote:
: 
:  It's enough if I have the Apache privileges. Can I
: log in to the Apache user and to the remote computer's Apache
: user with public key authentication and run some
: command there?

Usually, the user that Apache runs under does not have a real shell.
And ssh by default (and for good security reasons) is configured to
disallow logins for users that do not have a real shell.

If you need a web-based method to run a program as a specific user,
consider suexec:

http://httpd.apache.org/docs/suexec.html

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: SSH

2002-05-05 Thread Kyle Gibson

> What does phpinfo() have to say about it?


It says that the Local Value is "on" but the master value is "off".


-Kyle







Re: [PHP] Re: SSH

2002-05-05 Thread Richard Archer

At 2:29 PM -0400 5/5/02, Kyle Gibson wrote:

>In the php.ini file, safe mode is off. Which is why I am curious as to
>why this is occurring.

What does phpinfo() have to say about it?

 ...R.





Re: [PHP] Re: SSH

2002-05-05 Thread Kyle Gibson

> Your ISP has safe mode turned on which means you cannot use backquotes. Read all 
> about it at http://www.php.net/manual/en/features.safe-mode.php.


I am my own ISP, technically.

In the php.ini file, safe mode is off. Which is why I am curious as to 
why this is occurring.

---
;
; Safe Mode
;
safe_mode = Off

---


-Kyle






Re: [PHP] Re: SSH

2002-05-05 Thread Stuart Dallas

On 5 May 2002 at 14:12, Kyle Gibson wrote:
> Warning: Cannot execute using backquotes in safe mode in test.php on
> line 2

Your ISP has safe mode turned on which means you cannot use backquotes. Read all 
about it at http://www.php.net/manual/en/features.safe-mode.php.

-- 
Stuart





RE: [PHP] RE: SSH

2002-05-05 Thread Miguel Cruz

Well, as described below, the key is read by a root-owned, sudo-gated
shell script which executes a specific remote command. And of course the
arguments, if any, are strictly sanitized by the shell script. So the
worst someone could do is cause the premature execution of that remote
command.

Also, I rarely if ever work on servers shared with untrusted users, which
changes the security situation somewhat. People in that situation are
going to have it much harder. But if PHP's in safe mode, they can use a
similar scheme but provide access to their individual user ID rather than
'nobody'.

miguel

On Sun, 5 May 2002, Insomniac Admin wrote:
> Wouldn't that be like very insecure? I wouldn't need to root the server
> in order to use that connection!
> 
> Example Scenario:
> 
> I generate a key pair from server local to server remote, and place the
> auth key in a 0400 moded file owned by root, but accessible by "nobody"
> (as this is the uid I will be sshing out as). Multiple people have
> access to write php scripts on this server.
> 
> Now *anyone* who is able to execute commands as "nobody" can (very very
> easily) get from server local to server remote without the need for a
> password to be entered.
> 
> Fair enough that they would need to know the address of server remote,
> and that they would never get the password - but they wouldn't need one
> either.
> 
> Just my PoV on security... You could always try investigating SSH
> wrappers.
> 
> - Dan
> 
> -----Original Message-----
> From: Miguel Cruz [mailto:[EMAIL PROTECTED]] 
> Sent: 05 May 2002 07:44
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] RE: SSH
> 
> 
> On Sun, 5 May 2002, Insomniac Admin wrote:
> > You could use "popen" to open a ssh process and wait to be asked for 
> > the password etc... Remember to check the RSA key pattern.
> 
> My experience, at least with recent SSH versions, is that they try very
> hard to verify stdin is an actual pty before accepting a password from
> it. This is specifically to stop people from storing passwords in
> cleartext.
> 
> However, you can do wonderful things with key pairs. Read all about 
> ssh-keygen.
> 
> We have servers that need to do things on other servers. We store the
> private keys in 0400 files owned by root, create root-owned shell
> scripts to ssh into the remote servers and execute specific commands,
> and allow the web server to run those with sudo. Not perfect, but
> reasonably secure as long as nobody r00ts the web server.
> 
> miguel
> 
> 
> 



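The root-owned, sudo-gated wrapper with a sanitized argument that the message above describes, as an added example that is not code from this thread or from any poster. The install path, sudoers entry, key file, remote account and remote command are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, installed root:root mode 0755 at a hypothetical path such as
# /usr/local/sbin/webjob. Assumed sudoers entry for the web server user:
#   nobody ALL=(root) NOPASSWD: /usr/local/sbin/webjob
# Key path, remote account and remote command below are assumptions.
PATH=/usr/bin:/bin; export PATH       # do not trust the caller's PATH
LC_ALL=C; export LC_ALL               # make A-Z style ranges byte-exact

SSH_BIN=/usr/bin/ssh
KEY_FILE=/root/.ssh/webjob_key        # 0400, owned by root
REMOTE=jobs@remote.example.com
REMOTE_CMD=/usr/local/bin/run-report  # the one command this wrapper may run

# Allow-list check: 1-32 characters from [A-Za-z0-9_-], not starting with '-'.
# Everything else (spaces, quotes, ';', '$', newlines, option-like words) fails,
# so the remote shell that re-parses the command line sees one plain word.
valid_arg() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Run the fixed remote command with one validated argument.
run_job() {
    if ! valid_arg "$1"; then
        echo "webjob: argument rejected" >&2
        return 64
    fi
    # BatchMode: never prompt. IdentitiesOnly: use only KEY_FILE.
    # StrictHostKeyChecking=yes: refuse unknown or changed host keys.
    "$SSH_BIN" -i "$KEY_FILE" -o BatchMode=yes -o IdentitiesOnly=yes \
        -o StrictHostKeyChecking=yes "$REMOTE" "$REMOTE_CMD" "$1"
}

# Invoked as: sudo /usr/local/sbin/webjob <job-name>
if [ "$#" -eq 1 ]; then
    run_job "$1"
    exit "$?"
elif [ "$#" -gt 1 ]; then
    echo "usage: webjob <job-name>" >&2
    exit 64
fi
```

On the remote side, a `command="..."` restriction on this key's entry in `authorized_keys` limits what the key can run even when it is used outside the wrapper.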



RE: [PHP] RE: SSH

2002-05-05 Thread Insomniac Admin

Wouldn't that be like very insecure? I wouldn't need to root the server
in order to use that connection!

Example Scenario:

I generate a key pair from server local to server remote, and place the
auth key in a 0400 moded file owned by root, but accessible by "nobody"
(as this is the uid I will be sshing out as). Multiple people have
access to write php scripts on this server.

Now *anyone* who is able to execute commands as "nobody" can (very very
easily) get from server local to server remote without the need for a
password to be entered.

Fair enough that they would need to know the address of server remote,
and that they would never get the password - but they wouldn't need one
either.

Just my PoV on security... You could always try investigating SSH
wrappers.

- Dan

-----Original Message-----
From: Miguel Cruz [mailto:[EMAIL PROTECTED]] 
Sent: 05 May 2002 07:44
To: [EMAIL PROTECTED]
Subject: Re: [PHP] RE: SSH


On Sun, 5 May 2002, Insomniac Admin wrote:
> You could use "popen" to open a ssh process and wait to be asked for 
> the password etc... Remember to check the RSA key pattern.

My experience, at least with recent SSH versions, is that they try very
hard to verify stdin is an actual pty before accepting a password from
it. This is specifically to stop people from storing passwords in
cleartext.

However, you can do wonderful things with key pairs. Read all about 
ssh-keygen.

We have servers that need to do things on other servers. We store the
private keys in 0400 files owned by root, create root-owned shell
scripts to ssh into the remote servers and execute specific commands,
and allow the web server to run those with sudo. Not perfect, but
reasonably secure as long as nobody r00ts the web server.

miguel






Re: [PHP] RE: SSH

2002-05-04 Thread Miguel Cruz

On Sun, 5 May 2002, Insomniac Admin wrote:
> You could use "popen" to open a ssh process and wait to be asked for the
> password etc... Remember to check the RSA key pattern.

My experience, at least with recent SSH versions, is that they try very 
hard to verify stdin is an actual pty before accepting a password from it. 
This is specifically to stop people from storing passwords in cleartext. 
However, you can do wonderful things with key pairs. Read all about 
ssh-keygen.

We have servers that need to do things on other servers. We store the
private keys in 0400 files owned by root, create root-owned shell scripts 
to ssh into the remote servers and execute specific commands, and allow 
the web server to run those with sudo. Not perfect, but reasonably secure 
as long as nobody r00ts the web server.

miguel

