On 02/11/06, Marc wia@iglass.net wrote:
hey Will,
Hi Marc, thanks for responding.
We don't use keychain, but we do use Net::SSH::Perl through apache on CentOS and RHEL.
The reason I'm using Keychain is to provide passwordless authentication whilst still having passworded private keys, if you can see where I'm coming from.
Couple questions. Can you become the apache user and manually ssh into cgissh@target with/without a password? If so can you manually run your script outside of apache? No group or other write permission set on any of the directories above your keys? Anything in syslog on the ssh server side concerning why permission was denied?
Yep, SSH from client to target as the intended users is OK. As allowing CGIs to connect to other systems and run commands isn't an ideal situation security-wise, I've been very strict with permissions and ownerships, but it does work, and I've loosened them just on the off chance it was a permissions thing.
Here's a snippet of me su -ing and connecting to the target system...

[root@webdev1 ~]# su - apache
KeyChain 2.5.1; http://www.gentoo.org/proj/en/keychain/
Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL
 * Found existing ssh-agent (4189)
 * ssh-agent: All identities removed.
 * Adding 1 ssh key(s)...
Enter passphrase for /var/www/.ssh/id_dsa:
Identity added: /var/www/.ssh/id_dsa (/var/www/.ssh/id_dsa)
[apache@webdev1 ~]$ ssh -p2251 -lcgissh manlvs1 hostname
manlvs1b
Running the CGI script from the command line behaves the same, i.e. it connects, executes 'hostname' and returns the correct response.
I will say that once you get it working, make sure you have the following perl modules installed. It will drastically increase the speed of your handshaking. At least it did for us.
Crypt-DH 0.03 (Yes, older version)
IO
Math-BigInt-GMP
I had noticed a _considerable_ speed overhead using Net::SSH::Perl, but I'd put that aside as something to address once I've got it working as expected. I'll have a look at those modules, thanks.
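As an added illustration, not code from the thread: a Perl CGI that imports the ssh-agent variables keychain wrote for the apache user before calling Net::SSH::Perl, then checks that the agent socket is actually reachable from the CGI process. It assumes apache's home is /var/www (matching the /var/www/.ssh/id_dsa path above) and keychain's default file location /var/www/.keychain/<hostname>-sh; the target manlvs1, user cgissh and port 2251 are taken from the session shown above.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Apache does not run the login shell
# that would source keychain's output, so the agent variables must be
# loaded by the script itself.
use strict;
use warnings;
use Net::SSH::Perl;
use Sys::Hostname ();

# Read SSH_AUTH_SOCK / SSH_AGENT_PID from the file keychain writes
# (~/.keychain/<uname -n>-sh) and export them into this process.
sub load_keychain_env {
    my ($home) = @_;                       # assumed: /var/www for apache
    my $host = Sys::Hostname::hostname();  # same name keychain uses
    my $file = "$home/.keychain/$host-sh";
    open my $fh, '<', $file or die "cannot read $file: $!";
    while (my $line = <$fh>) {
        # lines look like: SSH_AUTH_SOCK=/tmp/ssh-abc/agent.4189; export SSH_AUTH_SOCK;
        if ($line =~ /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=([^;]+);/) {
            $ENV{$1} = $2;
        }
    }
    close $fh;
    die "no SSH_AUTH_SOCK in $file" unless $ENV{SSH_AUTH_SOCK};
    # The socket must exist and be writable by the uid apache runs as;
    # if this fails, the key was added to an agent this user cannot use.
    die "agent socket $ENV{SSH_AUTH_SOCK} not usable"
        unless -S $ENV{SSH_AUTH_SOCK} && -w _;
    return $ENV{SSH_AUTH_SOCK};
}

# Run one command over SSH2; public-key auth is satisfied by the agent,
# so no passphrase is needed in the CGI.
sub run_remote {
    my ($host, $user, $port, $command) = @_;
    my $ssh = Net::SSH::Perl->new($host, protocol => 2, port => $port);
    $ssh->login($user);
    my ($out, $err, $exit) = $ssh->cmd($command);
    die "remote command failed (exit $exit): $err" if $exit;
    return $out;
}

load_keychain_env('/var/www');
my $out = run_remote('manlvs1', 'cgissh', 2251, 'hostname');
print "Content-Type: text/plain\r\n\r\n$out";
```

Running it as the apache user from a shell that has not sourced keychain (env -i) reproduces the CGI environment closely enough to tell an agent problem from a permissions problem.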