On 02/11/06, Will McDonald wmcdonald@gmail.com wrote:
On 02/11/06, Marc wia@iglass.net wrote:
hey Will,
Hi Marc, thanks for responding.
We don't use keychain, but we do use Net::SSH::Perl through apache on CentOS and RHEL.
The reason I'm using Keychain is to provide passwordless authentication whilst still having passworded private keys, if you can see where I'm coming from.
Couple questions. Can you become the apache user and manually ssh into cgissh@target with/without a password? If so can you manually run your script outside of apache? No group or other write permission set on any of the directories above your keys? Anything in syslog on the ssh server side concerning why permission was denied?
Update: I've just tried removing the passphrase from the private key and now Net::SSH::Perl is happily reading it and using it to authenticate, so now I suppose the question is, can I use it with a passworded private key...
[apache@webdev1 .ssh]$ ssh-keygen -f id_dsa -p
Enter old passphrase:
Key has comment 'id_dsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
Compare passwordless log excerpt:
[Thu Nov 02 14:48:54 2006] [error] [client 192.168.24.111] webdev1: Trying empty user-authentication request.
[Thu Nov 02 14:48:54 2006] [error] [client 192.168.24.111] webdev1: Authentication methods that can continue: publickey,keyboard-interactive.
[Thu Nov 02 14:48:54 2006] [error] [client 192.168.24.111] webdev1: Next method to try is publickey.
[Thu Nov 02 14:48:54 2006] [error] [client 192.168.24.111] webdev1: Trying pubkey authentication with key file '/var/www/.ssh/id_dsa'
[Thu Nov 02 14:49:00 2006] [error] [client 192.168.24.111] webdev1: Login completed, opening dummy shell channel.
[Thu Nov 02 14:49:00 2006] [error] [client 192.168.24.111] webdev1: channel 0: new [client-session]
With passworded:
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Authentication methods that can continue: publickey,keyboard-interactive.
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Next method to try is publickey.
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Trying pubkey authentication with key file '/var/www/.ssh/id_dsa'
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Will not query passphrase for '/var/www/.ssh/id_dsa' in batch mode.
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Loading private key failed.
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] Permission denied at ~/cgi-bin/perl-net-ssh-perl-test.pl line 18
I wonder, if I _force_ it out of batch mode, but with a passworded key... nope, that's obviously being interpreted as "should be run in interactive mode" and is erroring. So I guess the question is, how do I get Net::SSH::Perl to source keys from a running ssh-agent, as I don't want to have passwordless private keys involved if I can avoid it.
Will.
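One way to try the agent route Will is asking about, as an added example that is not code from this thread or from the Net::SSH::Perl distribution: the CGI script imports the socket path keychain recorded for the apache user and then lets Net::SSH::Perl authenticate with the agent-held key, so the on-disk key can keep its passphrase. The keychain file location, the `import_keychain_env` helper and the assumption that Net::SSH::Perl consults SSH_AUTH_SOCK through Net::SSH::Perl::Agent are mine, not something the thread confirms.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Net::SSH::Perl itself.
# Goal: let a CGI script running as the apache user authenticate with a
# passphrase-protected key held by a keychain-managed ssh-agent, so no
# unencrypted private key has to sit in /var/www/.ssh.
use strict;
use warnings;
use Net::SSH::Perl;

# keychain writes a shell fragment like
#   SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.4242; export SSH_AUTH_SOCK;
# to ~/.keychain/<hostname>-sh. httpd never sources it, so parse it here.
# Assumed location for the apache user's home on webdev1.
my $keychain_file = "/var/www/.keychain/webdev1-sh";

sub import_keychain_env {
    my ($file) = @_;
    open my $fh, '<', $file or die "cannot read $file: $!";
    while (my $line = <$fh>) {
        while ($line =~ /\b(SSH_AUTH_SOCK|SSH_AGENT_PID)=([^;\s]+)/g) {
            $ENV{$1} = $2;
        }
    }
    close $fh;
    # The socket directory is 0700 to the user who started the agent, so
    # keychain must have been run as apache, not as root or an admin user.
    return defined $ENV{SSH_AUTH_SOCK} && -S $ENV{SSH_AUTH_SOCK};
}

import_keychain_env($keychain_file)
    or die "no usable ssh-agent socket; did keychain run as apache?";

# Assumption: with SSH_AUTH_SOCK set, Net::SSH::Perl (via Net::SSH::Perl::Agent)
# offers the agent's keys before falling back to identity_files, so batch
# mode never has to prompt. interactive => 0 keeps the "will not query
# passphrase" behaviour seen in the thread instead of hanging the CGI.
my $ssh = Net::SSH::Perl->new('target',
    protocol    => 2,
    interactive => 0,
    debug       => 1,   # sends the auth trace to the apache error_log
);
$ssh->login('cgissh');

my ($out, $err, $exit) = $ssh->cmd('id');
die "remote command failed ($exit): $err" if $exit;
print "Content-type: text/plain\n\n$out";
```

If the error_log still shows "Trying pubkey authentication with key file" and no agent attempt, the socket was not reachable from the httpd process, which is the first thing to check before touching the key itself.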