On 02/11/06, Will McDonald wmcdonald@gmail.com wrote:
Guys, I wonder if anyone can give me any pointers here, I hope it's CentOS related enough not to be too off topic, if it is then apologies.
Thanks to Marc and Ingimar for their suggestions, I think we've cracked it.
When Keychain runs it prompts the user for their private key password then stores the ssh-agent information away in ~/.keychain/$hostname-sh and ~/.keychain/$hostname-csh. For example...
[root@webdev1 ~]# cat ~apache/.keychain/`hostname`-sh
SSH_AUTH_SOCK=/tmp/ssh-yheGAI4188/agent.4188; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4189; export SSH_AGENT_PID;
Ingimar suggested these environment variables might not be available to the CGI environment and he was spot on. It appears Agent.pm from Net::SSH::Perl looks for these in the environment and can find them when scripts are run from the shell because they're there (duh me :)).
So, set up a password protected keypair and run Keychain from .bash_profile as follows...
[root@webdev1 ~]# cat ~apache/.bash_profile
keychain --nogui id_dsa --clear
[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh
[[ -f $HOME/.keychain/$HOSTNAME-sh-gpg ]] && source $HOME/.keychain/$HOSTNAME-sh-gpg
The '--clear' will remove all Keychain information on login (though not perfectly, it could be circumvented with a well-timed CTRL-C) but, critically, leave it available for non-interactive sessions if you log in, enter the private key passphrase, then log out.
You'll initially need to "su - apache" once if the box reboots, and you need to enter the private key password if you need to 'su' to do anything else as the user; otherwise, the ssh-agent information is available to scripts running as that user. For bash, as mentioned, I'd just import it with
[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh
For the Perl script I needed to add:
$ENV{SSH_AGENT_PID}="4189";
$ENV{SSH_AUTH_SOCK}="/tmp/ssh-yheGAI4188/agent.4188";
Obviously, I'll read those in properly from ~/.keychain/$hostname-sh in the final script but as proof of concept... :)
Will.
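Added example, not part of Will's post: one way to do the "read those in properly" step from the final paragraph. It reads the Keychain file for the current user and host, takes only the two SSH_AUTH_SOCK and SSH_AGENT_PID assignments with a strict pattern (the file is shell syntax, so it is parsed rather than evaluated), checks that the socket exists and the agent PID is still alive before putting them into %ENV, and fails loudly otherwise. It assumes the CGI script runs as the same user (apache in the post) that ran Keychain; the function names are the example's own.

```perl
#!/usr/bin/perl
# Added example (not from the original post): load ssh-agent settings written
# by Keychain into ~/.keychain/$HOSTNAME-sh so Net::SSH::Perl's Agent.pm can
# find the agent from a CGI script whose environment lacks them.
use strict;
use warnings;
use Sys::Hostname ();
use File::Spec;

# Path Keychain writes for this user and host (assumed: same user ran keychain).
sub keychain_file {
    my $home = (getpwuid($<))[7] or die "no home directory for uid $<\n";
    return File::Spec->catfile($home, '.keychain',
                               Sys::Hostname::hostname() . '-sh');
}

# Parse lines of the form  NAME=value; export NAME;  and return a hash ref.
# Only the two expected names are accepted, and values may not contain
# whitespace or ';', so a modified file cannot smuggle anything else in.
sub parse_keychain {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my %vars;
    while (my $line = <$fh>) {
        if ($line =~ /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=([^\s;]+);/) {
            $vars{$1} = $2;
        }
    }
    close $fh;
    return \%vars;
}

# The PID must be numeric and alive and the socket must exist; a stale file
# left by a previous boot fails here instead of producing an obscure error
# deep inside Net::SSH::Perl.
sub agent_usable {
    my ($vars) = @_;
    return 0 unless defined $vars->{SSH_AGENT_PID}
                 && $vars->{SSH_AGENT_PID} =~ /^\d+$/;
    return 0 unless defined $vars->{SSH_AUTH_SOCK}
                 && -S $vars->{SSH_AUTH_SOCK};
    return kill(0, $vars->{SSH_AGENT_PID}) ? 1 : 0;  # signal 0 only probes
}

# Put the two variables into %ENV, replacing the hard-coded values from the
# proof of concept. Returns the hash ref of what was set.
sub load_agent_env {
    my ($path) = @_;
    $path = keychain_file() unless defined $path;
    my $vars = parse_keychain($path);
    die "no usable ssh-agent described in $path\n" unless agent_usable($vars);
    $ENV{$_} = $vars->{$_} for keys %$vars;
    return $vars;
}

# When run directly (e.g. from the CGI script via require/do), load the agent
# environment before any Net::SSH::Perl object is created.
load_agent_env() unless caller;
```

Calling load_agent_env() at the top of the CGI script, before Net::SSH::Perl->new, replaces the two hard-coded $ENV lines; if the apache user has not logged in since a reboot, the die message names the missing agent instead of the script silently falling back to an unusable key.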