[CentOS] Using perl-Net-SSH-Perl with pubkey authentication underCGI.

Will McDonald wmcdonald at gmail.com
Thu Nov 2 14:42:29 UTC 2006

On 02/11/06, Marc <wia at iglass.net> wrote:
> hey Will,

Hi Marc, thanks for responding.

> We don't use keychain, but we do use Net::SSH::Perl through apache
> on CentOS and RHEL.

The reason I'm using Keychain is to provide passwordless
authentication whilst still having passworded private keys, if you can
see where I'm coming from.

> Couple questions.  Can you become the apache user and manually
> ssh into  cgissh at target with/without a password?   If so can you
> manually run your script outside of apache?   No group or other write
> permission set on any of the directories above your keys?  Anything
> in syslog on the ssh server side concerning why permission was
> denied?

Yep, SSH from client to target as the intended users is OK, as
allowing CGIs to connect to other systems and run command isn't an
ideal situation security-wise I've been very strict with permissions
and ownerships, but it does work and I've loosened them just on the
off chance it was a permissions thing.

Here's a snippet of me su - ing and connecting to the target system...

[root at webdev1 ~]# su - apache

KeyChain 2.5.1; http://www.gentoo.org/proj/en/keychain/
Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL

 * Found existing ssh-agent (4189)
 * ssh-agent: All identities removed.
 * Adding 1 ssh key(s)...
Enter passphrase for /var/www/.ssh/id_dsa:
Identity added: /var/www/.ssh/id_dsa (/var/www/.ssh/id_dsa)

[apache at webdev1 ~]$ ssh -p2251 -lcgissh manlvs1 hostname

Running the CGI script from the command line behaves the same, i.e. it
connects, executes 'hostname' and returns the correct response.

> I will say that once you get it working, make sure you have the
> following perl modules installed.  It will drastically increase the
> speed of your handshaking.  At least it did for us.
> Crypt-DH 0.03  (Yes, older version)
> IO
> Math-BigInt-GMP

I had noticed a _considerable_ speed overhead using Net::SSH::Perl but
I'd put that aside as something to address once I've got it working as
expected, I'll have a look at those modules, thanks.


More information about the CentOS mailing list