[CentOS] Using perl-Net-SSH-Perl with pubkey authentication under CGI.
wmcdonald at gmail.com
Thu Nov 2 14:42:29 UTC 2006
On 02/11/06, Marc <wia at iglass.net> wrote:
> hey Will,
Hi Marc, thanks for responding.
> We don't use keychain, but we do use Net::SSH::Perl through apache
> on CentOS and RHEL.
The reason I'm using Keychain is to provide passwordless
authentication whilst still having passworded private keys, if you can
see where I'm coming from.
> Couple questions. Can you become the apache user and manually
> ssh into cgissh at target with/without a password? If so can you
> manually run your script outside of apache? No group or other write
> permission set on any of the directories above your keys? Anything
> in syslog on the ssh server side concerning why permission was
Yep, SSH from client to target as the intended users is OK. As
allowing CGIs to connect to other systems and run commands isn't an
ideal situation security-wise, I've been very strict with permissions
and ownerships, but it does work, and I've loosened them just on the
off chance it was a permissions thing.
Here's a snippet of me su - ing and connecting to the target system...
[root at webdev1 ~]# su - apache
KeyChain 2.5.1; http://www.gentoo.org/proj/en/keychain/
Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL
* Found existing ssh-agent (4189)
* ssh-agent: All identities removed.
* Adding 1 ssh key(s)...
Enter passphrase for /var/www/.ssh/id_dsa:
Identity added: /var/www/.ssh/id_dsa (/var/www/.ssh/id_dsa)
[apache at webdev1 ~]$ ssh -p2251 -lcgissh manlvs1 hostname
Running the CGI script from the command line behaves the same, i.e. it
connects, executes 'hostname' and returns the correct response.
> I will say that once you get it working, make sure you have the
> following perl modules installed. It will drastically increase the
> speed of your handshaking. At least it did for us.
> Crypt-DH 0.03 (Yes, older version)
I had noticed a _considerable_ speed overhead using Net::SSH::Perl, but
I'd put that aside as something to address once I've got it working as
expected. I'll have a look at those modules, thanks.
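An added diagnostic script (mine, not code from this thread or from Net::SSH::Perl) that mechanises Marc's checklist: it walks the directories above the apache user's private key looking for group/other write bits, checks the key file's own mode, and reports whether keychain's SSH_AUTH_SOCK is visible in the environment the script runs in. The key path and home directory default to the ones Will posted; everything else is an assumption.

```shell
#!/bin/sh
# Added diagnostic for the checklist in the thread; not code from the
# thread or from Net::SSH::Perl. Default paths are the ones Will posted.

# Report every directory from the key's parent up to and including $2
# (normally the user's home, which is as far as sshd's StrictModes looks)
# that is writable by group or other. Returns 0 when all are clean.
check_key_parents() {
    dir=$(dirname "$1"); top=$2; bad=0
    while :; do
        mode=$(stat -c %a "$dir") || return 2      # GNU stat (CentOS): octal mode
        other=${mode#"${mode%?}"}                  # last octal digit
        rest=${mode%?}; group=${rest#"${rest%?}"}  # second-to-last digit
        for d in $group $other; do
            case $d in 2|3|6|7) echo "group/other-writable: $mode $dir"; bad=1; break ;; esac
        done
        [ "$dir" = "$top" ] || [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $bad
}

# A private key must not be readable by group or other, or ssh refuses it.
check_key_mode() {
    mode=$(stat -c %a "$1") || return 2
    case $mode in *00) return 0 ;; *) echo "key too open: $mode $1"; return 1 ;; esac
}

# keychain exports SSH_AUTH_SOCK into the shell it was run from; a process
# started by httpd sees it only if that environment is passed through.
agent_reachable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Run all three checks; key and home default to the paths from the thread.
main_check() {
    key=${1:-/var/www/.ssh/id_dsa}; home=${2:-/var/www}
    check_key_parents "$key" "$home"
    check_key_mode "$key"
    agent_reachable || echo "SSH_AUTH_SOCK not set or not a socket in this environment"
}

# Invoke as: sh check_cgi_key.sh --run [key] [home]
case ${1:-} in --run) shift; main_check "$@" ;; esac
```

Run it once from an interactive `su - apache` shell and once from inside the CGI's environment; if only the agent line differs, the problem is the environment httpd hands to the script rather than permissions.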