[CentOS] Using perl-Net-SSH-Perl with pubkey authentication under CGI.
Will McDonald
wmcdonald at gmail.com
Thu Nov 2 14:42:29 UTC 2006
On 02/11/06, Marc <wia at iglass.net> wrote:
> hey Will,
Hi Marc, thanks for responding.
> We don't use keychain, but we do use Net::SSH::Perl through apache
> on CentOS and RHEL.
The reason I'm using Keychain is to provide passwordless
authentication whilst still having passworded private keys, if you can
see where I'm coming from.
> Couple questions. Can you become the apache user and manually
> ssh into cgissh at target with/without a password? If so can you
> manually run your script outside of apache? No group or other write
> permission set on any of the directories above your keys? Anything
> in syslog on the ssh server side concerning why permission was
> denied?
Yep, SSH from client to target as the intended users is OK. As
allowing CGIs to connect to other systems and run commands isn't an
ideal situation security-wise, I've been very strict with permissions
and ownerships, but it does work, and I've loosened them just on the
off chance it was a permissions thing.
Here's a snippet of me su - ing and connecting to the target system...
[root at webdev1 ~]# su - apache
KeyChain 2.5.1; http://www.gentoo.org/proj/en/keychain/
Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL
* Found existing ssh-agent (4189)
* ssh-agent: All identities removed.
* Adding 1 ssh key(s)...
Enter passphrase for /var/www/.ssh/id_dsa:
Identity added: /var/www/.ssh/id_dsa (/var/www/.ssh/id_dsa)
[apache at webdev1 ~]$ ssh -p2251 -lcgissh manlvs1 hostname
manlvs1b
Running the CGI script from the command line behaves the same, i.e. it
connects, executes 'hostname' and returns the correct response.
> I will say that once you get it working, make sure you have the
> following perl modules installed. It will drastically increase the
> speed of your handshaking. At least it did for us.
>
> Crypt-DH 0.03 (Yes, older version)
> IO
> Math-BigInt-GMP
I had noticed a _considerable_ speed overhead using Net::SSH::Perl, but
I'd put that aside as something to address once I've got it working as
expected. I'll have a look at those modules, thanks.
Will.
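One thing the transcript above does not show is what environment the CGI itself runs with. keychain exports SSH_AUTH_SOCK and SSH_AGENT_PID into the login shell (that is why `su - apache` works), but a CGI started by Apache never sources the apache user's shell profile, so Net::SSH::Perl inside it may see no agent at all and fall back to the passphrase-protected key file, which then fails non-interactively. The script below, an added example written for this page and not code from Will's or Marc's setup or from the Net::SSH::Perl distribution, reads keychain's `~/.keychain/<hostname>-sh` file into %ENV before connecting, checks that the agent socket still exists, and restricts the CGI to a fixed whitelist of remote commands. The paths (`/var/www` as apache's home, `/var/www/.ssh/id_dsa`), host `manlvs1`, port 2251 and user `cgissh` are taken from the session in the thread and are assumptions about that setup; the `cmd` CGI parameter and the `load_keychain_env` helper are hypothetical names for illustration.

```perl
#!/usr/bin/perl
# Added example for this page (not code from the thread): a CGI that picks up
# a keychain-managed ssh-agent and runs one whitelisted command over
# Net::SSH::Perl. Host, port, user and paths are assumptions mirroring the
# session shown in the thread.
use strict;
use warnings;
use CGI;
use Sys::Hostname;
use Net::SSH::Perl;

my $home          = '/var/www';                                   # apache's $HOME (assumed)
my $keychain_file = "$home/.keychain/" . hostname() . '-sh';      # keychain's sh-style env file

# keychain writes lines such as
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.4189; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=4189; export SSH_AGENT_PID;
# Apache's CGI environment does not contain them, so import them by hand.
# Returns true only if the agent socket named there still exists.
sub load_keychain_env {
    my ($file) = @_;
    open my $fh, '<', $file or return 0;
    while (my $line = <$fh>) {
        if ($line =~ /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=([^;\s]+)/) {
            $ENV{$1} = $2;
        }
    }
    close $fh;
    # a stale file after a reboot points at a socket that is gone
    return defined $ENV{SSH_AUTH_SOCK} && -S $ENV{SSH_AUTH_SOCK};
}

# A CGI that forwards arbitrary input to a remote shell is remote code
# execution for anyone who can reach the web server; only fixed commands.
my %allowed = (hostname => 'hostname', uptime => 'uptime');

my $q    = CGI->new;
my $want = $q->param('cmd');
$want = 'hostname' unless defined $want;
my $cmd  = $allowed{$want};

print $q->header('text/plain');

unless (defined $cmd) {
    print "unknown command\n";
    exit 0;
}

unless (load_keychain_env($keychain_file)) {
    print "no usable ssh-agent socket in $keychain_file ",
          "(is keychain running for the apache user?)\n";
    exit 0;
}

# Net::SSH::Perl croaks on connection or authentication failure, so wrap it.
my ($out, $err, $exit) = eval {
    my $ssh = Net::SSH::Perl->new('manlvs1',
        port           => 2251,
        protocol       => 2,
        identity_files => ["$home/.ssh/id_dsa"],   # passphrase-protected; the agent supplies it
        interactive    => 0,                        # never prompt: there is no terminal under Apache
    );
    $ssh->login('cgissh');
    $ssh->cmd($cmd);
};
if ($@) {
    print "ssh failed: $@\n";
    exit 0;
}

print "exit=$exit\n";
print defined $out ? $out : '';
print defined $err ? $err : '';
```

Run it once as the apache user from a shell with the environment wiped (`env -i /path/to/script.cgi`) to reproduce Apache's conditions instead of the login shell's; if it works there but not under Apache, look next at whether Apache runs the CGI as a different uid (suexec, mod_suid) or with a different HOME, since both change where keychain's file is looked for.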