[CentOS] Using perl-Net-SSH-Perl with pubkey authentication under CGI.

Thu Nov 2 14:58:59 UTC 2006
Will McDonald <wmcdonald at gmail.com>

On 02/11/06, Will McDonald <wmcdonald at gmail.com> wrote:
> On 02/11/06, Marc <wia at iglass.net> wrote:
> > hey Will,
>
> Hi Marc, thanks for responding.
>
> > We don't use keychain, but we do use Net::SSH::Perl through apache
> > on CentOS and RHEL.
>
> The reason I'm using Keychain is to provide passwordless
> authentication whilst still having passworded private keys, if you can
> see where I'm coming from.
>
> > Couple questions.  Can you become the apache user and manually
> > ssh into  cgissh at target with/without a password?   If so can you
> > manually run your script outside of apache?   No group or other write
> > permission set on any of the directories above your keys?  Anything
> > in syslog on the ssh server side concerning why permission was
> > denied?

Update: I've just tried removing the passphrase from the private key
and now Net::SSH::Perl is happily reading it and using it to
authenticate, so now I suppose the question is can I use it with a
passworded private key...

[apache at webdev1 .ssh]$ ssh-keygen -f id_dsa -p
Enter old passphrase:
Key has comment 'id_dsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

Compare passwordless log excerpt:

[Thu Nov 02 14:48:54 2006] [error] [client 192.168.24.111] webdev1: Trying empty user-authentication request.
[Thu Nov 02 14:48:54 2006] [error] [client 192.168.24.111] webdev1: Authentication methods that can continue: publickey,keyboard-interactive.
[Thu Nov 02 14:48:54 2006] [error] [client 192.168.24.111] webdev1: Next method to try is publickey.
[Thu Nov 02 14:48:54 2006] [error] [client 192.168.24.111] webdev1: Trying pubkey authentication with key file '/var/www/.ssh/id_dsa'
[Thu Nov 02 14:49:00 2006] [error] [client 192.168.24.111] webdev1: Login completed, opening dummy shell channel.
[Thu Nov 02 14:49:00 2006] [error] [client 192.168.24.111] webdev1: channel 0: new [client-session]

With passworded:

[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Authentication methods that can continue: publickey,keyboard-interactive.
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Next method to try is publickey.
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Trying pubkey authentication with key file '/var/www/.ssh/id_dsa'
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Will not query passphrase for '/var/www/.ssh/id_dsa' in batch mode.
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Loading private key failed.
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] Permission denied at ~/cgi-bin/perl-net-ssh-perl-test.pl line 18

I wonder, if I _force_ it out of batch mode, but with a passworded
key... nope, that's obviously being interpreted as "should be run in
interactive mode" and is erroring. So I guess the question is, how do
I get Net::SSH::Perl to source keys from a running ssh-agent, as I
don't want to have passwordless private keys involved if I can avoid
it.

Will.
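As an added example (not code from Will's post, and not part of the Net::SSH::Perl distribution), here is the shape of a CGI-side script that keeps the on-disk private key passphrased and lets a running ssh-agent do the signing instead. It assumes that Net::SSH::Perl's SSH-2 public-key method will consult an agent reachable through SSH_AUTH_SOCK (the distribution ships Net::SSH::Perl::Agent for this; treat that behaviour as an assumption to verify on your version), that the agent was started as the same user httpd runs as, and that the socket path is present in httpd's environment. The host name target.example and the uptime command are placeholders; the user cgissh is the one named in the thread.

```perl
#!/usr/bin/perl
# Added example: use a running ssh-agent from a Net::SSH::Perl CGI client
# so the private key on disk can stay passphrase-protected.
use strict;
use warnings;
use Net::SSH::Perl;

my $host = 'target.example';   # placeholder, not from the thread
my $user = 'cgissh';           # user named in the thread

# Net::SSH::Perl cannot prompt for a passphrase under CGI ("Will not query
# passphrase ... in batch mode" in the log), so refuse to proceed unless an
# agent socket is visible to this process.
my $sock = $ENV{SSH_AUTH_SOCK}
    or die "SSH_AUTH_SOCK is not set; start the agent before httpd and export the socket into its environment\n";
-S $sock or die "$sock is not a socket\n";

# Defensive check: the socket must belong to the uid this CGI runs as.
# Anyone who can connect to the socket can sign with every loaded key.
my $owner = (stat $sock)[4];
die "agent socket owned by uid $owner, but this process is uid $<\n"
    unless defined $owner && $owner == $<;

my $ssh = Net::SSH::Perl->new(
    $host,
    protocol    => 2,
    interactive => 0,   # batch mode: never try to prompt, as under CGI
    debug       => 1,   # same trace lines as seen in the apache error_log
    # No identity_files here: with the key only in the agent, there is no
    # on-disk private key for the module to fail to decrypt. (Assumption:
    # the public-key method tries agent identities before key files.)
);

$ssh->login($user);
my ($out, $err, $exit) = $ssh->cmd('uptime');   # placeholder command

print "Content-Type: text/plain\r\n\r\n";
print defined $out ? $out : '';
print "stderr: $err\n" if defined $err && length $err;
print "exit status: ", ($exit // 'undef'), "\n";
```

Before wiring this into a request handler, confirm the prerequisite outside apache the way Marc suggested: become the apache user, start an agent, ssh-add the passphrased key once, and run the script from a shell with the same SSH_AUTH_SOCK. If it authenticates there but not under httpd, the difference is almost always that httpd was started without the socket path in its environment, or that the socket belongs to a different uid. The trade-off to keep in mind is that an agent with a loaded key is functionally a passwordless key for anything running as that uid, so the gain over an unencrypted id_dsa is that the key material is not readable from disk by a compromised CGI, not that its use is prevented.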