[CentOS] SOLVED: Re: Using perl-Net-SSH-Perl with pubkey authentication under CGI.

Thu Nov 2 17:37:45 UTC 2006
Will McDonald <wmcdonald at gmail.com>

On 02/11/06, Will McDonald <wmcdonald at gmail.com> wrote:
> Guys, I wonder if anyone can give me any pointers here, I hope it's
> CentOS related enough not to be too off topic, if it is then
> apologies.

Thanks to Marc and Ingimar for their suggestions, I think we've cracked it.

When Keychain runs it prompts the user for their private key password
then stores the ssh-agent information away in ~/.keychain/$hostname-sh
and ~/.keychain/$hostname-csh. For example...

[root at webdev1 ~]# cat ~apache/.keychain/`hostname`-sh
SSH_AUTH_SOCK=/tmp/ssh-yheGAI4188/agent.4188; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4189; export SSH_AGENT_PID;

Ingimar suggested these environment variables might not be available
to the CGI environment and he was spot on. It appears Agent.pm from
Net::SSH::Perl looks for these in the environment and can find them
when scripts are run from the shell because they're there (duh me :)).

So, set up a password-protected keypair and run Keychain from
.bash_profile as follows...

[root at webdev1 ~]# cat ~apache/.bash_profile
keychain --nogui id_dsa --clear
[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh
[[ -f $HOME/.keychain/$HOSTNAME-sh-gpg ]] && source $HOME/.keychain/$HOSTNAME-sh-gpg

The '--clear' will remove all Keychain information on login (though
not perfectly, it could be circumvented with a well-timed CTRL-C) but,
critically, leave it available for non-interactive sessions if you
login, enter private key passphrase then logout.

You'll initially need to "su - apache" once if the box reboots and you
need to enter the private key password if you need to 'su' to do
anything else as the user, otherwise the ssh-agent information is
available to scripts running as that user. For bash, as mentioned I'd
just import it with

[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh

For the Perl script I needed to add:

$ENV{SSH_AGENT_PID}="4189";
$ENV{SSH_AUTH_SOCK}="/tmp/ssh-yheGAI4188/agent.4188";

Obviously, I'll read those in properly from ~/.keychain/$hostname-sh
in the final script but as proof of concept... :)

Will.
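The post leaves "reading those in properly" as an exercise. The script below is an added example, not code from Will's message or from Net::SSH::Perl: it parses the keychain `$HOSTNAME-sh` file with a strict whitelist (only SSH_AUTH_SOCK and SSH_AGENT_PID, each matched against a narrow pattern), checks that the agent socket actually exists and belongs to the user the CGI runs as, and only then exports the variables into %ENV before Net::SSH::Perl is constructed. It assumes the file name written by keychain matches Sys::Hostname's hostname() (the same value as bash's $HOSTNAME on this box), that the CGI runs as the apache user whose home holds ~/.keychain, and that `remotehost.example` is a placeholder for the real target; the sample keychain text is constructed from the values shown in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Sys::Hostname qw(hostname);

# Parse the contents of keychain's "$HOSTNAME-sh" file and return only the
# two variables the SSH agent needs. Anything else in the file is ignored,
# and each value is checked against a strict pattern, so a tampered or
# truncated file cannot push arbitrary variables into the CGI's environment.
sub parse_keychain_sh {
    my ($text) = @_;
    my %want = (
        SSH_AUTH_SOCK => qr{^/[\w./-]+$},   # absolute path, no shell metachars
        SSH_AGENT_PID => qr{^\d+$},         # numeric pid
    );
    my %env;
    for my $line (split /\n/, $text) {
        # keychain writes: SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.NNNN; export SSH_AUTH_SOCK;
        next unless $line =~ /^(SSH_AUTH_SOCK|SSH_AGENT_PID)=([^;]+);\s*export\s+\1;/;
        my ($name, $value) = ($1, $2);
        die "refusing suspicious $name value '$value'\n"
            unless $value =~ $want{$name};
        $env{$name} = $value;
    }
    die "no SSH_AUTH_SOCK found in keychain file\n"
        unless exists $env{SSH_AUTH_SOCK};
    return \%env;
}

# Read the keychain file, sanity-check the agent socket (it must exist, be a
# socket, and be owned by the uid this script runs as) and export the
# variables into %ENV. Net::SSH::Perl's Agent.pm finds the agent through
# SSH_AUTH_SOCK; SSH_AGENT_PID is exported too so %ENV matches what a shell
# that sourced the file would have.
sub load_keychain_env {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    local $/;                       # slurp the whole file
    my $env = parse_keychain_sh(<$fh>);
    close $fh;

    my $sock = $env->{SSH_AUTH_SOCK};
    die "$sock is not a socket (agent gone, keychain file stale?)\n" unless -S $sock;
    my $owner = (stat $sock)[4];
    die "$sock is owned by uid $owner, not uid $<\n" unless $owner == $<;

    $ENV{$_} = $env->{$_} for keys %$env;
    return $env;
}

# Constructed sample with the same shape (and values) as the file in the thread.
my $sample = <<'EOF';
SSH_AUTH_SOCK=/tmp/ssh-yheGAI4188/agent.4188; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4189; export SSH_AGENT_PID;
EOF
my $parsed = parse_keychain_sh($sample);
print "parsed: $_=$parsed->{$_}\n" for sort keys %$parsed;

# Real use from the CGI: the file lives under the home of the user we run as.
my $home = (getpwuid $<)[7];
my $file = "$home/.keychain/" . hostname() . "-sh";   # assumes hostname() eq $HOSTNAME
if (-r $file) {
    load_keychain_env($file);
    # The agent must be in %ENV before the object is created, because
    # public-key authentication consults it during login().
    require Net::SSH::Perl;
    my $ssh = Net::SSH::Perl->new('remotehost.example', protocol => 2);  # placeholder host
    $ssh->login('apache');
    my ($out, $err, $exit) = $ssh->cmd('uptime');
    print $out;
}
```

The ownership check matters because the agent socket lives under /tmp: if keychain's file is stale and the path has been reused by some other user's agent, the script should refuse rather than hand its authentication requests to a socket it does not control. Parsing the file rather than `eval`-ing or sourcing it keeps a writable ~/.keychain from becoming a way to inject arbitrary environment into the web server process.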