On Thursday 02 November 2006 06:58, Will McDonald wrote:
> Update: I've just tried removing the passphrase from the private key
> and now Net::SSH::Perl is happily reading it and using it to
> authenticate so now I suppose the question is can I use it with a
> passworded private key...

Are you sure that apache reads all its login scripts when forking to run a CGI? It looked as if you were having something auto-add your key through ssh-agent on su - apache.

Are you really looking for a passworded key? If you are just including the password in a script along with the key you really aren't increasing your security at all, but you are increasing the complexity. As long as you trust the integrity of the box the private key is stored on, you should be fine. If an attacker gets into this box, it's not a great leap to assume they'll be able to find a passphrase supplied in a script if they find the CGI (and it's not a great leap to think they might look for that when finding an SSH private key associated with user apache).

Have you considered SUExec? That way you aren't running as Apache, but as a specified account. This might also limit exposure in the case that there is an Apache exploit that gives privileges to users as the apache user.

--
- Kevan Benson
- A-1 Networks