On 02/11/06, Marc <wia at iglass.net> wrote:
> hey Will,

Hi Marc, thanks for responding.

> We don't use keychain, but we do use Net::SSH::Perl through apache
> on CentOS and RHEL.

The reason I'm using Keychain is to provide passwordless authentication whilst still having passworded private keys, if you can see where I'm coming from.

> Couple questions. Can you become the apache user and manually
> ssh into cgissh at target with/without a password? If so can you
> manually run your script outside of apache? No group or other write
> permission set on any of the directories above your keys? Anything
> in syslog on the ssh server side concerning why permission was
> denied?

Yep, SSH from client to target as the intended users is OK. As allowing CGIs to connect to other systems and run commands isn't an ideal situation security-wise, I've been very strict with permissions and ownerships, but it does work and I've loosened them just on the off chance it was a permissions thing. Here's a snippet of me su - ing and connecting to the target system...

[root at webdev1 ~]# su - apache
KeyChain 2.5.1; http://www.gentoo.org/proj/en/keychain/
Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL
 * Found existing ssh-agent (4189)
 * ssh-agent: All identities removed.
 * Adding 1 ssh key(s)...
Enter passphrase for /var/www/.ssh/id_dsa:
Identity added: /var/www/.ssh/id_dsa (/var/www/.ssh/id_dsa)
[apache at webdev1 ~]$ ssh -p2251 -lcgissh manlvs1 hostname
manlvs1b

Running the CGI script from the command line behaves the same, i.e. it connects, executes 'hostname' and returns the correct response.

> I will say that once you get it working, make sure you have the
> following perl modules installed. It will drastically increase the
> speed of your handshaking. At least it did for us.
>
> Crypt-DH 0.03 (Yes, older version)
> IO
> Math-BigInt-GMP

I had noticed a _considerable_ speed overhead using Net::SSH::Perl but I'd put that aside as something to address once I've got it working as expected. I'll have a look at those modules, thanks.

Will.
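
The directory check Marc asks about ("No group or other write permission set on any of the directories above your keys?"), as an added example that is not part of the original thread. The function name `check_key_path` and its optional second argument (a directory at which to stop walking) are assumptions made for this sketch; it only reads permissions and changes nothing.

```shell
#!/bin/sh
# Added example (not from the thread).
# check_key_path KEYFILE [TOP]
# Walk from KEYFILE up to TOP (default /) and report every path component
# that is writable by group or other.
# Returns 0 if none found, 1 if any found, 2 if a component does not exist.
# Usage, with the key path shown in the session above:
#   check_key_path /var/www/.ssh/id_dsa
check_key_path() {
    path=$1
    top=${2:-/}
    bad=0
    # Make a relative argument absolute so the upward walk ends at /
    case $path in
        /*) ;;
        *) path=$PWD/$path ;;
    esac
    while :; do
        if [ ! -e "$path" ]; then
            echo "missing: $path" >&2
            return 2
        fi
        # Mode string such as drwxr-xr-x: column 6 is group write,
        # column 9 is other write. -L reports the symlink target's mode.
        mode=$(ls -ldL "$path" | cut -c1-10)
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            echo "group/other writable: $mode $path"
            bad=1
        fi
        if [ "$path" = "$top" ] || [ "$path" = / ]; then
            break
        fi
        path=$(dirname "$path")
    done
    return "$bad"
}
```

Run it as the account that owns the key (here the apache user) so every component of the path is readable to the check.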