[CentOS] Using perl-Net-SSH-Perl with pubkey authentication under CGI.

Thu Nov 2 18:39:46 UTC 2006
Kevan Benson <kbenson at a-1networks.com>

On Thursday 02 November 2006 06:58, Will McDonald wrote:
> Update: I've just tried removing the passphrase from the private key
> and now Net::SSH::Perl is happily reading it and using it to
> authenticate so now I suppose the question is can I use it with a
> passworded private key...

Are you sure that apache reads all its login scripts when forking to run a 
CGI?  It looked as if you were having something auto-add your key through 
ssh-agent on su - apache.

Are you really looking for a passworded key?  If you are just including the 
password in a script along with the key you really aren't increasing your 
security at all, but you are increasing the complexity.  As long as you trust 
the integrity of the box the private key is stored on, you should be fine.  
If an attacker gets into this box, it's not a great leap to assume they'll be 
able to find a passphrase supplied in a script if they find the CGI (and it's 
not a great leap to think they might look for that when finding an SSH 
private key associated with user apache).

Have you considered SUExec?  That way you aren't running as Apache, but as a 
specified account.  This might also limit exposure in the case that there is 
an Apache exploit that gives privileges to users as the apache user.

-- 
- Kevan Benson
- A-1 Networks
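The approach the reply argues for (an unencrypted key protected by file ownership and a dedicated suEXEC account rather than by a passphrase embedded in the script) can be written as a small CGI. This is an added example, not code from the thread or from Net::SSH::Perl itself; the host name, remote account and key path are placeholders, and the ownership/mode check before loading the key is an added safeguard, not something Net::SSH::Perl performs on its own.

```perl
#!/usr/bin/perl
# Added example (not from the mailing-list thread): a CGI that runs one
# remote command over SSH using an unencrypted private key.  Protection of
# the key comes from file ownership/mode and from running the CGI under a
# dedicated account (suEXEC), not from a passphrase stored in this script.
# Host, remote user and key path below are placeholders.
use strict;
use warnings;
use Net::SSH::Perl;

my $host     = 'backend.example.invalid';    # placeholder host
my $user     = 'deploy';                     # placeholder remote account
my $key_file = '/home/cgiuser/.ssh/id_rsa';  # placeholder, unencrypted key

print "Content-Type: text/plain\r\n\r\n";

# Which account is this CGI really running as?  Under plain mod_cgi it is
# the apache user; under suEXEC it is the account configured for the vhost.
my $me = getpwuid($<);
$me = $< unless defined $me;
print "CGI running as: $me\n";

# Refuse to use a key that other accounts could read or that we do not own.
# If the key is readable by the apache user, a web-tier compromise reads it.
my @st = stat($key_file)
    or die "cannot stat $key_file: $!\n";
my $mode  = $st[2] & 0777;
my $owner = $st[4];
die sprintf("key %s has mode %04o; expected 0600\n", $key_file, $mode)
    if $mode & 0077;
die "key $key_file is not owned by the CGI's user ($me)\n"
    if $owner != $<;

my $ssh = Net::SSH::Perl->new(
    $host,
    protocol       => 2,
    identity_files => [$key_file],
    interactive    => 0,   # never try to prompt for a passphrase under CGI
);

# No password argument: authentication must succeed with the key alone,
# which is exactly the situation Will reported working once the
# passphrase was removed.
$ssh->login($user);

my ($out, $err, $exit) = $ssh->cmd('uptime');
print "exit status: $exit\n";
print "stdout:\n$out" if defined $out;
print "stderr:\n$err" if defined $err;
```

Under suEXEC the key lives in the dedicated account's home directory with mode 0600, so the apache user (and therefore any code that only has the apache user's privileges) cannot read it at all; without suEXEC the ownership check above simply fails, which makes the misconfiguration visible instead of silently using a key the web server user can read.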