Will McDonald
2006-Nov-02 10:53 UTC
[CentOS] Using perl-Net-SSH-Perl with pubkey authentication under CGI.
Guys, I wonder if anyone can give me any pointers here, I hope it's CentOS related enough not to be too off topic, if it is then apologies. I'm attempting to setup a CGI which can connect to a remote system and execute a command. On the 'client', for the Apache user 'apache' I've given it a shell and generated a key-pair. I've configured Keychain [ http://www.gentoo.org/proj/en/keychain/ ] to load the keys for the apache user and make these persistently available via ssh-agent. I've setup a specific user 'cgissh' on the remote target system and configured its authorized_keys with apache at client's pubkey.>From the client system, running the following script from the shellreturns the information I'd expect... [apache at webdev1 cgi-bin]$ cat perl-net-ssh-perl-test.pl #!/usr/bin/perl print "Content-type: text/html\n\n"; print "<HEAD><TITLE>Quick Test</TITLE></HEAD>"; $ENV{HOME} = "/var/www"; $ENV{USER} = "apache"; use Net::SSH::Perl; $sshhost='target'; $sshuser='cgissh'; $sshport='22'; $sshprotocol='2'; $sshdebug='1'; $sshcipher='3des-cbc'; $sshconn = Net::SSH::Perl->new($sshhost, protocol=>$sshprotocol, port=>$sshport, debug=>$sshdebug, cipher=>$sshcipher); $sshconn->login($sshuser); my($out,$err) = $sshconn->cmd('hostname'); print "<HTML>"; print "<BODY>"; print $out; print "</HTML>"; print "</BODY>"; It's definately using the pubkey information from Keychain as the target system ONLY accepts key-based authentication and I'm "su - apache"d to run the script so it's not picking up another users ssh-agent key info from the environment. Attempting to execute the same script as a CGI by accessing http://client/cgi-bin/perl-net-ssh-perl-test.pl results in the following in the logs... [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] clienthostname: Reading configuration data /var/www/.ssh/config [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] clienthostname: Reading configuration data /etc/ssh_config [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] clienthostname: Connecting to manlvs1, port 2251. [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] clienthostname: Remote version string: SSH-2.0-OpenSSH_3.9p1 [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] clienthostname: Remote protocol version 2.0, remote software version OpenSSH_3.9p 1 [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] clienthostname: Net::SSH::Perl Version 1.30, protocol version 2.0. [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] clienthostname: No compat match: OpenSSH_3.9p1. [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] clienthostname: Connection established. [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] clienthostname: Sent key-exchange init (KEXINIT), wait response. [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] clienthostname: Algorithms, c->s: 3des-cbc hmac-sha1 none [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] clienthostname: Algorithms, s->c: 3des-cbc hmac-sha1 none [Wed Nov 01 17:11:30 2006] [error] [client 192.168.1.2] clienthostname: Entering Diffie-Hellman Group 1 key exchange. [Wed Nov 01 17:11:30 2006] [error] [client 192.168.1.2] clienthostname: Sent DH public key, waiting for reply. [Wed Nov 01 17:11:30 2006] [error] [client 192.168.1.2] clienthostname: Received host key, type 'ssh-dss'. [Wed Nov 01 17:11:30 2006] [error] [client 192.168.1.2] clienthostname: Host 'manlvs1' is known and matches the host key. [Wed Nov 01 17:11:30 2006] [error] [client 192.168.1.2] clienthostname: Computing shared secret key. [Wed Nov 01 17:12:07 2006] [error] [client 192.168.1.2] clienthostname: Verifying server signature. [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] clienthostname: Waiting for NEWKEYS message. [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] clienthostname: Enabling incoming encryption/MAC/compression. [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] clienthostname: Send NEWKEYS, enable outgoing encryption/MAC/compression. [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] clienthostname: Sending request for user-authentication service. [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] clienthostname: Service accepted: ssh-userauth. [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] clienthostname: Trying empty user-authentication request. [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] clienthostname: Authentication methods that can continue: publickey,keyboard-interactive. [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] clienthostname: Next method to try is publickey. [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] clienthostname: Trying pubkey authentication with key file '/var/www/.ssh/id_dsa' [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] clienthostname: Will not query passphrase for '/var/www/.ssh/id_dsa' in batch mode. [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] clienthostname: Loading private key failed. [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] Permission denied at /home/clientusername/cgi-bin/perl-net-ssh-per l-test.pl line 18 Why is it failing to load the private key? Do I need to source something from the shell into the Perl script as would with a shell script to use the Keychain agent information? If this was a shell script I'd have used '[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh'. Additional info: Both systems are up-to-date CentOS 4.4 systems running the default Apache with perl-Net-SSH-Perl and its dependencies from RPMForge. Any pointers greatly appreciated. Will.
Marc
2006-Nov-02 14:02 UTC
[CentOS] Using perl-Net-SSH-Perl with pubkey authentication underCGI.
hey Will, We don't use keychain, but we do use Net::SSH::Perl through apache on CentOS and RHEL. Couple questions. Can you become the apache user and manually ssh into cgissh at target with/without a password? If so can you manually run your script outside of apache? No group or other write permission set on any of the directories above your keys? Anything in syslog on the ssh server side concerning why permission was denied? I will say that once you get it working, make sure you have the following perl modules installed. It will drastically increase the speed of your handshaking. At least it did for us. Crypt-DH 0.03 (Yes, older version) IO Math-BigInt-GMP hope this helps, marc> -----Original Message----- > From: Will McDonald > Sent: Thursday, November 02, 2006 5:54 AM > To: CentOS mailing list > Subject: [CentOS] Using perl-Net-SSH-Perl with pubkey > authentication underCGI. > > Guys, I wonder if anyone can give me any pointers here, I hope it's > CentOS related enough not to be too off topic, if it is then > apologies. > > I'm attempting to setup a CGI which can connect to a remote system and > execute a command. > > On the 'client', for the Apache user 'apache' I've given it a shell > and generated a key-pair. I've configured Keychain [ > http://www.gentoo.org/proj/en/keychain/ ] to load the keys for the > apache user and make these persistently available via ssh-agent. > > I've setup a specific user 'cgissh' on the remote target system and > configured its authorized_keys with apache at client's pubkey. > > >From the client system, running the following script from the shell > returns the information I'd expect... > > [apache at webdev1 cgi-bin]$ cat perl-net-ssh-perl-test.pl > #!/usr/bin/perl > > print "Content-type: text/html\n\n"; > print "<HEAD><TITLE>Quick Test</TITLE></HEAD>"; > > $ENV{HOME} = "/var/www"; > $ENV{USER} = "apache"; > > use Net::SSH::Perl; > > $sshhost='target'; > $sshuser='cgissh'; > $sshport='22'; > $sshprotocol='2'; > $sshdebug='1'; > $sshcipher='3des-cbc'; > $sshconn = Net::SSH::Perl->new($sshhost, protocol=>$sshprotocol, > port=>$sshport, debug=>$sshdebug, cipher=>$sshcipher); > $sshconn->login($sshuser); > my($out,$err) = $sshconn->cmd('hostname'); > > print "<HTML>"; > print "<BODY>"; > > print $out; > > print "</HTML>"; > print "</BODY>"; > > It's definately using the pubkey information from Keychain as the > target system ONLY accepts key-based authentication and I'm "su - > apache"d to run the script so it's not picking up another users > ssh-agent key info from the environment. > > Attempting to execute the same script as a CGI by accessing > http://client/cgi-bin/perl-net-ssh-perl-test.pl results in the > following in the logs... > > [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] > clienthostname: Reading configuration data /var/www/.ssh/config > [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] > clienthostname: Reading configuration data /etc/ssh_config > [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] > clienthostname: Connecting to manlvs1, port 2251. > [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] > clienthostname: Remote version string: SSH-2.0-OpenSSH_3.9p1 > [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] > [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] > clienthostname: Remote protocol version 2.0, remote software version > OpenSSH_3.9p 1 > [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] > clienthostname: Net::SSH::Perl Version 1.30, protocol version 2.0. > [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] > clienthostname: No compat match: OpenSSH_3.9p1. > [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] > clienthostname: Connection established. > [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] > clienthostname: Sent key-exchange init (KEXINIT), wait response. > [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] > clienthostname: Algorithms, c->s: 3des-cbc hmac-sha1 none > [Wed Nov 01 17:10:53 2006] [error] [client 192.168.1.2] > clienthostname: Algorithms, s->c: 3des-cbc hmac-sha1 none > [Wed Nov 01 17:11:30 2006] [error] [client 192.168.1.2] > clienthostname: Entering Diffie-Hellman Group 1 key exchange. > [Wed Nov 01 17:11:30 2006] [error] [client 192.168.1.2] > clienthostname: Sent DH public key, waiting for reply. > [Wed Nov 01 17:11:30 2006] [error] [client 192.168.1.2] > clienthostname: Received host key, type 'ssh-dss'. > [Wed Nov 01 17:11:30 2006] [error] [client 192.168.1.2] > clienthostname: Host 'manlvs1' is known and matches the host key. > [Wed Nov 01 17:11:30 2006] [error] [client 192.168.1.2] > clienthostname: Computing shared secret key. > [Wed Nov 01 17:12:07 2006] [error] [client 192.168.1.2] > clienthostname: Verifying server signature. > [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] > clienthostname: Waiting for NEWKEYS message. > [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] > clienthostname: Enabling incoming encryption/MAC/compression. > [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] > clienthostname: Send NEWKEYS, enable outgoing > encryption/MAC/compression. > [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] > clienthostname: Sending request for user-authentication service. > [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] > clienthostname: Service accepted: ssh-userauth. > [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] > clienthostname: Trying empty user-authentication request. > [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] > clienthostname: Authentication methods that can continue: > publickey,keyboard-interactive. > [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] > clienthostname: Next method to try is publickey. > [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] > clienthostname: Trying pubkey authentication with key file > '/var/www/.ssh/id_dsa' > [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] > clienthostname: Will not query passphrase for '/var/www/.ssh/id_dsa' > in batch mode. > [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] > clienthostname: Loading private key failed. > [Wed Nov 01 17:12:18 2006] [error] [client 192.168.1.2] Permission > denied at /home/clientusername/cgi-bin/perl-net-ssh-per l-test.pl line > 18 > > Why is it failing to load the private key? Do I need to source > something from the shell into the Perl script as would with a shell > script to use the Keychain agent information? If this was a shell > script I'd have used '[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source > $HOME/.keychain/$HOSTNAME-sh'. > > Additional info: Both systems are up-to-date CentOS 4.4 systems > running the default Apache with perl-Net-SSH-Perl and its dependencies > from RPMForge. > > Any pointers greatly appreciated. > > Will.
Seemingly Similar Threads
- Samba 2.2 vs. 3: Domain Member & Winbind quick question
- Keychain Patch Try II
- SOLVED: Re: Using perl-Net-SSH-Perl with pubkey authentication under CGI.
- Mac OS X Keychain Support
- flood of (auth in progress) connections from unresponsive windows client crashing samba