[CentOS] SOLVED: Re: Using perl-Net-SSH-Perl with pubkey authentication under CGI.




On 02/11/06, Will McDonald <wmcdonald@xxxxxxxxx> wrote:
Guys, I wonder if anyone can give me any pointers here, I hope it's
CentOS related enough not to be too off topic, if it is then
apologies.

Thanks to Marc and Ingimar for their suggestions, I think we've cracked it.

When Keychain runs it prompts the user for their private key password
then stores the ssh-agent information away in ~/.keychain/$hostname-sh
and ~/.keychain/$hostname-csh. For example...

[root@webdev1 ~]# cat ~apache/.keychain/`hostname`-sh
SSH_AUTH_SOCK=/tmp/ssh-yheGAI4188/agent.4188; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4189; export SSH_AGENT_PID;

Ingimar suggested these environment variables might not be available
to the CGI environment and he was spot on. It appears Agent.pm from
Net::SSH::Perl looks for these in the environment and can find them
when scripts are run from the shell because they're there (duh me :)).

So, set up a password-protected keypair and run Keychain from
.bash_profile as follows...

[root@webdev1 ~]# cat ~apache/.bash_profile
keychain --nogui id_dsa --clear
[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh
[[ -f $HOME/.keychain/$HOSTNAME-sh-gpg ]] && source $HOME/.keychain/$HOSTNAME-sh-gpg

The '--clear' will remove all Keychain information on login (though
not perfectly, it could be circumvented with a well-timed CTRL-C) but,
critically, leave it available for non-interactive sessions if you
log in, enter the private key passphrase, then log out.

You'll initially need to "su - apache" once if the box reboots and you
need to enter the private key password if you need to 'su' to do
anything else as the user, otherwise the ssh-agent information is
available to scripts running as that user. For bash, as mentioned I'd
just import it with

[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh

For the Perl script I needed to add:

$ENV{SSH_AGENT_PID}="4189";
$ENV{SSH_AUTH_SOCK}="/tmp/ssh-yheGAI4188/agent.4188";

Obviously, I'll read those in properly from ~/.keychain/$hostname-sh
in the final script but as proof of concept... :)

Will.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
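The post ends with the two hard-coded `$ENV{...}` assignments and a promise to read them from `~/.keychain/$hostname-sh` properly. Below is an added example of that step; it is not Will's final script and not part of Net::SSH::Perl or Keychain. It assumes the two-line file format shown above (`NAME=value; export NAME;`), that the CGI runs as the same user that ran Keychain (so its home directory holds the file), and it only copies `SSH_AUTH_SOCK` and `SSH_AGENT_PID` into `%ENV`, refusing anything else so a modified file cannot inject arbitrary environment variables into the CGI process. The host name `remote.example.com` in the trailing comment is a placeholder.

```perl
#!/usr/bin/perl
# Added example (not from the original post): load the ssh-agent variables
# that Keychain writes to ~/.keychain/<hostname>-sh into %ENV, so that
# Net::SSH::Perl's Agent.pm can find the agent when running under CGI,
# where no login shell has sourced .bash_profile.
use strict;
use warnings;
use Sys::Hostname qw(hostname);

# Only the two variables Keychain writes are accepted; anything else in the
# file is ignored rather than exported into the CGI environment.
my %ALLOWED = map { $_ => 1 } qw(SSH_AUTH_SOCK SSH_AGENT_PID);

# Parse lines of the form  NAME=value; export NAME;  into a hash ref.
sub parse_keychain_sh {
    my ($text) = @_;
    my %vars;
    for my $line (split /\n/, $text) {
        next unless $line =~ /^([A-Z_]+)=([^;\s]+);\s*export\s+\1;/;
        next unless $ALLOWED{$1};
        $vars{$1} = $2;
    }
    return \%vars;
}

# Read ~/.keychain/<hostname>-sh for the current user (home directory taken
# from the passwd entry, since $HOME is often unset under CGI), verify the
# agent is really there, then export the variables into %ENV.
sub load_keychain_env {
    my ($dir) = @_;
    $dir = (getpwuid($<))[7] . '/.keychain' unless defined $dir;
    my $file = "$dir/" . hostname() . '-sh';

    open my $fh, '<', $file or die "cannot read $file: $!";
    my $text = do { local $/; <$fh> };
    close $fh;

    my $vars = parse_keychain_sh($text);
    die "no SSH_AUTH_SOCK in $file" unless $vars->{SSH_AUTH_SOCK};
    # The socket must exist and the agent pid must still be alive, otherwise
    # ssh-agent has gone away (e.g. after a reboot before "su - apache").
    die "agent socket $vars->{SSH_AUTH_SOCK} missing"
        unless -S $vars->{SSH_AUTH_SOCK};
    die "ssh-agent pid $vars->{SSH_AGENT_PID} not running"
        if $vars->{SSH_AGENT_PID} && !kill(0, $vars->{SSH_AGENT_PID});

    @ENV{keys %$vars} = values %$vars;
    return $vars;
}

# Quick offline check of the parser on the (constructed) file content
# matching what Keychain wrote in the thread above.
my $sample = "SSH_AUTH_SOCK=/tmp/ssh-yheGAI4188/agent.4188; export SSH_AUTH_SOCK;\n"
           . "SSH_AGENT_PID=4189; export SSH_AGENT_PID;\n"
           . "PATH=/evil; export PATH;\n";   # must be ignored
my $parsed = parse_keychain_sh($sample);
print "$_=$parsed->{$_}\n" for sort keys %$parsed;

# In the real CGI script: load the agent variables, then connect.
# load_keychain_env();
# use Net::SSH::Perl;
# my $ssh = Net::SSH::Perl->new('remote.example.com');   # placeholder host
# $ssh->login('apache');
```

The liveness checks matter in this setup: after a reboot the file still exists but points at a dead agent, so failing loudly at `load_keychain_env()` tells you to do the one-time `su - apache` rather than letting Net::SSH::Perl fall through to a confusing authentication error.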
