On Thursday 02 November 2006 06:58, Will McDonald wrote:
> Update: I've just tried removing the passphrase from the private key
> and now Net::SSH::Perl is happily reading it and using it to
> authenticate so now I suppose the questions is can I use it with a
> passworded private key...
Are you sure that apache reads all it's login scripts when forking to run a
CGI? It looked as if you were having something auto-add your key through
ssh-agent on su - apache.
Are you really looking for a passworded key? If you are just including the
password in a script along with the key you really aren't increasing your
security at all, but you are increasing the complexity. As long as you trust
the integrity of the box the private key is stored on, you should be fine.
If an attacker gets into this box, it's not a great leap to assume they'll be
able to find a passphrase supplied in a script if they find the CGI (and it's
not a great leap to think they might look for that when finding an SSH
private key associated with user apache).
Have you considered SUExec? That way you aren't running as Apache, but as a
specified account. This might also limit exposure in the case that there is
an Apache exploit that gives privileges to users as the apache user.
--
- Kevan Benson
- A-1 Networks
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
