Jonathan Duncan wrote:
> Ok, so this is what I have done:
>
> *-*-*-*-*-*-*-*-*-*-*
> $idResults = `sudo -u admin ssh admin@xxxxxxxxxxx id usertocheck 2>&1`;
> echo "id: (".$idResults.")\r\n"."\r\n";
> if (ereg("no such user", $idResults)) {
>     echo 'id blah!';
> }
> *-*-*-*-*-*-*-*-*-*-*
> So what I wanted to do is now working. My question now would be, are there
> any security concerns with how I am doing this?

That's kind of a "bad question" :-)

To some degree, the very fact that you *ARE* doing this -- allowing one machine to know for certain what is or isn't a valid username on another -- is a security risk.

But, assuming you really understand that, and consider that an acceptable risk...

Certainly using sudo to admin is better than some options.

But what else can 'admin' do?

Assuming 'admin' can do all sorts of nasty things, it would be even better to create a new user, say, 'serverBchecker' -- and the *ONLY* purpose in life for this user is to be able to check usernames on serverB. They should have read/write access to *NOTHING* *ELSE* on your entire machine, A, or B, unless it's absolutely necessary to perform the tasks required.

The next issue isn't about how this script does what it does: It's about who can access this script, and how, and when, and under what circumstances.

What you really want to avoid is anybody on the planet being able to pound away at this script, trying every username they can think of, to build up a list of valid usernames on serverB.

If you can restrict access to this script, in any way, to any degree, you are reducing your risk.

Can it be behind an SSL connection, with only trusted users logging in through a known safe authentication system?

Can you do just the login? Just the SSL?

Can you at least build the system so that if somebody tries to check more than N usernames in time period T, they are locked out?

We don't really know what you are doing, or why you need this, but you're on thin ice, so put on your criminal hat, and figure out what the bad guys are likely to try, and then make it harder for them to try that.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
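
The "more than N usernames in time period T" lockout suggested in the reply, sketched in PHP as an added example that is not part of the original thread. The values of N and T, the lockout length, the function names and the shape of the `$state` record are all assumptions; the caller is expected to load and save `$state` per authenticated user or client IP.

```php
<?php
// Added example, not from the thread. N, T, the lockout length and all
// function names are assumptions chosen for illustration.
const MAX_CHECKS = 5;         // N: distinct usernames allowed per window
const WINDOW_SECONDS = 600;   // T: length of the sliding window
const LOCKOUT_SECONDS = 3600; // how long a client stays locked out

// Accept only conservative POSIX-style account names, so nothing
// shell-significant can ever reach the remote `id` command.
function valid_username(string $name): bool
{
    return preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $name) === 1;
}

// $state is the per-client record (kept in a session, database or cache).
// Returns true if this lookup may proceed, false if the client is locked out.
function allow_check(array &$state, string $username, int $now): bool
{
    if (($state['locked_until'] ?? 0) > $now) {
        return false; // still serving an earlier lockout
    }
    // Forget lookups that have aged out of the window.
    $seen = array_filter(
        $state['seen'] ?? [],
        fn (int $ts): bool => $ts > $now - WINDOW_SECONDS
    );
    $seen[$username] = $now; // repeats of one name count once
    $state['seen'] = $seen;
    if (count($seen) > MAX_CHECKS) {
        $state['locked_until'] = $now + LOCKOUT_SECONDS;
        return false;
    }
    return true;
}

// Constructed demo: one client trying a new name every 10 seconds.
$state = [];
$start = 1000000;
$names = ['alice', 'bob', 'carol', 'x; id', 'dave', 'erin', 'frank', 'alice'];
foreach ($names as $i => $name) {
    if (!valid_username($name)) {
        echo "$name: rejected, not a valid username\n";
        continue;
    }
    $ok = allow_check($state, $name, $start + 10 * $i);
    echo $name . ': ' . ($ok ? 'check allowed' : 'locked out') . "\n";
}
```

Only names that pass both checks should be handed to the `ssh ... id` call, and even then wrapped in `escapeshellarg()`.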