cannot see the echo sshpass output in my portal
 

Hello guys,

Thanks for allow me to be part of this community. I very new at Linux and I'm running my first project. So far I guess is working however when I want to display the output of a command in the html portal I dont see anything. Here is the bash:



#!/bin/bash
read -p "Mac given: " Add

if [ "$1" != "" ] ; then
Add=$1
fi

echo "Content-type: text/html"
echo $Add <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<this output is visible and i can confirm that what ever I receive from the PHP script is correct

echo ""
echo "<html><head><title>Bash as CGI"
echo "</title></head><body>"

echo "<center><h1>Find the information below</h1></center>"

echo $(sshpass -p XXXXX ssh XXXXXX@XXXXX show mac address-table address $Add) >>>>> Here is where it fails. If I run the batch I can see the output but if I go the portal I dont see anything.

echo ""
echo "<center>INITIAL TEST</center>"
echo "</body></html>"

Any help will be much appreciated !

Without commenting on the security considerations...but please read those in man sshpass

What does the web server -access and -error logs contain? If there's an error, it should be logged in the error_log.

I know, needs a lot work on that side but I want to make it work first. I have too few exposure on this world.
The command works, if I run it directly from the server I can see the correct out put.

let me check what the log says.

Thanks !!

ok, Permission denied...the last part I check the one that had the solution. Thanks for the advise again!

Using shell for CGI is fine but the way you are going about the work flow here provides several glaring security holes. Security is part of the intial design process and cannot be bolted on afterwards. If you need an example of bad design, look at the 40+ years of M$ garbage. So please reconsider your work flow to include security from the beginning.

Any data coming in from the outside is filthy and cannot be safely used or passed on to other programs without first being sanitized or at least validated. For example, someone could pass a single line of instructions and get a full reverse shell to $1, instead of what you were expecting:

So what are the allowed ranges or values for the $Add variable? Write a routine for your shell script to make sure it is clean.

Then as for the SSH password, don't use one, use an SSH key instead. SSH keys can be locked to a single program. Then on the server side, lock down the key with command="..." in authorized_keys. Substitute your details for the ... there. If you need to pass information, then make use of the $SSH_ORIGINAL_COMMAND environment variable and mine that for what you need. Again, keep in mind that information from the variable must be sanitized before use.

Hello Turbocapitalist, those are very useful recommendation for me, honestly I didn't think on that before maybe coz my lack of experience. But I will review all of it before sharing the portal with any user for sure.

The variable comes from a HTML format that is send to PHP script then from there I run the bash, I wont take all the credit, I took that flow from here and there and just put them together according to what I needed and made it work. It was simple but for my took me around a week :S.

I can do certs for sure to connect to my equipment and I didn't know I could do that in regards of the command recommendation which I'm planning to do it that way.

Any other observation is more than welcome!