LinuxQuestions.org
Old 07-28-2009, 08:58 AM   #1
peterjfrancis
LQ Newbie
 
Registered: Jul 2009
Posts: 3

Rep: Reputation: 0
SSH into a windows PC and run a command from PHP script


I am trying to SSH into a Windows PC and run a command from a PHP script.
Here is a typical command I am trying to execute. I also need to run a batch file on the Windows box.

Code:
ssh user@192.168.10.131 cmd /c dir
The above works fine when typed into a terminal window on the Linux server, but when I put that in my PHP script it refuses to work.

The following is a fragment of code from my PHP script

Code:
$command = 'ssh user@192.168.10.131 "cmd /c dir"';
$return = shell_exec("$command");
Can anyone offer any pointers? Thanks in advance!


Server = Linux (SME) with PHP5
Client = WinXP Pro
 
Old 07-28-2009, 09:04 AM   #2
Agrouf
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: LFS
Posts: 1,591

Rep: Reputation: 79
Does the user running the php program (apache?) need a password to connect to user@192.168.10.131?
 
Old 07-29-2009, 02:38 AM   #3
peterjfrancis
LQ Newbie
 
Registered: Jul 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Agrouf
Does the user running the php program (apache?) need a password to connect to user@192.168.10.131?
Hello Agrouf
The password is handled by public-key authentication.

The problem seems to be related to sending the command to the remote system via PHP, as the commands all work when typed into a terminal.
 
Old 07-29-2009, 07:04 AM   #4
Agrouf
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: LFS
Posts: 1,591

Rep: Reputation: 79
But how are you executing the php script?
Are you calling php from the command line with your user, or are you using a browser to access a page served by apache?
 
Old 07-29-2009, 09:48 AM   #5
geek745
Member
 
Registered: Jul 2004
Location: Boston, MA
Distribution: Slackware; Ubuntu; Slax
Posts: 172
Blog Entries: 2

Rep: Reputation: 33
Yes, Agrouf is getting at your problem, I think. If you are not running the apache or php servers as you (check httpd.conf for
Code:
user = www
or similar), then you should not expect the same behavior from it as from your user on the command line - you should be able to duplicate the results by doing
Code:
su -s /bin/bash www
to get a shell with the web server user - then you will find your problem. Also, logs from the ssh server you're connecting to and possibly logs from the PHP script may also help diagnose what you need to change.

If it is possible, you will need to provide a private/public key pair to the web server user AND make sure that it can access it - ssh on the client will look in the user's home directory's .ssh/ to find ssh_config and the private key (id_rsa or similar), so you will need to put the private key into the web server user's home directory (find out what this is with grep -e "www" /etc/passwd). I do not know if the web server user needs to be able to login... in /etc/shadow, if there is a '!' instead of a password hash, that user does not have the privilege of logging into an interactive terminal... it may or may not make a difference.
 
Old 07-30-2009, 11:41 AM   #6
peterjfrancis
LQ Newbie
 
Registered: Jul 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Hello Agrouf and geek745,
The script is called from a browser (and therefore Apache) and the user is reported as www by the following....

PHP Code:
$whoami = shell_exec("whoami");
echo "whoami = " . $whoami . "<br>";

I checked httpd.conf as suggested by geek745 and found the following ....

Code:
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.  

# User/Group: The name (or #number) of the user/group to run httpd as.
#  On SCO (ODT 3) use User nouser and Group nogroup
#  On HPUX you may not be able to use shared memory as nobody, and the
#  suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000; 
#  don't use Group nobody on these systems!

User www
Group www
From this it seems that httpd is running as www and that I can change who httpd runs as; however, I don't understand how to do this.

Any suggestions?
I am new to Linux so please be gentle with me !!
 
Old 07-30-2009, 12:10 PM   #7
geek745
Member
 
Registered: Jul 2004
Location: Boston, MA
Distribution: Slackware; Ubuntu; Slax
Posts: 172
Blog Entries: 2

Rep: Reputation: 33
Quote:
I am new to Linux so please be gentle with me !!
No problem! Good work so far.

It is unclear so far how much you know about the SSH protocol and the public/private key authentication protocol, and on top of that, how to configure openssh to enable a client to connect to a particular host. Assuming you know how to do this, all you need to do is enable a password-less ssh connection from user www on the client machine to access the ssh server. I would recommend generating a new key, setting it to the www user's private key for this; then you would place the corresponding public key in the authorized_keys of the server so that www (the web/php server) can connect.

For the client system, when ssh is called by php as user www, it will check ~/.ssh, looking for the client configuration (ssh_config), and based on that and the server defaults (possibly in etc/ssh or /usr/etc), look for the private key to use for authentication. You will have to get all of this in order, which includes finding out which directory ~www points to - you can try to do
Code:
sudo sh -c 'cd ~www && pwd'
and see what directory you change to, or you can grep /etc/passwd for www and see what the home directory is listed as there (both methods should get you to the same spot in your filesystem, possibly /var/www, /srv/www, or something similar). I do not know if ssh requires the user's account to be login-able, which I mentioned before... you may have to alter that setting and set a password for www for outbound ssh to work.

So, assuming you get all these files lined up, www should behave just like your user account and connect to the ssh server just fine.

I would like to point out some security risks, however.
  1. passwordless (no passphrase) ssh keys can be a vulnerability when the world at large has access to that user account - no further checks are necessary for a hijacked php script to perform any operation that www can usually do
  2. allowing logins to 'www' could also grant access to that account, and through that account, the server you have allowed it access to

So you will need to come up with some safeguards to protect this setup.

Good luck!
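
The key layout described in posts #5 and #7, and one safeguard for the risks listed in #7, as an added example that is not from any poster in this thread: audit_ssh_client checks the private key ssh would use when run by the web server user, and restrict_key builds a locked-down authorized_keys entry for the server. It assumes OpenSSH on both machines and the default key name id_rsa; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes OpenSSH on both machines.

# Print USER's home directory from a passwd-format file (default /etc/passwd).
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6; ok = 1 } END { exit !ok }' \
        "${2:-/etc/passwd}"
}

# Check the private key ssh will pick up when USER (e.g. www) runs it.
# Prints findings; returns 0 only if nothing blocks key authentication.
# audit_ssh_client USER [PASSWD_FILE] [KEY_NAME]
audit_ssh_client() {
    user=$1 passwd=${2:-/etc/passwd} key=${3:-id_rsa} bad=0
    home=$(home_of "$user" "$passwd") ||
        { echo "FAIL no passwd entry for $user"; return 1; }
    keyfile=$home/.ssh/$key
    echo "INFO $user home is $home"
    [ -f "$keyfile" ] || { echo "FAIL no private key at $keyfile"; return 1; }
    owner=$(ls -ld "$keyfile" | awk '{ print $3 }')
    others=$(ls -ld "$keyfile" | cut -c5-10)   # group and other permission bits
    [ "$owner" = "$user" ] ||
        { echo "FAIL $keyfile is owned by $owner, not $user"; bad=1; }
    # ssh refuses a private key that group or others can access
    [ "$others" = "------" ] ||
        { echo "FAIL $keyfile is open to group/others: chmod 600"; bad=1; }
    # without a terminal ssh cannot ask whether to trust a new host key
    [ -s "$home/.ssh/known_hosts" ] ||
        echo "WARN $home/.ssh/known_hosts is missing or empty"
    return "$bad"
}

# Build an authorized_keys line for the server that limits this key to one
# source address and one fixed command, with no pty or forwarding.
# restrict_key PUBKEY_FILE SOURCE_IP 'FORCED COMMAND'
restrict_key() {
    read -r type blob rest < "$1" || [ -n "$blob" ]
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,' "$2" "$3"
    printf 'no-agent-forwarding,no-X11-forwarding %s %s\n' "$type" "$blob"
}
```

Run audit_ssh_client www as root on the Linux server. With a forced command in the authorized_keys entry, the server runs only that command, whatever the PHP script sends.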
 
  

