SSH-key for apache user?

GaijinPunch · 06-14-2005, 01:07 AM

Okay, this may seem rather ghetto, but I need the apache user to be able to ssh to another machine to peak around. You can't just su to this user and make the keys, so I'm kind of screwed. I've tried configuring my remote machines to allow rhosts authentication...which doesn't seem to work in this case, most likely b/c apache isnt' a real user.

Any clues?

GaijinPunch · 06-14-2005, 04:19 PM

NOBODY knows anything about this?

afrorobot · 02-04-2009, 01:48 PM

I know this thread is old... but...

I figured out a workaround for this (for all you kids googling this issue out there) but I doubt it is secure, but I am running it for testing scripts from PHP in a virtual environment so that doesn't matter to me.

Since the APACHE user's home is "/var/www" and ssh-keygen requires access to /var/www/.ssh but cannot create it because there is no shell you can do the following.

Code:

mkdir /var/www/.ssh
chown -R apache:nobody /var/www/.ssh
sudo -u apache ssh-keygen -t rsa

For ssh-keygen just press enter if you want to test otherwise fill in some values to secure your stuff!

Code:

sudo -u apache ssh-copy-id -i /var/www/.ssh/whatever.pub root@host

And you are done!

WarrenTR · 10-16-2009, 02:28 PM

afrorobot,
Thanks for this solution. It seems to work just fine, but when I try to use rsync to another machine, I get these errors:

rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(600) [sender=3.0.5]

Comfortably Paranoid · 02-02-2011, 04:48 AM

If you want to use this with keychain, then there is a bit more work to do. Use keychain since the apache user cannot enter a password.

Code:

mkdir /var/www/.keychain
chown apache:nobody /var/www/.keychain
chmod 700 /var/www/.keychain

(note chmod 600 does not work!)

You need to add a known_hosts file to /var/www/.ssh/, I copied one from my user account on the same machine and changed the ownership. In general, make sure you are following the ownership/permissions that are required by ssh.

Call keychain before making your scp/rsync command. The following is all one line, called by the PHP shell function:

Code:

/usr/bin/keychain --dir /var/www/.keychain /var/www/.ssh/id_rsa ; 
source /var/www/.keychain/LOCALHOSTNAME-sh ; 
scp YOURFILE USERNAME@REMOTEHOST:~/

I hard coded the local hostname rather than trying to figure out if the env variables were set up properly.

I found the following page Debugging SSH public key authentication problems useful. I used scp -vvv -B during debugging.

Note that I'm on Fedora, and I have no idea about the security of doing things like this.