LinuxQuestions.org


KenHorse 04-15-2022 07:25 PM

Remote ssh to another server as www-data
 
I have a bash script that is called from a PHP generated webpage that needs to call the program "sensors" on another server. The obvious problem I'm facing is how to ssh to the remote server as user www-data in order to do a passwordless command.

I know all about ssh-keygen and ssh-copy-id but as www-data isn't a real user, what are my options?

suramya 04-15-2022 07:35 PM

You can create a new user on the remote server with passwordless login, configure it so that you can run 'sensors' and then use that in your script.

KenHorse 04-15-2022 07:53 PM

But since the webserver runs as user www-data and that user is a no login user, how does that work?

Turbocapitalist 04-16-2022 02:28 AM

It would be done with a specially crafted line in /etc/sudoers and maybe a shell script server side.

Edit: See the presentation "sudo: You're Doing It Wrong" for an in-depth explanation of how sudo works.

Edit 2: I got the direction wrong. You can go from www-data on the web server to another account on another machine just by specifying the remote account.

ondoho 04-16-2022 03:28 AM

Quote:

Originally Posted by KenHorse (Post 6346435)
But since the webserver runs as user www-data and that user is a no login user, how does that work?

That's irrelevant (though I will add that what you are attempting there is potentially dangerous).
You should get generally more acquainted with ssh before doing this sort of stuff.

You can configure the user you login as both on the command line and in ssh's config file.

There's no need to login as www-data.

Suggested reading:
Code:

man ssh_config
man ssh


michaelk 04-16-2022 08:04 AM

The client user that connects to the server does not need to be the same user on the server itself.

You can create a key for www-data as long as it has the proper permissions for both the files and the directory. Where it is located in the filesystem does not matter.

You can create a special user on the server to run just the sensors command by adding it to the authorized_keys file or limit the user to a ssh chroot jail.

I've never tried using ssh from php.
https://www.php.net/manual/en/function.ssh2-connect.php
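
The setup described in the post above (a key owned by www-data, and a dedicated remote account whose authorized_keys entry can only run sensors), as an added example that is not part of the original thread. The account name `sensorsro`, the host `sensorhost`, the key directory `/var/lib/www-ssh` and the path `/usr/bin/sensors` are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names (not from the thread): remote account
# "sensorsro", host "sensorhost", key directory /var/lib/www-ssh.
KEYDIR=/var/lib/www-ssh

# One-time setup on the web server: a key pair owned by www-data,
# in a directory only www-data can read.
setup_key() {
    sudo install -d -m 700 -o www-data -g www-data "$KEYDIR"
    sudo -u www-data ssh-keygen -q -t ed25519 -N '' -f "$KEYDIR/id_ed25519"
}

# authorized_keys line for the remote account. "restrict" turns off
# forwarding, PTY allocation and ~/.ssh/rc; command= runs sensors
# (assumed at /usr/bin/sensors) whatever the client asks for.
restricted_entry() {
    printf 'restrict,command="/usr/bin/sensors" %s\n' "$1"
}

# What the web script runs as www-data. BatchMode fails instead of prompting.
fetch_sensors() {
    ssh -i "$KEYDIR/id_ed25519" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o UserKnownHostsFile="$KEYDIR/known_hosts" sensorsro@sensorhost
}

# Audit an authorized_keys file: report every key line that is not locked
# down with both restrict and a forced command. Returns 1 if any is found.
audit_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
        {
            # Options are whatever precedes the key-type token.
            opts = $0
            sub(/[ \t]*(ssh-|ecdsa-|sk-)[^ \t]+[ \t].*$/, "", opts)
            if (opts !~ /(^|,)restrict(,|$)/ || opts !~ /(^|,)command="/) {
                printf "line %d: key not locked to a forced command\n", NR
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}
```

Append the output of `restricted_entry "$(cat "$KEYDIR/id_ed25519.pub")"` to `~sensorsro/.ssh/authorized_keys` on the remote host; `audit_authorized_keys` can then be run against that file to confirm no unrestricted key remains.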

KenHorse 04-16-2022 03:41 PM

As this is a private network with no internet access, I opted to go with the PHP libssh2 library. Lets me ssh to the other server as root (even if called by www-data) so problem solved.

Thanks for the responses

suramya 04-17-2022 08:20 AM

Allowing connections to SSH over root is a bad idea, especially when the connection can be initiated from a web server. If your web server gets breached they also get root access to your second server.

You are ignoring the possibility of insider threats, so even though the server is not connected to the internet you should secure it.

ondoho 04-18-2022 01:03 AM

Quote:

Originally Posted by KenHorse (Post 6346567)
As this is a private network with no internet access, I opted to go with the PHP libssh2 library. Lets me ssh to the other server as root (even if called by www-data) so problem solved.

Well, I still think that allowing root ssh login is always a bad idea...
Anyhow, I still don't see the need. Please look again at my previous post #5, I added some emphasis. Or post #4.

lleb 05-02-2022 11:42 AM

Quote:

Originally Posted by KenHorse (Post 6346567)
As this is a private network with no internet access, I opted to go with the PHP libssh2 library. Lets me ssh to the other server as root (even if called by www-data) so problem solved.

Thanks for the responses

sensors does not require root level access to run. No reason to give root access to that ssh connection if you are only needing data from sensors.


All times are GMT -5.