Remote ssh to another server as www-data
I have a bash script that is called from a PHP generated webpage that needs to call the program "sensors" on another server. The obvious problem I'm facing is how to ssh to the remote server as user www-data in order to do a passwordless command.
I know all about ssh-keygen and ssh-copy-id but as www-data isn't a real user, what are my options? |
You can create a new user on the remote server with passwordless login, configure it so that you can run 'sensors' and then use that in your script.
|
But since the webserver runs as user www-data and that user is a no login user, how does that work?
|
It would be done with a specially crafted line in /etc/sudoers and maybe a shell script server side.
Edit: See the presentation "sudo: You're Doing It Wrong" for an in-depth explanation of how sudo works. Edit 2: I got the direction wrong. You can go from www-data on the web server to another account on another machine just by specifying the remote account. |
You should get generally more acquainted with ssh before doing this sort of stuff. You can configure the user you login as both on the command line and in ssh's config file. There's no need to login as www-data. Suggested reading:
man ssh_config |
The client user that connects to the server does not need to be the same user on the server itself.
You can create a key for www-data as long as it has the proper permissions for both the files and the directory. Where it is located in the filesystem does not matter. You can create a special user on the server to run just the sensors command by adding it to the authorized_keys file or limit the user to an ssh chroot jail. I've never tried using ssh from php. https://www.php.net/manual/en/function.ssh2-connect.php |
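A concrete version of the restricted-key approach described above, as an added example that is not from any poster in this thread: the dedicated remote account name (sensorsro), the key path under /var/www/.ssh, the host address and the sensors binary path are assumptions. The authorized_keys entry forces the command, so a leaked www-data key yields only sensors output rather than a shell.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: remote account "sensorsro",
# www-data's key at /var/www/.ssh/id_ed25519, sensors at /usr/bin/sensors.

# Build a restricted authorized_keys line for the remote account.
# "command=" forces the program regardless of what the client asks for;
# "restrict" (OpenSSH 7.2+) disables port/agent/X11 forwarding and pty
# allocation, so the key is good for exactly one thing: running sensors.
restricted_key_line() {
    pubkey="$1"   # one line from www-data's id_ed25519.pub
    printf 'command="/usr/bin/sensors",restrict %s\n' "$pubkey"
}

# Append that line to the dedicated account's authorized_keys, with the
# modes sshd insists on (StrictModes rejects group/world-writable paths).
install_restricted_key() {
    home="$1"
    pubkey="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    restricted_key_line "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# ssh_config stanza for www-data on the web host, so the script only needs
# "ssh sensorhost". BatchMode makes a missing/rejected key fail at once
# instead of hanging the PHP request on a password prompt.
client_config() {
    cat <<'EOF'
Host sensorhost
    HostName 10.0.0.2
    User sensorsro
    IdentityFile /var/www/.ssh/id_ed25519
    IdentitiesOnly yes
    BatchMode yes
    StrictHostKeyChecking yes
EOF
}

# Typical use on the web host (run once as www-data, e.g. sudo -u www-data):
#   ssh-keygen -t ed25519 -N '' -f /var/www/.ssh/id_ed25519
#   client_config > /var/www/.ssh/config
# and on the sensors host, for the dedicated account's home directory:
#   install_restricted_key /home/sensorsro "$(cat id_ed25519.pub)"
```

Because of the forced command, `ssh sensorhost` and `ssh sensorhost anything` both run sensors; sshd exposes the client's requested text only in SSH_ORIGINAL_COMMAND, which the forced program is free to ignore.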
As this is a private network with no internet access, I opted to go with the PHP libssh2 library. Lets me ssh to the other server as root (even if called by www-data) so problem solved.
Thanks for the responses |
Allowing connections to SSH over root is a bad idea especially when the connection can be initiated from a web server. If your web server gets breached they also get root access to your second server.
You are ignoring the possibility of insider threats, so even though the server is not connected to the internet you should secure it. |
Anyhow, I still don't see the need. Please look again at my previous post #5, I added some emphasis. Or post #4. |