I have a bash script that is called from a PHP generated webpage that needs to call the program "sensors" on another server. The obvious problem I'm facing is how to ssh to the remote server as user www-data in order to do a passwordless command.
I know all about ssh-keygen and ssh-copy-id but as www-data isn't a real user, what are my options?
It would be done with a specially crafted line in /etc/sudoers and maybe a shell script server side.
Edit: See the presentation "sudo: You're Doing It Wrong" for an in-depth explanation of how sudo works.
Edit 2: I got the direction wrong. You can go from www-data on the web server to another account on another machine just by specifying the remote account.
Last edited by Turbocapitalist; 04-16-2022 at 09:13 AM.
But since the webserver runs as user www-data and that user is a no login user, how does that work?
That's irrelevant (though I will add that what you are attempting there is potentially dangerous).
You should get generally more acquainted with ssh before doing this sort of stuff.
You can configure the user you log in as both on the command line and in ssh's config file.
The client user that connects to the server does not need to be the same user on the server itself.
You can create a key for www-data as long as it has the proper permissions for both the files and the directory. Where it is located in the filesystem does not matter.
You can create a special user on the server to run just the sensors command by adding it to the authorized_keys file or limit the user to an ssh chroot jail.
As this is a private network with no internet access, I opted to go with the PHP libssh2 library. Lets me ssh to the other server as root (even if called by www-data) so problem solved.
Allowing connections to SSH over root is a bad idea, especially when the connection can be initiated from a web server. If your web server gets breached they also get root access to your second server.
You are ignoring the possibility of insider threats, so even though the server is not connected to the internet you should secure it.
As this is a private network with no internet access, I opted to go with the PHP libssh2 library. Lets me ssh to the other server as root (even if called by www-data) so problem solved.
Well, I still think that allowing root ssh login is always a bad idea...
Anyhow, I still don't see the need. Please look again at my previous post #5, I added some emphasis. Or post #4.
As this is a private network with no internet access, I opted to go with the PHP libssh2 library. Lets me ssh to the other server as root (even if called by www-data) so problem solved.
Thanks for the responses
sensors does not require root-level access to run. No reason to give root access to that ssh connection if you are only needing data from sensors.
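The restricted-key setup the replies point to (a dedicated key for www-data, an unprivileged remote account, and an authorized_keys entry that can only run sensors), as an added example that is not part of any post in this thread. The account name sensorsread, the wrapper path /usr/local/bin/sensors-gate, the key path /etc/sensors-ssh/id_ed25519 and the /usr/bin/sensors location are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Hypothetical names: account "sensorsread",
# wrapper /usr/local/bin/sensors-gate, key /etc/sensors-ssh/id_ed25519.
#
# Web server, once, as root (the key can live anywhere www-data can read it):
#   install -d -o www-data -g www-data -m 700 /etc/sensors-ssh
#   sudo -u www-data ssh-keygen -t ed25519 -N '' -f /etc/sensors-ssh/id_ed25519
# The script called from PHP then runs:
#   ssh -i /etc/sensors-ssh/id_ed25519 -o IdentitiesOnly=yes -o BatchMode=yes \
#       sensorsread@REMOTE_HOST sensors

# Build the line for ~sensorsread/.ssh/authorized_keys on the remote server.
# "restrict" disables forwarding, PTY allocation and rc files; command= forces
# the wrapper to run whatever the client asks for.
authorized_keys_entry() {   # $1 = public key line, $2 = wrapper command
    case $1 in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key line" >&2; return 1 ;;
    esac
    case $2 in
        /*) ;;
        *) echo "wrapper must be an absolute path" >&2; return 1 ;;
    esac
    printf 'command="%s",restrict %s\n' "$2" "$1"
}

# Decide what the forced command does with the client's request, which sshd
# passes in SSH_ORIGINAL_COMMAND. Only a bare "sensors" is accepted.
gate_decision() {
    case ${1:-} in
        sensors) echo allow ;;
        *)       echo deny ;;
    esac
}

# Wrapper mode: install this file as /usr/local/bin/sensors-gate and use
# command="/usr/local/bin/sensors-gate --gate" in authorized_keys.
if [ "${1:-}" = "--gate" ]; then
    if [ "$(gate_decision "${SSH_ORIGINAL_COMMAND:-}")" = allow ]; then
        exec /usr/bin/sensors   # assumed install path of lm-sensors' binary
    fi
    logger -t sensors-gate "rejected: ${SSH_ORIGINAL_COMMAND:-<none>}"
    exit 1
fi
```

With this in place a compromise of the web server yields only the output of sensors on the second machine, not a shell and not root.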