Remote ssh to another server as www-data

KenHorse · 04-15-2022, 07:25 PM

I have a bash script that is called from a PHP generated webpage that needs to call the program "sensors" on another server. The obvious problem I'm facing is how to ssh to the remote server as user www-data in order to do a passwordless command.

I know all about ssh-keygen and ssh-copy-id but as www-data isn't a real user, what are my options?

suramya · 04-15-2022, 07:35 PM

You can create a new user on the remote server with passwordless login, configure it so that you can run 'sensors' and then use that in your script.

KenHorse · 04-15-2022, 07:53 PM

But since the webserver runs as user www-data and that user is a no login user, how does that work?

Turbocapitalist · 04-16-2022, 02:28 AM

It would be done with a specially crafted line in /etc/sudoers and maybe a shell script server side.

Edit: See the presentation "sudo: You're Doing It Wrong" for an in-depth explanation of how sudo works.

Edit 2: I got the direction wrong. You can go from www-data on the web server to another account on another machine just by specifying the remote account.

ondoho · 04-16-2022, 03:28 AM

Quote:

Originally Posted by KenHorse

But since the webserver runs as user www-data and that user is a no login user, how does that work?

That's irrelevant (though I will add that what you are attempting there is potentially dangerous).
You should get generally more aquainted with ssh before doing this sort of stuff.

You can configure the user you login as both on the command line and in ssh's config file.

There's no need to login as www-data.

Suggested reading:

Code:

man ssh_config
man ssh

michaelk · 04-16-2022, 08:04 AM

The client user that connects to the server does not to be the same user on the server itself.

You can create a key for www-data as long as it has the proper permissions for both the files and the directory. Where it is located in the filesystem does not matter.

You can create a special user on the server to run just the sensors command by adding it to the authorized_keys file or limit the user to a ssh chroot jail.

I've never tried using ssh from php.
https://www.php.net/manual/en/function.ssh2-connect.php

KenHorse · 04-16-2022, 03:41 PM

As this is a private network with no internet access, I opted to go with the PHP libssh2 library. Let's me ssh to the other server as root (even if called by www-data) so problem solved.

Thanks for the responses

suramya · 04-17-2022, 08:20 AM

Allowing connections to SSH over root is a bad idea especially when the connection can be initiated from a web server. If your web server get breached they also get root access to your second server.

You are ignoring the possibility of insider threats, so even though the server is not connected to the internet you should secure it.

ondoho · 04-18-2022, 01:03 AM

Quote:

Originally Posted by KenHorse

As this is a private network with no internet access, I opted to go with the PHP libssh2 library. Let's me ssh to the other server as root (even if called by www-data) so problem solved.

Well, I still think that allowing root ssh login is always a bad idea...
Anyhow, I still don't see the need. Please look again at my previous post #5, I added some emphasis. Or post #4.

lleb · 05-02-2022, 11:42 AM

Quote:

Originally Posted by KenHorse

As this is a private network with no internet access, I opted to go with the PHP libssh2 library. Let's me ssh to the other server as root (even if called by www-data) so problem solved.

Thanks for the responses

sensors does not require root level access to run. no reason to give root access to that ssh connection if you are only needing data from sensors