Not able to run remote script from perl CGI script


I have created a program using Perl CGI where I am calling my server script, which is at a remote location. For that I have used OpenSSH. When I run this script from my terminal it works fine, and my remote machine script also runs properly. But when I do this from the browser it doesn't work.
I have used the script below.

#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use Net::OpenSSH;

our $cgi = CGI->new;

my %opts = (
    user        => "UNAME",
    #password    => "MYPASSWORD",
    strict_mode => 0,    # disables the check that the control-socket path is secure
);
# The private key is handed to ssh with -i; async => 1 returns before the connection is up
my $ssh = Net::OpenSSH->new("MY SERVER_IP", %opts, master_opts => [-i => "MY KEY FILE"], async => 1);
# Run the remote script; system() returns true on success
$ssh->system("/root/test.sh") or
    die "remote command failed: " . $ssh->error;

Below are the logs from apache error logs

[Fri Jun 27 12:11:57 2014] [error] [client localhost] Permission denied (publickey,gssapi-keyex,gssapi-with-mic).r, referer: http://X.X.X.X/cgi-bin1/test.cgi

CGI scripts are usually run as the same user as the web server is run under – often the username wwwdata, or www. Since your key file is restricted to your own username, huzefa, the webserver cannot access it.

If you were to allow the webserver user to use your own ssh key, then it would be possible for someone who found a security hole in your webserver to use your key and then log in to any server that you have access to with that key. You probably don’t want this.

There are a few ways to get around this without opening a huge security hole. The easiest is to simply set up a separate ssh key for this particular use:

  1. Generate a new ssh key and place it in a directory that the web server user can access
  2. Copy the public part of the key to the authorized_keys file on the server.
  3. Edit the authorized_keys file so that the public key used by the web server can only be used to run that one script. For extra security, limit it to only allow connections from the IP address of your server. It should look something like this:
from="10.1.2.3",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/root/test.sh" ssh-dss AA.....
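
The three steps above in shell, as an added example that is not part of the original answer. The key directory, the web server user name, the key comment `cgi-test-sh`, the function names and the sample public key are assumptions, and it generates an Ed25519 key rather than the `ssh-dss` type shown in the answer's line.

```shell
#!/bin/sh
# Added example; paths, user name and sample key are assumptions.

# Step 1: dedicated key pair in a directory only the web server user can read.
# Run as root, e.g.: gen_cgi_key /var/lib/cgi-ssh www-data
gen_cgi_key() {
    key_dir=$1 web_user=$2
    install -d -m 700 -o "$web_user" "$key_dir" &&
    ssh-keygen -q -t ed25519 -N '' -C 'cgi-test-sh' -f "$key_dir/id_cgi" &&
    chown "$web_user" "$key_dir/id_cgi" "$key_dir/id_cgi.pub"
}

# Steps 2-3: turn the public key into a restricted authorized_keys line.
# Append the output to ~/.ssh/authorized_keys of the remote account.
restricted_entry() {
    from_ip=$1 cmd=$2 pubkey=$3
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="%s" %s\n' \
        "$from_ip" "$cmd" "$pubkey"
}

# Audit one authorized_keys line: succeed only if every restriction from
# step 3 is present. Assumes an ssh-* key type (ssh-ed25519, ssh-rsa, ...).
audit_entry() {
    line=$1
    case $line in
        ssh-*) echo "no options: key is unrestricted" >&2; return 1 ;;
    esac
    opts=${line%% ssh-*}    # options field: text before the key type
    for opt in 'from="' 'command="' no-pty no-port-forwarding \
               no-agent-forwarding no-X11-forwarding; do
        case $opts in
            *"$opt"*) ;;
            *) echo "missing option: $opt" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample public key (not a real key) to show the resulting line.
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey cgi-test-sh'
restricted_entry 10.1.2.3 /root/test.sh "$SAMPLE_PUB"
```

In the CGI script, the `-i` value in `master_opts` would then point at the new private key (`id_cgi` here) instead of the personal key.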

The web server process is owned by the apache user, not root.

  1. Make sure that the apache user has passwordless access to the other server

  2. SELinux should be disabled

Refer: http://wccandlinux.blogspot.in/2016/07/how-to-run-ssh-command-from-apache.html
