I want to run a Perl CGI script (a_web_page.cgi) from my dev box .1.20 that runs a bash script from the same folder (host_script.sh).
This script then runs an SSH command to another server 1.10 that runs a script that simply returns a string.
Running the script manually (./host_script.sh) works as long as I make myself the owner of the keys. (The keys are stored in the same folder as the scripts, for testing.)
By default the owner of the keys is apache.
The thing is, even with apache owning these keys, it still doesn't work. I've explained below.
These commands are being run from a VM on 192.168.1.20 (dev box). I got onto this VM via ssh from my local box on 192.168.1.50.
192.168.1.10: Target machine with script1.sh. This script returns a string.
192.168.1.20: Server that runs apache web server and has a_web_page.cgi and host_script.sh. (I am running these commands on this box.)
192.168.1.50: My local machine, shouldn't really factor in, but put it here just in case it helps.
From 192.168.1.20:
ls -a -l
-rwxrwxrwx. 1 me apache 622 Apr 12 09:19 a_web_page.cgi
-rwxrwxrwx. 1 me apache 111 Apr 11 15:14 host_script.sh
-rwx------. 1 apache apache 1675 Apr 11 15:11 test
-rwx------. 1 apache apache 392 Apr 11 15:11 test.pub
vim host_script.sh
#!/bin/bash
ssh -i /var/www/html/dev/remote_script/test [email protected] "/home/user/scripts/script1.sh"
a_web_page.cgi
#!/usr/bin/perl
use strict;
use warnings;
print "Content-type: text/html\n\n";
my $executeString = './host_script.sh';
my $output = `$executeString`;
print "<br />$executeString<br />: $output<br />";
Output (http://192.168.1.20/dev/remote_script/a_web_page.cgi):
./host_script.sh
:
sudo tail -f /var/log/httpd/error_log
[Tue Apr 12 10:05:22 2016] [error] [client 192.168.1.50] ssh: connect to host 192.168.1.10 port 22: Permission denied\r
(I am confused why the client IP is my local box and not the dev box)
ifconfig
inet addr:192.168.1.20
(If I run ifconfig on my local box by exiting my SSH session, I will get 192.168.1.50.)
At this stage I can see that the SSH to 192.168.1.10 is failing, so let's give me permissions to run the host_script.sh directly and run it.
sudo chown me test
This works.
./host_script.sh
This is a script on the 192.168.1.10 server!
(This string is returned from script1.sh on 1.10, it's just an echo statement)
So running the script as myself works fine, as long as I have permissions to read the keys.
-rwx------. 1 me apache 1675 Apr 11 15:11 test
-rwx------. 1 me apache 392 Apr 11 15:11 test.pub
-vvv to ssh should give you more details about the failure.
/usr/sbin/getsebool -a | grep httpd or /usr/sbin/getsebool -a | grep httpd. Am I looking in the right place?
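
Added example, not part of the original question or its comments: a small shell triage that separates a connect-stage "Permission denied" (the form in the error_log entry above, where no key was ever offered) from key-file and authentication failures, and names the check to run next. The message patterns assume typical OpenSSH client wording, the sample lines are constructed, and classify_ssh_error and next_check are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original post): sort an ssh client error line
# into the stage that failed, so the right thing gets checked next.
# Patterns assume typical OpenSSH client wording.

classify_ssh_error() {
    case "$1" in
        # connect() itself failed with EACCES: local policy stopped the socket
        # before any key was offered, so no authentication took place.
        *"ssh: connect to host "*": Permission denied"*) echo connect-denied ;;
        # The calling user cannot open the identity file at all.
        *"Identity file "*" not accessible"*|*"Load key "*": Permission denied"*)
            echo key-unreadable ;;
        # ssh refuses a private key that group/other can read.
        *"UNPROTECTED PRIVATE KEY FILE"*|*"are too open"*) echo key-too-open ;;
        # The calling user has no usable known_hosts entry for the target.
        *"Host key verification failed"*) echo hostkey-unverified ;;
        # TCP and key exchange worked; the server rejected the credentials.
        *"Permission denied ("*")"*) echo auth-denied ;;
        *) echo unknown ;;
    esac
}

# Map each class to the defender-side check to run next (<keyfile> is a placeholder).
next_check() {
    case "$1" in
        connect-denied) echo "getsebool httpd_can_network_connect; ausearch -m avc -ts recent" ;;
        key-unreadable) echo "ls -lZ <keyfile>; confirm the web server user can read it" ;;
        key-too-open)   echo "chmod 600 <keyfile>" ;;
        hostkey-unverified) echo "check known_hosts for the web server user" ;;
        auth-denied)    echo "check authorized_keys on the target; rerun ssh with -vvv" ;;
        *)              echo "rerun ssh with -vvv" ;;
    esac
}

# Constructed sample lines; the first mirrors the error_log entry in the question.
while IFS= read -r line; do
    class=$(classify_ssh_error "$line")
    printf '%-20s %s\n' "$class" "$(next_check "$class")"
done <<'EOF'
ssh: connect to host 192.168.1.10 port 22: Permission denied
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Permissions 0644 for '/path/to/key' are too open.
Host key verification failed.
EOF
```

For a CGI caller, feed it the ssh lines from the web server's error_log rather than from an interactive run, since the two run as different users and under different policy.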