Solved

Problems opening SSH connection via script

Posted on 2005-03-28
Last Modified: 2010-04-11
Hi all;

I'm doing a bit of work for a fulfillment company (they charge, pack and ship orders for direct response clients - like the stuff people order from infomercials).  We need to get orders from some of our clients' web sites (where their customers are ordering via an online form) onto our local server here in the office to charge credit cards, process orders, etc...

This needs to be done securely, as there is personal and credit card info involved, but for 3 out of the 4 pages, there is no shell access.  Now, the issues I'm having are as follows:

Issue 1.  On the 1 site that *does* have shell access, I could log in from the command line with a password - no prob.  Once I switched to a key-based login, however, it connects, authenticates the key, then disconnects immediately.  An output example is (ip and login blanked out):

"debug1: Offering public key: /home/xxxxxxxx/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434 lastkey 0x8966940 hint 2
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: channel 0: request pty-req
debug1: channel 0: request shell
debug1: channel 0: open confirm rwindow 0 rmax 32768
Last login: Mon Mar 28 09:57:31 2005 from ns10.worldics.com
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd close
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
Connection to xxx.xxx.xxx.xxx closed."

Adding more v's doesn't seem to show anything more useful.

Issue 2.  When I try to invoke this same command on the same server, but from a PHP script (using passthru), it does not find the keys or the known hosts file.  I'm fairly sure that's because they are in /home/mylogin/.ssh, whereas when the script is running, it's looking for them in /.ssh (the home directory of the nobody apache user).  The ISP does not seem to have suexec installed in Apache.

Issue 3.  Trying to do this without any shell access.  :-(  I generated the keys on the one with shell and moved them over (insecure, I know, but what else can I do?  I can't run ssh-keygen).  Then I call the SSH command from PHP.  In this case, it *does* find the files using the full home path of the user, but it says:

"debug1: Trying private key: /mmm1906/web/xxxxxxxx/.ssh/id_dsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type
debug2: no passphrase given, try next key"

Of course, I can't type in a passphrase.  And they don't seem to have ssh-agent installed.
--------------
I've looked at other solutions than SSH tunneling, but nothing seems to be a very good way to do it.  The only other possibility seems to be to encrypt the data on the web server using a php function, send it plaintext, then decrypt it on the other end and shove it in our database.  This, however, would appear to suck.   Something like stunnel isn't an option, since it seems to involve having the ability to install on both ends.  All the web servers in question are Fedora or BSD, and the local database server is Windows Server 2003 running OpenSSH.  Does anyone have any ideas as to what I can do?
Question by:teleute
20 Comments
 
LVL 1

Author Comment

by:teleute
ID: 13644926
BTW, sorry I can't offer more points - I left my credit card at home and can't remember the stupid CVV code.  I'll try to increase it later if I can...
 
LVL 1

Author Comment

by:teleute
ID: 13647764
K...points upped to maximum.  If ever a question deserved it...;-)
 
LVL 13

Expert Comment

by:gpriceee
ID: 13648174

 
LVL 1

Author Comment

by:teleute
ID: 13648346
That's pretty intense...I'll hack through it as soon as I can (unless you have any implementation tips?).  Just to let you know, I have seen your response, but it may take me a while to see if it works for me.  Thanks!  :-)
 
LVL 1

Author Comment

by:teleute
ID: 13649889
Hmmm...is this just the source?  Is it modified at all?

What are my options with this, do you think?  Modify how it reads the home directory and/or passphrase?  Can I do that without any admin rights?
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13651569
> Issue 1:
this output is strange, are you using ssh from f-secure?
can you try again using ssh from openssh with -v for obvious reason :-)

> Issue 2:
first "s" in ssh stands for "secure", PHP has nothing to do with security, I highly recommend forgetting about using ssh from within PHP
That said, it's as you assumed: ssh searches in ~/.ssh and that directory and its files need to have special permissions for obvious reason (you remember the "s":)
So it will be very hard, I'd say impossible, to use another user's keys as user nobody. You at least need to create keys for user nobody.

> Issue 3:
did not understand what you want to achieve
Do you want to transfer the data given by web-page to your server somewhere else? Then I'd use some crypt function in your web-app (php or whatever) and use another GET request from there with the armored encrypted data as query-string
 
LVL 1

Author Comment

by:teleute
ID: 13652746
> > Issue 1:
> this output is strange, are you using ssh from f-secure?
> can you try again using ssh from openssh with -v for obvious reason :-)

This is Linux command line ssh with the -v switch.

> > Issue 2:
> first "s" in ssh stands for "secure", PHP has nothing to do with security, I highly recommend forgetting about using ssh from
> within PHP.  That said, it's as you assumed: ssh searches in ~/.ssh and that directory and its files need to have special
> permissions for obvious reason (you remember the "s":)  So it will be very hard, I'd say impossible, to use another user's
> keys as user nobody. You at least need to create keys for user nobody.

Well, I need to get the data automatically from the form to a local server at the time of the transaction.  What other way is there to do it than as part of the script that takes in the data?

Unfortunately, I can't create keys for nobody, since I'm unable to login to that account.  This is shared hosting, so I only have access to the login I've been given, not the apache user.

> > Issue 3:
> did not understand what you want to achieve
> Do you want to transfer the data given by web-page to your server somewhere else? Then I'd use some crypt function in
> your web-app (php or whatever) and use another GET request from there with the armored encrypted data as query-string

Yes, that's exactly what I want to achieve.  I thought about a method like this, but all the encrypting and decrypting seemed messier than an SSH tunnel.  Now I'm not so sure.  :-(  Do you have any more details on this method?  Thanks.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13655389
> This is shared hosting,
dooh, shared hosting, probably an Apache name-based virtual host, and PHP. And you care about your data security? That's the smallest problem you have in that environment!
And worse, if you get rid of PHP for your shared host, you're still vulnerable by all your neighbors.

> What other way is there to do it
see http:#13651569 Issue 3


The idea of an ssh tunnel is not bad, but the culprit is your weak security of the web server and the web application (PHP or whatever). Means that any vulnerability there compromises your ssh tunnel too.
If you want to do it with PHP, I'm out of ideas (not my favorite one), but there should be some encrypt and decrypt function, there are so many functions, can't imagine that they are missing ;-)

I'd recommend that you first get a reliable server, either a dedicated one, or at least an ip-based virtual host with its own process and user for *your* web server.
 
LVL 1

Author Comment

by:teleute
ID: 13655452
Unfortunately ditching the shared hosting is not an option.  This data is coming in from our clients and their web sites, and I have no control over their web service.  I've tried to recommend that they at least move to a virtual host, but they refuse.  They have a web guy on hand who tells them that security should be no problem where they're at, so they don't listen to me.  :-(  Of course, this guy built them a site that keeps all of their clients' credit card data in flat, unencrypted files on the server that people ftp around or email or login to over the web (http).  Bleah!

I really wish I could just tell them no, but my boss has not given me that as an option.  *sigh*
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13655538
LOL, the best you can hope for them is that their shared web server becomes a victim to something like the NoSanity worm, you remember last Christmas :-)

Anyway, don't understand your concern. If your web server receives data from another web server -- I assume over HTTP/HTTPS -- then it's your responsibility for that single server. Where is the problem then?
 
LVL 1

Author Comment

by:teleute
ID: 13655620
We don't have a web server (since our own site doesn't do much), we have a mySQL server.  That's where I want the data to go for processing.  If I can use SSL to go directly to the mySQL database, that'd be great, but I haven't figured out how to do that yet either.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13655968
as I read your previous comments, I'd not recommend to open your database to these web servers.
If you would do it anyway, give each "user", meaning web server, its own account. This account should only have INSERT privileges to your table, nothing else. Then I'd also use a special table to be accessed (with INSERT) by the web servers, then copy data from there to your productive table.
PHP has special functions for mysql access.

Don't know your network topology, but using SSL here seems to be overkill there, 'cause it only protects against man-in-the-middle attacks (except this connection is across public internet again).
 
LVL 1

Author Comment

by:teleute
ID: 13666813
Okay, so given that I don't have a choice and we *have* to do this...*sigh*

I think the plan of attack here is to:

Make a user account for each client
Restrict access to those users only from those IPs (at least they have dedicated IPs!)
Insert privileges only (which messes up the guy who wanted customers to be able to check their orders, but too damn bad)
**Still not clear on how the data gets to the mySQL server at this point**
Data (somehow) goes into staging table first, in case anything malicious was inserted
If okay, it goes into main database.

Is that right?  Anything I can do for more security?  And I'm still unclear on the best way for the data to get transferred.  I thought we were talking about encrypting it at the web server and then sending it plain text, but if that's the case then INSERT or other privileges wouldn't come into play, since they wouldn't be going straight to the database.  Or would they?  Are you saying the PHP database functions would encrypt the stuff and the database itself would decrypt directly on our end?

Thanks again.  :-)
 
LVL 1

Author Comment

by:teleute
ID: 13666825
BTW, I'm also a bit confused about the comment: "Don't know your network topology, but using SSL here seems to be overkill there, 'cause it only protects against man-in-the-middle attacks (except this connection is across public internet again)."  Which connection is this referring to?  The webserver to our office connection?  Or the staging database to real database connection?  In the second one, it's purely local, so yes SSL would be overkill.  But on the first one, protecting against man-in-the-middle is vital and really the entire point.  These are credit card numbers, after all...
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13668975
I still miss a good description of your topology :-(
As I understand it is as follows:
  1. user connects with client (browser) to a web server over Internet and submits numbers
  2. there're multiple such servers
  3. all servers from 2. are physically located at the same (your?) site
     or they are at least all in the same logical subnet, probably a DMZ
  4. you have a staging server at the same location as 3.
  5. you have a database server somewhere else, not reachable directly from Internet

Please confirm.
 
LVL 1

Author Comment

by:teleute
ID: 13669292
Nope, not it at all.  :-)

Some words as I will use them - "Clients" are the businesses we ship stuff for.  "Customers" are the people that buy stuff online from our clients.  That being said:

Customers place orders on the clients' web sites (using a web browser).  There are multiple clients (4), who are all having their sites hosted by crappy shared ISP hosting.  One of these 4 is a decent account with SSH access.  The others - no such luck.

These ISPs are located physically at various hosting companies in the US and Canada.

Internally, we only have 1 server (it's a very small company) with separate staging and production tables.  I am looking to get another server set up, but there's no equipment to spare for it really.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13669480
then you have to tell your clients to pass the data using HTTPS to your web server, you then can write your own application there to do with the data what you want

KISS - keep it simple stupid
 
LVL 1

Author Comment

by:teleute
ID: 13671548
But again, we don't have a web server.  Only one server, and it's the mySQL one.  I hate to open it up on another port...
 
LVL 51

Accepted Solution

by:
ahoffmann earned 1500 total points
ID: 13675457
setup an apache with a simple CGI to accept the requests and store the data in your SQL
that keeps things simple for your clients: they can use standard internet technology
and it keeps your database safe 'cause no connections from internet are required
and your firewall needs to open port 80/443 only
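The accepted answer (a small CGI behind HTTPS that writes into the database) combined with the plan sketched earlier in the thread (one account per client tied to its dedicated IP, INSERT only, into a staging table first), as an added example that is not from any poster here. Client names, addresses and form fields are constructed; SQLite in memory stands in for the MySQL server, and the MySQL-side per-client INSERT-only grants are assumed to be configured separately.

```python
import re
import sqlite3

# Constructed allow-list standing in for one MySQL account per client, each
# restricted to that client's dedicated IP (hypothetical names and addresses).
CLIENTS = {"clientA": "203.0.113.10", "clientB": "198.51.100.7"}
REQUIRED = ("client", "customer_name", "sku", "qty")


def open_staging_db():
    """SQLite in memory stands in for the MySQL server; the web-facing handler
    only ever sees the staging table, never the production one."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE staging_orders (client TEXT, customer_name TEXT,"
        " sku TEXT, qty INTEGER, source_ip TEXT)"
    )
    return db


def ingest(db, form, remote_addr):
    """CGI-style entry point: (form fields, REMOTE_ADDR) -> (status, message).

    Rejects requests not from a known client at its registered address,
    validates each field, and INSERTs with a parameterised query so that
    customer-supplied text can never alter the statement.
    """
    client = form.get("client", "")
    if CLIENTS.get(client) != remote_addr:
        return 403, "unknown client or unexpected source address"
    missing = [f for f in REQUIRED if not form.get(f)]
    if missing:
        return 400, "missing fields: " + ", ".join(missing)
    if not re.fullmatch(r"[A-Z0-9-]{1,32}", form["sku"]):
        return 400, "bad sku"
    if not form["qty"].isdigit() or int(form["qty"]) == 0:
        return 400, "bad qty"
    db.execute(
        "INSERT INTO staging_orders VALUES (?, ?, ?, ?, ?)",
        (client, form["customer_name"][:100], form["sku"], int(form["qty"]), remote_addr),
    )
    db.commit()
    return 202, "staged for review"


def staged_rows(db):
    """What the internal review step reads before copying rows to production."""
    return db.execute("SELECT client, customer_name, sku, qty FROM staging_orders").fetchall()
```

A request from a registered client at the wrong address is refused before any field is looked at, and a value shaped like an injection attempt is stored verbatim in staging rather than interpreted.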
 
LVL 1

Author Comment

by:teleute
ID: 13676127
Well, I guess I'll give it a try.  I was really hoping there was a way to tunnel directly in (to a staging database), since it seems like more steps to do it this way - but, oh well, my time's running out.  :-(   And I'll really push for another server, if humanly possible, since I really don't want to open up 80 on that machine....

Anyway, thanks for your time.  :-)
