Problems opening SSH connection via script
Posted on 2005-03-28
I'm doing a bit of work for a fulfillment company (they charge, pack and ship orders for direct response clients - like the stuff people order from infomercials). We need to get orders from some of our clients' web sites (where their customers are ordering via an online form) onto our local server here in the office to charge credit cards, process orders, etc...
This needs to be done securely, as there is personal and credit card info involved, but for 3 out of the 4 pages, there is no shell access. Now, the issues I'm having are as follows:
Issue 1. On the 1 site that *does* have shell access, I could login from the command line with a password - no prob. Once I switched to a key-based login, however, it connects, authenticates the key, then disconnects immediately. An output example is (ip and login blanked out):
"debug1: Offering public key: /home/xxxxxxxx/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434 lastkey 0x8966940 hint 2
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: channel 0: request pty-req
debug1: channel 0: request shell
debug1: channel 0: open confirm rwindow 0 rmax 32768
Last login: Mon Mar 28 09:57:31 2005 from ns10.worldics.com
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd close
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
Connection to xxx.xxx.xxx.xxx closed."
Adding more v's doesn't seem to show anything more useful.
Issue 2. When I try to invoke this same command on the same server, but from a PHP script (using passthru), it does not find the keys or the known hosts file. I'm fairly sure that's because they are in /home/mylogin/.ssh, whereas when the script is running, it's looking for them in /.ssh (the home directory of the nobody apache user). The ISP does not seem to have suexec installed in Apache.
Issue 3. Trying to do this without any shell access. :-( I generated the keys on the one with shell and moved them over (insecure, I know, but what else can I do? I can't run ssh-keygen). Then I call the SSH command from PHP. In this case, it *does* find the files using the full home path of the user, but it says:
"debug1: Trying private key: /mmm1906/web/xxxxxxxx/.ssh/id_dsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type
debug2: no passphrase given, try next key"
Of course, I can't type in a passphrase. And they don't seem to have ssh-agent installed.
I've looked at other solutions than SSH tunneling, but nothing seems to be a very good way to do it. The only other possibility seems to be to encrypt the data on the web server using a php function, send it plaintext, then decrypt it on the other end and shove it in our database. This, however, would appear to suck. Something like stunnel isn't an option, since it seems to involve having the ability to install on both ends. All the web servers in question are Fedora or BSD, and the local database server is Windows Server 2003 running OpenSSH. Does anyone have any ideas as to what I can do?
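Two things worth having on the client side for this setup, written as an added example for this post and not the poster's own code: an ssh invocation that names its key and known_hosts file explicitly and refuses to prompt (the wrong-HOME problem in issue 2), and a small triage of the two debug transcripts quoted above. The paths under /home/mylogin/.ssh and the user@host argument are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed paths and names:
# /home/mylogin/.ssh/{id_dsa,known_hosts} and the user@host argument are placeholders.

# Run ssh with every file given explicitly, so the result does not depend on the
# $HOME of whoever runs the script (the Apache "nobody" user looks in /.ssh).
# BatchMode=yes makes ssh fail at once instead of hanging on a passphrase or
# password prompt, and StrictHostKeyChecking=yes rejects an unknown host key
# rather than letting an unattended job trust it silently.
fetch_orders() {   # usage: fetch_orders user@host 'remote command'
    ssh -o BatchMode=yes -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile=/home/mylogin/.ssh/known_hosts \
        -i /home/mylogin/.ssh/id_dsa "$1" "$2"
}

# Triage an "ssh -v" transcript read from stdin and print one of:
#   encrypted-key      key is passphrase-protected and no agent/passphrase is available
#   closed-after-auth  authentication succeeded but the remote side ended the session at once
#   auth-failed        the server rejected every credential offered
#   unknown            none of the above patterns matched
classify_ssh_debug() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'PEM_read_PrivateKey failed' &&
       printf '%s\n' "$log" | grep -q 'no passphrase given'; then
        echo encrypted-key
    elif printf '%s\n' "$log" | grep -q 'Authentication succeeded' &&
         printf '%s\n' "$log" | grep -q 'rtype exit-status'; then
        echo closed-after-auth
    elif printf '%s\n' "$log" | grep -q 'Permission denied'; then
        echo auth-failed
    else
        echo unknown
    fi
}

# Constructed sample transcripts, trimmed from the two outputs in the post.
LOG_ISSUE1='debug1: Authentication succeeded (publickey).
debug1: channel 0: request shell
debug1: channel 0: rcvd eof
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Connection to xxx.xxx.xxx.xxx closed.'
LOG_ISSUE3='debug1: Trying private key: /mmm1906/web/xxxxxxxx/.ssh/id_dsa
debug1: PEM_read_PrivateKey failed
debug2: no passphrase given, try next key'

printf '%s\n' "$LOG_ISSUE1" | classify_ssh_debug   # prints closed-after-auth
printf '%s\n' "$LOG_ISSUE3" | classify_ssh_debug   # prints encrypted-key
```

A closed-after-auth result means the remote shell returned immediately with exit status 0, which points at the account's login shell, its startup files, or a forced command on that key rather than at the key itself.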