I've been asked by a customer to create a script that encrypts files with a password, and I wrote one using OpenSSL as follows:
$this->salt = openssl_random_pseudo_bytes(10);
$this->cryptoKey = openssl_pbkdf2($key, $this->salt, $this->cryptoKeyLength, $this->iterations, $this->algorithm);
$this->iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($this->cipher));
The issue is that the customer doesn't have OpenSSL, and the hosting does not provide a user with enough rights to install php-openssl using yum; I get an error saying I don't have enough privileges.
The website has HTTPS, though.
Is there another lib to use?
Is there a way to use openssl as a class and include it as a .php file?
Is there another function like this, possibly native?
Is there a weaker way to do the same, possibly natively?
Thanks.
Would it be possible to install PHP on another machine, pass the request to it as a proxy and return the output? Would that be a smart way out?
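An added example, not from the question: the same password-based file encryption done with PHP's bundled sodium extension (PHP 7.2 and later) instead of php-openssl, so nothing needs to be installed with yum. File paths and the password are assumed to come from the caller.

```php
<?php
// Added example (not from the original post): password-based file encryption with
// PHP's bundled sodium extension (PHP >= 7.2), so no php-openssl is required.
// Output file layout: salt (16 bytes) || nonce (24 bytes) || authenticated ciphertext.
function deriveKey(string $password, string $salt): string
{
    // Argon2id takes the place of openssl_pbkdf2(); the salt is stored with the file.
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $password,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

function encryptFileWithPassword(string $inPath, string $outPath, string $password): void
{
    $plain = file_get_contents($inPath);
    if ($plain === false) {
        throw new RuntimeException("cannot read $inPath");
    }
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = deriveKey($password, $salt);
    // XSalsa20-Poly1305 secretbox: any tampering is detected when decrypting.
    $cipher = sodium_crypto_secretbox($plain, $nonce, $key);
    sodium_memzero($key);   // best-effort wipe of the derived key
    file_put_contents($outPath, $salt . $nonce . $cipher, LOCK_EX);
}

function decryptFileWithPassword(string $inPath, string $password): string
{
    $blob     = file_get_contents($inPath);
    $saltLen  = SODIUM_CRYPTO_PWHASH_SALTBYTES;
    $nonceLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    $minLen   = $saltLen + $nonceLen + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($blob === false || strlen($blob) < $minLen) {
        throw new RuntimeException("$inPath is unreadable or too short to be an encrypted file");
    }
    $key   = deriveKey($password, substr($blob, 0, $saltLen));
    $plain = sodium_crypto_secretbox_open(substr($blob, $saltLen + $nonceLen), substr($blob, $saltLen, $nonceLen), $key);
    sodium_memzero($key);
    if ($plain === false) {
        throw new RuntimeException('wrong password or corrupted file');
    }
    return $plain;
}
```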
Recently someone inadvertently changed the keyfile used for my ssh/sftp to a remote server. I deduced this when I tried to ssh to the server from the command line and I got challenged with a password request, which indicated that the key was no longer recognised.
How would I make my php program detect an unexpected password challenge? Currently I have this:
$sftp = new SFTP(self::DOMAIN_NAME);
$Key = new RSA();
$private_rsa_key = file_get_contents('/home/ddfs/.ssh/' . self::KEY_FILE);
$Key->loadKey($private_rsa_key);
$rc = $sftp->login(self::USER, $Key);
$errors = $sftp->getSFTPErrors();
At the moment I see $rc is set to FALSE and $errors is an empty array.
SSH initiated password change requests
SSH has a mechanism built into it for password resets. My reading of RFC 4252 § 8 implies that SSH_MSG_USERAUTH_PASSWD_CHANGEREQ packets should only be sent in response to a "password" SSH_MSG_USERAUTH_REQUEST, but who knows how the OpenSSH devs interpreted that section of the RFC.
Since you're doing public key authentication phpseclib would be sending a "publickey" SSH_MSG_USERAUTH_REQUEST so it seems like SSH_MSG_USERAUTH_PASSWD_CHANGEREQ wouldn't be a valid response, but again, who knows.
If the server did respond with an SSH_MSG_USERAUTH_PASSWD_CHANGEREQ packet, then you could do $sftp->getErrors() (instead of getSFTPErrors) and look for one that starts with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:. Maybe even do $sftp->getLastError().
getSFTPErrors returns errors from the SFTP layer, not the SSH2 layer. SFTP as a protocol doesn't know about authentication; that's handled entirely by the SSH layer. I.e. it's not SFTP errors you'd want to look at but SSH errors.
Reference code: https://github.com/phpseclib/phpseclib/blob/1.0.7/phpseclib/Net/SSH2.php#L2219
Other possible password request mechanisms
It's possible that the password request isn't coming from SSH's built-in authentication mechanism. It's possible you're getting an SSH_MSG_USERAUTH_SUCCESS response from the "publickey" SSH_MSG_USERAUTH_REQUEST.
At this point I can see two possibilities:
It could be a banner message that you're seeing. You can get those by doing $sftp->getBannerMessage().
It's possible you're only seeing this error when you SSH into the server as opposed to SFTP'ing into it. I.e. it's possible you wouldn't see the error unless you did $ssh->exec() or $ssh->write(). At this point the "error" could be communicated to you via stderr or stdout.
To know for sure I'd have to see the SSH logs. The phpseclib logs may or may not be sufficient. I mean you could do $sftp->exec('pwd'); or $sftp->read('[prompt]'); but my guess is that you're not already doing that. If you wanted to go that route you could do define('NET_SSH2_LOGGING', 2); and then echo $sftp->getLog() after you do either $sftp->exec() or $sftp->read().
The PuTTY logs might be more useful. To get them you can go to PuTTY->Session->Logging, check the "SSH packets" radio button and then connect as usual.
Unfortunately, OpenSSH does not, to the best of my knowledge, log the raw / decrypted SSH2 packets so OpenSSH isn't going to be too useful here.
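An added example (not phpseclib's own code or the answer's): a login helper that applies the checks described in this answer, reading the SSH2-layer errors, the last error, the banner and the packet log when publickey login fails. It assumes phpseclib 2.x with Composer autoloading; diagnoseSftpLogin() and its parameters are hypothetical.

```php
<?php
// Added example, not from the original post or phpseclib: diagnose a failed SFTP
// login by inspecting the SSH2-layer errors rather than getSFTPErrors().
// Assumes phpseclib 2.x; host, user and key path are placeholders supplied by the caller.
use phpseclib\Net\SFTP;
use phpseclib\Crypt\RSA;

define('NET_SSH2_LOGGING', 2);   // LOG_COMPLEX: keep a full packet log for getLog()

function diagnoseSftpLogin(string $host, string $user, string $keyPath): array
{
    $sftp = new SFTP($host);
    $key  = new RSA();
    $pem  = file_get_contents($keyPath);
    if ($pem === false || !$key->loadKey($pem)) {
        return ['ok' => false, 'reason' => 'private key unreadable or not parseable'];
    }
    if ($sftp->login($user, $key)) {
        return ['ok' => true, 'reason' => 'publickey auth accepted'];
    }
    // Authentication happens in the SSH layer, so these are the errors to look at,
    // not getSFTPErrors() (which stays empty when the SFTP subsystem never started).
    foreach ($sftp->getErrors() as $err) {
        if (strpos($err, 'SSH_MSG_USERAUTH_PASSWD_CHANGEREQ') === 0) {
            return ['ok' => false, 'reason' => 'server asked for a password change: ' . $err];
        }
    }
    return [
        'ok'     => false,
        'reason' => 'publickey rejected (key no longer in authorized_keys?)',
        'last'   => $sftp->getLastError(),
        'banner' => $sftp->getBannerMessage(),
        'log'    => $sftp->getLog(),   // decrypted packet trace, comparable with PuTTY's SSH packet log
    ];
}
```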
I think that probably I'm missing something, but I don't see it right now. I want to create a simple form where users can automatically encrypt messages between them (form message to user2 -> encrypt(message) -> user2 receives it and decrypts it). I'm using nginx; I installed gnupg following their instructions and added it to my php.ini (now it shows that GnuPG is enabled with GPGME Version 1.4.3 and Extension Version 1.3.6). I want to use a specific keyring located at /usr/share/nginx/.gnupg. I tried the following code:
$iterator = new gnupg_keylistiterator("developer");
foreach($iterator as $fingerprint => $userid) {
echo $fingerprint." -> " . $userid . "\n";
}
var_dump($iterator);
And I just obtain the following response from var_dump:
object(gnupg_keylistiterator)#1 (0) { }
Maybe my question is an idiotic question, but I have never used gnupg in PHP and I want to learn, but I've been stuck since yesterday and I don't understand why it doesn't work...
Thanks for your time
The most common issue is that you imported the keys into a different keyring than the one that is later searched for keys. GnuPG uses a per-(system)-user "GnuPG home directory", each containing individual keyrings. If you import a key as the administrator or a developer, you import the key into your own keyring, while usually the web server running the PHP application is executed in another user context and will not find this key, resulting in an empty result when listing the keys from within PHP.
You can set this by setting up an environment variable before initializing the GnuPG binding.
putenv("GNUPGHOME=/tmp"); // Set GnuPG home directory to the temp folder
$res = gnupg_init(); // Initialize GnuPG
Obviously /tmp does not actually qualify as a reasonable directory; choose something where your application stores application data anyway. It should not be a directory accessible through HTTP.
As an alternative, gnupg_import($res, $pubkey) the key before using it (but this will result in some performance penalty for importing the key).
I am completely stuck with a PGP problem, but I guess it's more of a logical than a technical problem. Anyway, I don't get it.
The goal is to encrypt a file with gpg4win (www.gpg4win.de/index.html) and decrypt it with PHP (gnupg).
First thing I did, I created a certificate with gpg4win, set a passphrase and encrypted a simple text file (ASCII). Then I uploaded the file and tried to decrypt it with the following code:
$content = file_get_contents("some-test-data.asc");
$gpg = new gnupg();
$gpg->adddecryptkey("MYFINGERPRINT","my.pass.phrase");
$plain = $gpg->decrypt($content);
var_dump($plain);
The result was:
bool(false)
What am I doing wrong? I've tried different code and suggestions, but always ended up with bool(false).
Are these methods not compatible? Do I have to use a different application?
I appreciate every little bit of help I can get. Thanks a lot!
P.S. PHP is compiled with gnupg
GPGme Version 1.4.2
Extension Version 1.3.3-dev
Problem solved. If anybody runs into the same trouble, it's due to a lag in the PHP documentation:
string gnupg_decrypt ( resource $identifier , string $text )
I found the following comment in the comment section:
As of gnupg version 2, it is not possible to pass a plain password any more. The parameter is simply ignored. Instead, a pinentry application will be launched in case of php running in cli mode. In cgi or apache mode, opening the key will fail.
The simplest solution is to use keys without passwords.
So I've created a new key without a password and everything works fine.
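An added example serving both gnupg posts above (the empty key list and the bool(false) from decrypt); it is not code from either post or from the gnupg extension. It pins GNUPGHOME before the first gnupg call, checks that the key really is in that keyring, and surfaces geterror() instead of a bare false. The home directory, fingerprint and file path are placeholders; gpgDecryptFromKeyring() is a hypothetical helper name.

```php
<?php
// Added example, not from either gnupg post: pin GNUPGHOME before the first gnupg
// call, confirm the key is in *that* keyring, then decrypt and report the real error
// instead of a bare bool(false). $home, $fingerprint and $cipherFile are placeholders.
function gpgDecryptFromKeyring(string $home, string $fingerprint, string $cipherFile, string $passphrase = ''): string
{
    if (!is_dir($home) || !is_readable($home)) {
        throw new RuntimeException("GNUPGHOME $home is missing or unreadable by the web server user");
    }
    // The env var must be set before new gnupg()/gnupg_init(); the binding reads it at init.
    putenv("GNUPGHOME=$home");
    $gpg  = new gnupg();
    $keys = $gpg->keyinfo($fingerprint);
    if ($keys === []) {
        // Same symptom as an empty gnupg_keylistiterator: the key was imported into
        // another user's keyring (e.g. the developer's), not the web server user's.
        throw new RuntimeException("key $fingerprint is not in $home; import it there (or via \$gpg->import())");
    }
    if (empty($keys[0]['is_secret'])) {
        throw new RuntimeException("only the public part of $fingerprint is in $home; decryption needs the secret key");
    }
    // With GnuPG 2 the passphrase argument is ignored: a protected key needs pinentry,
    // which is unavailable under a web SAPI, so decrypt() fails. A key without a
    // passphrase (as the second post concluded) is what works in that context.
    if (!$gpg->adddecryptkey($fingerprint, $passphrase)) {
        throw new RuntimeException('adddecryptkey: ' . $gpg->geterror());
    }
    $cipher = file_get_contents($cipherFile);
    if ($cipher === false) {
        throw new RuntimeException("cannot read $cipherFile");
    }
    $plain = $gpg->decrypt($cipher);
    if ($plain === false) {
        throw new RuntimeException('decrypt: ' . $gpg->geterror());
    }
    return $plain;
}
```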
This is my first time using Capistrano and I am getting server authentication errors right at the start of my deploy:setup stage. I am a PHP user using rvm on a Mac.
I noticed my deploy.rb file does not contain the password to my server. It only contains the password to my private git repo. Is there an attribute available for setting the server password so my connection could authenticate?
Do deploy.rb files list server credentials?
I'd like to refer you to a related discussion. Case in point: it's better to set up publickey authentication for your servers; it saves you from having your credentials stored in plain text and it is safer to begin with.
If you use github for your git hosting, you can use your publickey there as well. Be sure to use ssh_options[:forward_agent] = true to forward your publickey to the server when deploying.
If you really want to set your user and password, I believe you can do it as follows:
set :user, "sshuser"
set :password, "sshpassword"
set :scm_passphrase, "gitpassword"
More info can be found at github help/capistrano
The previous answer covers good info about deploy and I agree it is better to set up public keys.
But if you have password issues, try to add this line:
default_run_options[:pty] = true
to your deploy.rb file, so you allow Capistrano to prompt for passwords.
#Amit Erandole (in reply to [ip_address_omitted] (Net::SSH::AuthenticationFailed: root), app_name_omitted (Errno::ETIMEDOUT: Operation timed out - connect(2)):
Looks like root access over ssh is not allowed on the server (and generally not recommended). Try it again with a valid user or turn root access on in sshd_config (PermitRootLogin yes).
But as was already mentioned by HectorMalot, create an ssh-key and forget about the passwords. ;)
I will have an app where I will prompt users for a URL (with proper regex url validation) and return the page with cURL and run some checks on it.
What would be the most secure way of returning a remote webpage securely with cURL? As I understand even cURL has some vulnerabilities, like 'safe mode' Security Bypass (http://www.securityfocus.com/bid/27413).
SecurityFocus claims this has been fixed in PHP 5.2.6. If you can't upgrade to that, you need to manually check for that attack vector. Perhaps check in your user input if the URL definitely has "http" in front of it, with if (substr($url, 0, 7) == 'http://')
Furthermore, according to the comments on this PHP bug report, curl gives you the option to disable specific protocols, including local file access, but only when you configure and compile from source. According to the cURL install manual it must be something like this (untested):
./configure --disable-file
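An added example, not from the question or the answer: a fetcher that enforces the "http(s) only" rule at runtime via cURL's CURLOPT_PROTOCOLS (libcurl 7.19.4 and later) rather than relying on a ./configure flag, refuses hosts that resolve to internal addresses, and caps the response size. fetchRemotePage() and its limits are hypothetical; it assumes PHP 7 or later with the curl extension.

```php
<?php
// Added example, not from the original post: fetch a user-supplied URL with cURL while
// rejecting non-HTTP schemes at runtime (CURLOPT_PROTOCOLS) instead of only at configure
// time, and refusing hosts that resolve to internal addresses. fetchRemotePage() is hypothetical.
function fetchRemotePage(string $url, int $maxBytes = 1048576): string
{
    $p = parse_url($url);
    if ($p === false || empty($p['host']) || !in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        throw new InvalidArgumentException('only absolute http(s) URLs are accepted');
    }
    $scheme = strtolower($p['scheme']);
    // Resolve once, refuse loopback/private/link-local targets (SSRF), and pin that
    // answer for curl so a second lookup (DNS rebinding) cannot change the target.
    $ips = gethostbynamel($p['host']) ?: [];   // IPv4 only; AAAA records are not checked here
    if ($ips === []) {
        throw new InvalidArgumentException("cannot resolve {$p['host']}");
    }
    foreach ($ips as $ip) {
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            throw new InvalidArgumentException("{$p['host']} resolves to a non-public address");
        }
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    $body = '';
    $ch   = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,  // no file://, scp://, ...
        CURLOPT_FOLLOWLOCATION => false,   // a redirect target must come back through these checks
        CURLOPT_RESOLVE        => ["{$p['host']}:$port:{$ips[0]}"],
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
        // Accumulate the body ourselves so an oversized response is cut off, not buffered.
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$body, $maxBytes): int {
            $body .= $chunk;
            return strlen($body) > $maxBytes ? -1 : strlen($chunk);   // a mismatch aborts the transfer
        },
    ]);
    $ok  = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    if ($ok === false) {
        throw new RuntimeException(strlen($body) > $maxBytes ? "response exceeds $maxBytes bytes" : "fetch failed: $err");
    }
    return $body;
}
```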