i'm attempting to test an SFTP connection thru my web app running on laravel 5.7 framework using phpseclib . This is the authentication code, using only password authentication. The SFTP server is also using IP whitelisting as additional security.
$sftp = new SFTP(env('SFTP_HOST'));
if (!$sftp->login(env('SFTP_USER'), env('SFTP_PASSWORD'))) {
echo $sftp->getLog();
}
The -vvv logs almost make me wonder if the server is using multi factor authentication. Like you have to provide both an RSA key and a password. If so you should be able to achieve that thusly:
$key = new RSA;
$key->loadKey(file_get_contents('/home/forge/.ssh/id_rsa'));
$sftp = new SFTP(env('SFTP_HOST'));
if (!$sftp->login(env('SFTP_USER'), $key, env('SFTP_PASSWORD'))) {
echo $sftp->getLog();
}
The -vvv logs also indicate that it's skipping straight to keyboard-interactive auth - that it's not even trying password auth. You can force phpseclib to do keyboard-interactive by doing $sftp->login(env('SFTP_USER'), ['Password:' => env('SFTP_PASSWORD')]) instead of what you are doing.
Maybe some combination of these two tips will help you out.
Related
I am trying to connect to mysql DB on AWS with PHP client.
The connection has 2 phases:
1 - connect to SSH port 22 using public/private key auth
2 - connect to mysql server on port 3306
I am having problem with the first phase. I have pem file and I have the following code:
<?php
include('SSH2.php');
include('RSA.php');
$key = new Crypt_RSA();
$key->loadKey(file_get_contents('path to pem file'));
$ssh = new Net_SSH2('server IP');
if (!$ssh->login('root', $key)) {
exit('Login Failed');
}
echo $ssh->exec('ls -la');
?>
what am I doing wrong?
Anyone has an example for end2end connection??
I tested your script and it seems to work properly for me.
Kindly verify a few things to see why the ssh connection is not working,
Check that you are using the correct ssh private key [pem file] and that the permission on that file is readonly [ chown 0400 pemfile]
Check that the security group for the ec2 server allows port 22 to the IP address that the PHP is running on.
Check that you are using the correct Server IP, username. Generally speaking most of the EC2 server AMI are built with remote root login disabled, you will need to use the right username like on Amazon AMI you need to use ec2-user and on ubuntu amiit is ubuntu
Also please check on https://blog.rjmetrics.com/2009/01/06/php-mysql-and-ssh-tunneling-port-forwarding/ which gives in depth on what you are achieving
I have an ssh access to a LDAP server.
After accessing through ssh I can access to phpldapadmin. I have an admin DN and a password.
What needs to be done is I have to authenticate users using ldap whenever they try to login to a website.
Website is using jaggery for the server side code. But php is okay too.
I haven't worked with ldap and ssh. So if somebody can help on this I'll really appreciate it.
You have to download the adLDAP.php here:
http://adldap.sourceforge.net/download.php
Then the autentication is quiet simple:
$adldap = new adLDAP(array('base_dn'=>'DC=domainexample,DC=suffixexample', 'account_suffix'=>'#domainexample.suffix'));
$authUser = $adldap->authenticate('user', 'password');
if ($authUser == true) {
echo "User authenticated successfully<br>";
}
else {
echo "User authentication unsuccessful<br>";
}
You have only to be careful with the DC attribution: it depends on the LDAP network.
PHP has an extension to work with LDAP. You don't need to install third-party libraries.
Work with ldap and session is what you need.
http://us2.php.net/manual/pt_BR/book.ldap.php
I am tried to implement a LDAP authentication in my web application developed in ZF2. LDAP authentication is working fine in Windows 7.
But, after moving the application to LINUX machine, LDAP authentication is not working. I am always getting the error as : Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in LdapConnect.php on line 20
I have used the scripts as:
$ldaphost = "ldap://xxxx.net";
$ldapport = 389;
$ds = ldap_connect($ldaphost, $ldapport) or die("Could not connect to $ldaphost");
if ($ds)
{
$username = "username#xxxx.net";
$upasswd = "password";
$ldapbind = ldap_bind($ds, $username, $upasswd);
if ($ldapbind)
{
print "Congratulations! you are authenticated successfully.";
}else{
print "Better luck next time!";
}
}
Should I install any software package or should I do any config settings?
Note: If I give the IP adress then it is working fine, but if I give the domain name, then it is not working.
The library may be different between the 2, or a different version. You'd be amazed how many variations of the ldap client there are. In your position I would (if available) use ldap client to make the same kind of connection a few different ways.
e.g. the "-x" on the standard ldapsearch:
-x Use simple authentication instead of SASL.
So you could express the connection like this:
ldapsearch -h xxxx.net -p 389 (etc)
ldapsearch -x -h ldap://xxxx.net:389 (this should actually be -H..)
and so on.
It is also possible for things outside of your code to be an issue. Prod servers often have firewalls and proxies (e.g. F5) that are transparent to the server/client.
Make sure your final code has exception handling for binding and searching. I'm not too familiar with the php implementation, and the doco is a tad thin. Normally you'd use a synchronous bind.
Can you verify that the code above is exactly as you had it on Windows? The reason I ask is that looking here: http://php.net/manual/en/function.ldap-connect.php it seems that you may be mixing 2 types of bind. I definitely wouldn't have done it like that in standard python.
So if using a URI normally you'd do it like this:
ldap_connect("ldap://blah:389")
and if you're connecting via host/port combo:
ldap_connect("blah","389")
With minimal exception info my best guess is that its actually trying to bind to a hostname "ldap://xxxx.net" on port "389".
In our web based application we support LDAP authentication. It works fine with the code below. Now we want to support LDAP over TLS. We host our product for our customers on SUSE Linux Enterprise Server 11 and each customer can have different TLS certificate.
My questions are:
how to set up out SUSE server (that is LDAP client) - where to place certificates for each customer, do I need to edit any conf file?
how to make LDAP authentication over TLS with different certificates from php. What would be exact php syntax?
does it matter what type of the server is? Exchange, OpenLDAP etc?
right now we have .cer certificate from Exchange. Is that ok for OpenLDAP or it must be converted (how) to .pem?
SUSE server = LDAP client configuration
SUSE Linux Enterprise Server 11 (x86_64)
ldapsearch: #(#) $OpenLDAP: ldapsearch 2.4.26 (Sep 26 2012 13:14:42)
PHP Version 5.4.9
Zend Engine v2.4.0
From reading http://php.net/ldap_connect I understood that I can use different certificates but I didn't get how.
function authenticateZendAuth($username, $password){
require_once 'Zend/Auth.php';
$auth = Zend_Auth::getInstance();
$ldapOptions = getConfigVariableValue('->ldap');
$options = $ldapOptions->toArray();
unset($options['log_path']);
require_once 'Zend/Auth/Adapter/Ldap.php';
$adapter = new Zend_Auth_Adapter_Ldap($options, $username, $password);
$authenticated = $auth->authenticate($adapter);
$log_path = $ldapOptions->log_path;
if ($log_path) {
$messages = $authenticated->getMessages();
require_once("Zend/Log.php");
require_once("Zend/Log/Writer/Stream.php");
require_once("Zend/Log/Filter/Priority.php");
$logger = new Zend_Log();
$logger->addWriter(new Zend_Log_Writer_Stream($log_path));
$filter = new Zend_Log_Filter_Priority(Zend_Log::DEBUG);
$logger->addFilter($filter);
foreach ($messages as $i => $message) {
if ($i-- > 1) { // $messages[2] and up are log messages
$message = str_replace("\n", "\n ", $message);
$logger->log("Ldap: $i: $message", Zend_Log::DEBUG);
}
}
}
return $authenticated;
}
How to set up our SUSE server (that is LDAP client) - where to place certificates for each customer, do I need to edit any conf file?
If you are using openssl (slapd) it doesn't really matter where you put the certificate, as long as you can set the configuration file to point to. It will look something like this perhaps:
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
You will need to request (or create your own) Certificates, these are the same as the certificates you use for HTTPS. This is where the domain name is imported, when you create/request the cert, it needs to match the domain name that you are going to be using it on. See: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html for more details.
How to make LDAP authentication over TLS with different certificates from php. What would be exact php syntax?
You really don't need to do anything special here. Make sure you set your LDAP server up with the appropriate domain named certificate. And make sure that the signing authority for that cert is recognized by your local openladap client (running your php) via it's config file. Then notice that many of the Zend Examples (http://files.zend.com/help/Zend-Framework/zend.auth.adapter.ldap.html) use a config file to set up the Zend LDPA client and turn on TLS. You can also use Zend_Ldap::setOptions() - see the notes on http://framework.zend.com/manual/1.12/en/zend.auth.adapter.ldap.html
Does it matter what type of the server is? Exchange, OpenLDAP etc?
No, not really. I mean, configuring the LDAP server will matter, but the php client won't really care at all.
Right now we have .cer certificate from Exchange. Is that ok for OpenLDAP or it must be converted (how) to .pem?
See: http://www.sslshopper.com/article-most-common-openssl-commands.html
openssl x509 -inform der -in certificate.cer -out certificate.pem
I'm looking for a way to authenticate users through LDAP with PHP (with Active Directory being the provider). Ideally, it should be able to run on IIS 7 (adLDAP does it on Apache). Anyone had done anything similar, with success?
Edit: I'd prefer a library/class with code that's ready to go... It'd be silly to invent the wheel when someone has already done so.
Importing a whole library seems inefficient when all you need is essentially two lines of code...
$ldap = ldap_connect("ldap.example.com");
if ($bind = ldap_bind($ldap, $_POST['username'], $_POST['password'])) {
// log them in!
} else {
// error message
}
You would think that simply authenticating a user in Active Directory would be a pretty simple process using LDAP in PHP without the need for a library. But there are a lot of things that can complicate it pretty fast:
You must validate input. An empty username/password would pass otherwise.
You should ensure the username/password is properly encoded when binding.
You should be encrypting the connection using TLS.
Using separate LDAP servers for redundancy in case one is down.
Getting an informative error message if authentication fails.
It's actually easier in most cases to use a LDAP library supporting the above. I ultimately ended up rolling my own library which handles all the above points: LdapTools (Well, not just for authentication, it can do much more). It can be used like the following:
use LdapTools\Configuration;
use LdapTools\DomainConfiguration;
use LdapTools\LdapManager;
$domain = (new DomainConfiguration('example.com'))
->setUsername('username') # A separate AD service account used by your app
->setPassword('password')
->setServers(['dc1', 'dc2', 'dc3'])
->setUseTls(true);
$config = new Configuration($domain);
$ldap = new LdapManager($config);
if (!$ldap->authenticate($username, $password, $message)) {
echo "Error: $message";
} else {
// Do something...
}
The authenticate call above will:
Validate that neither the username or password is empty.
Ensure the username/password is properly encoded (UTF-8 by default)
Try an alternate LDAP server in case one is down.
Encrypt the authentication request using TLS.
Provide additional information if it failed (ie. locked/disabled account, etc)
There are other libraries to do this too (Such as Adldap2). However, I felt compelled enough to provide some additional information as the most up-voted answer is actually a security risk to rely on with no input validation done and not using TLS.
I do this simply by passing the user credentials to ldap_bind().
http://php.net/manual/en/function.ldap-bind.php
If the account can bind to LDAP, it's valid; if it can't, it's not. If all you're doing is authentication (not account management), I don't see the need for a library.
I like the Zend_Ldap Class, you can use only this class in your project, without the Zend Framework.
PHP has libraries: http://ca.php.net/ldap
PEAR also has a number of packages: http://pear.php.net/search.php?q=ldap&in=packages&x=0&y=0
I haven't used either, but I was going to at one point and they seemed like they should work.
For those looking for a complete example check out http://www.exchangecore.com/blog/how-use-ldap-active-directory-authentication-php/.
I have tested this connecting to both Windows Server 2003 and Windows Server 2008 R2 domain controllers from a Windows Server 2003 Web Server (IIS6) and from a windows server 2012 enterprise running IIS 8.