I've setup proftpd with a tutorial in an Ubuntu Server machine with MySQL user access. Now I've created some users (user01, user02, user03) and created a cyphered password with this command:
/bin/echo "{md5}"`/bin/echo -n "mypassword" | openssl dgst -binary -md5 | openssl enc -base64`
{md5}NIGde+6ruSYKXIVLyFs+RA==
I'm not ashamed to say I did not understand anything of this command, but I would like to, and make the same command line work in a PHP code.
I know there is an OpenSSL library in PHP, but I don't really know how to get the same result.
I've found it out my self (and I feel proud about)
`//php
$dgst = openssl_digest('mypassword', 'md5', TRUE);
echo "{md5}" . base64_encode($dgst); `
This will give as result '{md5}NIGde+6ruSYKXIVLyFs+RA=='
echo base64_encode(md5('mypassword', true));
No need to even use the openssl extension.
Related
I'm having some weird behaviour with the openssl_decrypt method in PHP. It's failing, giving me an error: Unknown cipher algorithm, but only sometimes (about 6:10 times) i.e. If I run the command enough times, it will eventually work... My code is:
$result = openssl_decrypt(base64_decode($hash), 'AES-128-CBC', $timestamp);
running openssl list-cipher-commands lists AES-128-CBC as one of the available cipher methods. The specs don't really list anything on the subject - only specifying that unknown cipher algorithm is a possible exception from running the command.
edit:
Using the command line: i.e. running echo "soemthing" | openssl enc -aes-128-cbc on a random machine and then decrypting on the machine that fails with the above echo "..." | openssl enc -aes-128-cbc -d works consistently.
I'm having as issue with running a script using shell_exec in PHP.
When I log onto the server and run the script I get the correct output but when running it through the webpage it doesn't seem to be completing the commands.
The script is to use openssl to create .pem, .pfx and .p12 files from .crt and .key files.
Bash Script is below:
#!/bin/bash
#Script to create all the SSL certs needed from the .key and .crt files
set -o errexit
echo "Starting script....<br><br>"
echo "openssl pkcs12 -export -in $1.crt -inkey $1.key -out $1.p12 -passout pass:$2"
openssl pkcs12 -export -in $1.crt -inkey $1.key -out $1.p12 -passout pass:$2
echo "P12 Complete.<br><br>"
openssl pkcs12 -in $1.p12 -nodes -out $1.pem -passin pass:$2 -passout pass:$2
echo "PEM Complete.<br><br>"
openssl pkcs12 -inkey $1.pem -in $1.crt -export -out $1.pfx -passout pass:$2
echo "PFX complete.<br><br>"
mkdir $1_certs
mv $1.key $1_certs/$1.key
mv $1.crt $1_certs/$1.crt
mv $1.pem $1_certs/$1.pem
mv $1.p12 $1_certs/$1.p12
mv $1.pfx $1_certs/$1.pfx
echo "Password: " $2 >> $1_certs/password.txt
echo "ZIPing files.<br><br>"
zip $1_certs.zip $1_certs
echo "COMPLETE<br><br>"
PHP is below:
<?php
if (isset($_GET['cert_name'])) {
$cert_name = $_GET['cert_name'];
$password = $_GET['password'];
echo "/home/<username>/ssl $cert_name $password <br><br>";
$message=shell_exec("/home/<username>/ssl $cert_name $password");
echo $message;
}
?>
The abundance of echo's in both was to aid in troubleshooting.
The webpage is a basic table with 2 inputs and a submit button.
When I Run this in the webpage it gets to the openssl command to create the .p12 and fails.
If I remove the set -o errexit so that it runs completely through regardless of errors I can see that it doesnt even try to create the directory or move the files, I just see all the echo's. Its as if it just runs the echos and ignores the commands.
I have an echo in before the command to create the p12 file and it shows that it is getting all the correct details.
I'm at a loss of where to go from here. Any help would be appreciated.
From the manual on shell_exec
Return Values
The output from the executed command or NULL if an error occurred or the command produces no output.
Note:
This function can return NULL both when an error occurs or the program produces no output. It is not possible to detect execution failures using this function. exec() should be used when access to the program exit code is required.
In debugging, echo, and print/print_r variations aren't very helpful, because they type cast null to a string. Instead you could use var_dump, which guarantees output for every input even if it is null.
As far as why it's failing there is a way to get back any information from STDERR by redirecting STDERR to STDOUT.
$message = shell_exec("/home/<username>/ssl $cert_name $password 2>&1");
It's also important to note that you should escape any arguments passed to the shell via escapeshellarg
If I had to guess at why it's failing my best guess would be that whatever user PHP is running under (if you're doing this via your web server, for example, and using Apache httpd with mod_php, it probably doesn't have the necessary permissions to execute /home/<username>/ssl. You should be able to determine that for sure by checking permissions on the file and confirming with STDERR information back from the shell.
I'm generating a SHA1 hash via OpenSSL via the commandline with the following command:
echo -n "test" | openssl dgst -sha1 -sign private.pem | openssl enc -base64
The output is:
mTuk4MicnS1Xn9BB4wed6pWe62CGDgj6imaOp9f3spiRo/W88WNac7sMkAYl37ruh82mbREbEzsFwCCdhO3MpGh/tyhb+2vx59tta1GTp5Nhb8PlnFL20Zh8QUrv6WrgvsI8z4IPG4KXCJw++7hBQHcnxa8dT5EMn1OW72MumG8=
when I execute the same command via PHP with exec() I get a different output:
YDGDpc0nC1uaFBO28uepQ/8hMhqoUhXIhqb0UTVCHA2oqWI7PeYyHBB1tmvQ8iqo/ZJzvkNxAruy6T67rdpz/4hyKh6hRxGvYNStteqv/Cn04yiSlgidiHnN2x5aoI6GdE/c0haiE/WmJlFTOcQdPztsQWOk2QUzWdwDmO0OjqE=
WHY?
both scripts run via the same user, As the PHP Script is run as "nobody" I have logged in via the shell as nobody and executed it... no dfference
Using the full path fixed the problem!
I have to encrypt files that will be decrypted on demand with PHP :
$fh = fopen('encrypted_file', 'rb');
$content = fread($fh, $size);
print mcrypt_decrypt(MCRYPT_TRIPLEDES, 'myPassword', $content, MCRYPT_MODE_ECB);
fclose($fh);
I cannot change the PHP code as it is used many times in the site.
Otherwise, I have to seriously prove that the change is mandatory.
Now, my problem is to find the Linux OpenSSL command to encrypt files that will be decrypted with the given code.
I tried things like :
openssl enc -e -des3 -k myPassword -nosalt -in text_file -out encrypted_file
But I cannot find the decrypted file through PHP.
May you help me to correct the openssl command?
There are so many options (I tried many, I sware) and I don't find how to make them corresponding to the PHP one.
Regards,
Olivier
I'm using phpseclib and need to make a couple of php functions that enable someone to programmatically ssh into their server and change the root password and also change the password of a user that may have forgotten their password (so have to be logged in as root).
I tried using libssh2, but found it a bit nasty to use. I'm now looking at phpseclib which seems more robust. But when I tried to use the 'su' command like so:
echo $ssh->exec('su');
I get the reply:
su: must be run from a terminal
and when I try to use sudo:
echo $ssh->exec('sudo passwd root');
I get the error:
sudo: no tty present and no askpass program specified
Anyway, it turns out that su is disabled for direct ssh access, but after having a look at this article, it turns out you can do it with the following command:
ssh -t -t -l 'username' 'host' 'su -'
That's what finally worked for me anyway when entering into a terminal from my laptop (running ubuntu), and then I entered my password and then the root password to finish off.
Quoting from the site linked to above:
Ssh commands (using -t) the remote sshd to establish a 'pseudo-terminal' pipe to the worker process when -t is given.
. ssh does this as long as its stdin is a terminal.
. But if ssh's stdin is a non-terminal, ssh won't direct sshd to establish a
pseudo-terminal unless TWO -t's are given:
echo password | ssh -t -t -l username remote_host
. So with -t -t (from ssh) sshd sets up a pseudo-terminal to the client process.
. The client, whether it be 'tty' or 'su' cannot tell it is connected to a ficticious >terminal:
echo dummystr | ssh -t -t -l username host.com -c ''tty'
echo password | ssh -t -t -l username host.com -c 'su -'
So there is the answer. Use double -t if you are 'su root'ing' on a linux box through an >interactive client ssh like the one from OpenBSD.
So, it actually worked from the terminal as I said above using:
ssh -t -t -l 'username' 'host' 'su -'
but I really want to be able to execute this command using phpseclib. Only thing is I don't know how to put in any flags into the exec() function. Specifically, I need to put in the -t flags (twice).
I've looked for ages and can't find anything. Be really grateful for some help on this. Sorry about the length of this post as well. :)
Cheers
Joe
If sudo passwd root requires a tty try read() / write() in phpseclib. eg.
<?php
include('Net/SSH2.php');
$ssh = new Net_SSH2('localhost', 22);
$ssh->login('username', 'password');
$ssh->read('[prompt]');
$ssh->write("sudo passwd root\n");
$ssh->read('Password:');
$ssh->write("Password\n");
echo $ssh->read('[prompt]');
?>
Actually, I'm just copy / pasting from your other post: php ssh2_exec not executing 'su' command
Looks like you were getting some help there and then stopped following up? Someone suggested you need to add new lines to your commands. Did you try that? They also suggested posting on the phpseclib support forums. Seems like a good bit of advice to me...
You can enable the pseudoterminal by calling
$ssh->enablePTY();
after you login, but before the exec. This will prevent it from complaining about the missing tty.
I looked into phpseclib's Net_SSH2 for the time being. It looks like it uses sockets to connect to the server. So there's no way to pass in -t twice. It's not an ssh call.
Since you mentioned libssh2 in your question, there's a PEAR wrapper which supports it, might make things easier, the code is only in SVN currently. The PEAR wrapper is called Net_SSH2 as well, but is different from phpseclib's Net_SSH2 (confusing).
Check out the code here:
http://svn.php.net/viewvc/pear/packages/Net_SSH2/trunk/
To download it, do an svn checkout out with:
svn co http://svn.php.net/repository/pear/packages/Net_SSH2/trunk/ ./Net_SSH2
Small example:
<?php
require_once './Net_SSH2/Net/SSH.php';
$ssh = new Net_SSH2::factory('LibSSH2', array(
'login_name' => 'user',
'password' => 'pass',
'hostname' => 'example.org',
'command' => 'su -',
));
$ssh->sshExec($std_output, $std_error);
var_dump($std_output, $std_error);
Would that help?