I have a PHP file in which upon clicking the submit button, another PHP script is being executed. Within the second PHP script a shell script is being executed in which an SSH connection is being done to another server.
The issue I have is that the SSH connection to another server can only be done by a particular user. However the PHP script is being executed by www-data and for such reason I cannot change user, to the user that needs the ssh connection as it requires a password each time.
I also tried to execute the shell script from the first PHP file but still with no success.
My OS is UBUNTU.
Can this be done, and if yes, how can this be achieved?
Thanks
You can use sudo command. For passing password to it, there is a -S option
Do you have the option (access and rights etc.) of using private/public keys for SSH? If yes, then your second PHP script would contain something like
ssh -l <particular-username> <hostname> -i <private_key_file>
How are you logging in? SSH requires a username. Are you providing www-data as that username or the "particular name" as the username?
If you have or can install sshpass ( http://sourceforge.net/projects/sshpass/ ) you can give that a go, it allows username+password on the commandline, example here:
https://askubuntu.com/questions/282319/how-to-use-sshpass
Related
Can't solve the problem.
Briefly: I need to execute command on remote server via ssh.
I have two PCs from where I do that job. Ubuntu server - no problem. But from FreeBSD - problem.
Target server is under Freebsd too.
Access is via ssh keys, user - root. In my client Freebsd I can do ssh root#x.x.x.x without any password, so we make conclusion that this part is ok. Next. I run php artisan tinker (for those who don't know what is this - this is terminal for executing php code). There I do:
exec("ssh root#x.x.x.x whoami");
And I get 'root'. Work is correct. But I do the same via
dd(exec("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -v root#x.x.x.x 2>&1"));
and I get:
"Permission denied (publickey,keyboard-interactive)."
For that command:
dd(exec("ssh -v root#91.222.216.24 whoami 2>&1"));
I get:
"Host key verification failed."
As I understand the only way is to use password, but why key auth fails?
How to fix that?
I've tried many options (read many articles on stackoverflow) and in some combination of code I've found that it looks like when command executed via exec another user (www) is used, not root. And I got errors like:
Could not create directory '/nonexistent/.ssh'.
As I understand the problem connected to user and its permissions. And it looks like there is no any user at all when sshing via exec.
Upd.
Right in terminal on client PC
php -r "echo(exec('whoami'));"
gives. 'root'.
But the same inside of controller in Laravel while using php exec
dd(exec('whoami'));
gives 'www'.
For some reasons in php (exec command) different user is used.
And yes, in Ubuntu, where I have no problems, I get the same user in both cases (I've checked just now), that's why everything is working there. So,.. the question is How to create ssh keys for another user, which is 'www' or should I change somehow user for php?
I am trying to rsync file from local to remote server.
When i do this on console it works:
rsync -avzhe ssh /var/www/folder1/file5
root#192.168.56.74:/var/www/folder2
but when i do this on my php and run the php script, it doesn't work:
$rysncCommand = "rsync -avzhe ssh /var/www/folder1/file5 root#192.168.56.74:/var/www/folder2";
shell_exec($rysncCommand);
There is no error shown, so i can't really tell what is the error. Is there something wrong with my php script?
First, you need to check if you need to be a root or (sudo user) for running rsync.
If yes then exec() command will only work if it is run by same user on php-cli (not on browser by Apache user). i.e. Which user you are loggined into shell for run rsync.
If it is root or any elavated permission user with sudo permission then, This rsync command may not be available to apache/www-data user which is working when php script run from browser.
So You try to make a normal user and login through it, Then try rsync if you are successful then it may be interesting to see what are other problems can be, But if you getting access/permission denied then obviously you can not run this script at-least on browser.
Besides this One more thing permission may not be directly related to rsync command itself but with folder /etc/test/ which is owned by root user in normal scenario.
For more details you can check this Stack Overflow Link .
Using PHP's copy() function, is it possible to perform the copy using alternate credentials (a different user account)?
Currently, I’m copying files from one Windows directory to another Windows Server and was wondering if I could do this using another account than I am currently using.
No, you cannot directly manipulate the user credentials like that. Instead you will have to spawn a new process to do the copying under a different user's login.
On Linux or Mac OS X you could arrange it with the sudo command, as long as you properly set up the sudoers file (using visudo).
On Windows you can use the runas command to execute a script as a different user.
runas is the only way that I know of. Run the command using exec() and use the Windows copy command:
exec("cmd /C echo password | runas /user:username copy \\path\\to\\file \\\\servername\\path\\");
There are other switches for runas. You might look at the /no profile and /netonly.
i am using arch linux. i want to execute the php file which changes the ip of the system. i did
ifconfig eth0 192.168.163.137
in the terminal and it works fine. the same i tried doing with
shell_exec('ifconfig eth0 192.168.163.137');
in a php file and tried opening the page from a remotely located web browser from another pc connected via router. teh page displays nothing and the code also doesnt execute. i guess its the problem with the user executing it.apache is executing it. so i want it to be run by the root.can anyone please guide me to the execution of my code. i even installed sudo and just put
shell_exec('sudo ifconfig......');
it too doesnt execute...please help...thanku..:)
Sudo normally requires an interactive shell to enter your password. That's obviously not going to happen in a PHP script. If you're sure you know what you're doing and you've got your security issues covered, try allowing the Apache user to run sudo without a password, but only for certain commands.
For example, adding the following line in your sudoers file will allow Apache to run sudo without a password, only for the ifconfig command.
apache ALL=NOPASSWD: /sbin/ifconfig
Adjust the path and add any arguments to suit your needs.
Caution:
There might still be complications due to the way PHP calls shell commands.
Remember that it's very risky to allow the web server to run commands as root!
Probably a better alternative:
Write a shell script with the suid bit to make it run as root no matter who calls it.
shell_exec
This function is disabled when PHP is running in safe mode.
Documentation : http://php.net/manual/en/function.shell-exec.php
So, maybe try tweaking your php.ini file?
Write the commands to a queue and have cron pick them up, validate them (only allow known good requests), and run them, then mark that queue complete with the date and result.
Your end-user can then click/wait for update using ajax.
I have a shellscript with connects to a a different machine with ssh and a key so it does not need the username and password.
When i run this script from commandline it works fine.. but when I run this script from php shell_exec it does not work.
If I make an ssh connection with PHP and run the script as my own user it does work.
Now for my question :D
Is there a way to just running the script in shell_exec from php without making an connection over ssh as a different user?
Did you specify the private key file correctly?
If you are using Ubuntu or Debian the web server is running with the user name www-data. For other systems please check the web server configuration for the user name. You can simply test if this user (and your php web application) is able to do the SSH connection.
1) Become the user of your web server
sudo su www-data
2) Try connecting the remote host
ssh remoteUser#remoteHost
If you will get connected without entering a password there must be a different problem. If you have to enter a password, the key files were stored for a different user - not for www-data. You have already configured SSH to use the key. Do the same for your local user www-data and it will work.
It seems ssh connection does not work with shell_exec. If i run the shellscript under ssh2_exec it does seem to work.
Which is a little strange as the ssh connection is made in the script file with a public and private key.. I would assume this would just run :s
The webserver is allowed to execute the file, as there are other command in there who work as expected.