I'm using phpseclib and need to make a couple of php functions that enable someone to programmatically ssh into their server and change the root password and also change the password of a user that may have forgotten their password (so have to be logged in as root).
I tried using libssh2, but found it a bit nasty to use. I'm now looking at phpseclib which seems more robust. But when I tried to use the 'su' command like so:
echo $ssh->exec('su');
I get the reply:
su: must be run from a terminal
and when I try to use sudo:
echo $ssh->exec('sudo passwd root');
I get the error:
sudo: no tty present and no askpass program specified
Anyway, it turns out that su is disabled for direct ssh access, but after having a look at this article, it turns out you can do it with the following command:
ssh -t -t -l 'username' 'host' 'su -'
That's what finally worked for me anyway when entering into a terminal from my laptop (running ubuntu), and then I entered my password and then the root password to finish off.
Quoting from the site linked to above:
Ssh commands (using -t) the remote sshd to establish a 'pseudo-terminal' pipe to the worker process when -t is given.
. ssh does this as long as its stdin is a terminal.
. But if ssh's stdin is a non-terminal, ssh won't direct sshd to establish a
pseudo-terminal unless TWO -t's are given:
echo password | ssh -t -t -l username remote_host
. So with -t -t (from ssh) sshd sets up a pseudo-terminal to the client process.
. The client, whether it be 'tty' or 'su' cannot tell it is connected to a ficticious >terminal:
echo dummystr | ssh -t -t -l username host.com -c ''tty'
echo password | ssh -t -t -l username host.com -c 'su -'
So there is the answer. Use double -t if you are 'su root'ing' on a linux box through an >interactive client ssh like the one from OpenBSD.
So, it actually worked from the terminal as I said above using:
ssh -t -t -l 'username' 'host' 'su -'
but I really want to be able to execute this command using phpseclib. Only thing is I don't know how to put in any flags into the exec() function. Specifically, I need to put in the -t flags (twice).
I've looked for ages and can't find anything. Be really grateful for some help on this. Sorry about the length of this post as well. :)
Cheers
Joe
If sudo passwd root requires a tty try read() / write() in phpseclib. eg.
<?php
include('Net/SSH2.php');
$ssh = new Net_SSH2('localhost', 22);
$ssh->login('username', 'password');
$ssh->read('[prompt]');
$ssh->write("sudo passwd root\n");
$ssh->read('Password:');
$ssh->write("Password\n");
echo $ssh->read('[prompt]');
?>
Actually, I'm just copy / pasting from your other post: php ssh2_exec not executing 'su' command
Looks like you were getting some help there and then stopped following up? Someone suggested you need to add new lines to your commands. Did you try that? They also suggested posting on the phpseclib support forums. Seems like a good bit of advice to me...
You can enable the pseudoterminal by calling
$ssh->enablePTY();
after you login, but before the exec. This will prevent it from complaining about the missing tty.
I looked into phpseclib's Net_SSH2 for the time being. It looks like it uses sockets to connect to the server. So there's no way to pass in -t twice. It's not an ssh call.
Since you mentioned libssh2 in your question, there's a PEAR wrapper which supports it, might make things easier, the code is only in SVN currently. The PEAR wrapper is called Net_SSH2 as well, but is different from phpseclib's Net_SSH2 (confusing).
Check out the code here:
http://svn.php.net/viewvc/pear/packages/Net_SSH2/trunk/
To download it, do an svn checkout out with:
svn co http://svn.php.net/repository/pear/packages/Net_SSH2/trunk/ ./Net_SSH2
Small example:
<?php
require_once './Net_SSH2/Net/SSH.php';
$ssh = new Net_SSH2::factory('LibSSH2', array(
'login_name' => 'user',
'password' => 'pass',
'hostname' => 'example.org',
'command' => 'su -',
));
$ssh->sshExec($std_output, $std_error);
var_dump($std_output, $std_error);
Would that help?
Related
I am trying to ssh to a remote server to check to see if a specific file exists.
I am able to ssh in the command line but whenever I try to with my script it does not return anything / I have to type "exit" and hit enter to get back to the command line.
Steps:
ssh root#website.com
cd ..
ls ATMEXTRACT
I put all of these commands into ouputs so they look like this:
$output = shell_exec("ssh root#website.com");
$ouput1 = shell_exec("cd ..");
$ouput2 = shell_exec("ls *ATMEXTRACT*");
echo($output2);
I am confused as to why this works directly in the command line but is failing in the script. Any help is much appreciated
Here's what you do interactively:
Run ssh root#website.com in the current shell
Input cd .. in ssh
Input ls *ATMEXTRACT* in ssh
Input exit in ssh, which now exits
Find yourself back in your original shell
Here's what you do in your script:
Run ssh root#website.com in a new shell and exit it
Run cd .. in a second shell and exit it
Run ls *ATMEXTRACT* in a third shell and exit it
You could try to open and interact with an ssh command, but you can also just save yourself the trouble and use ssh's command line feature for specifying the commands to run:
$output = shell_exec("ssh root#website.com 'cd .. && ls *ATMEXTRACT*'");
Be aware that this is likely to fail from a PHP website script because you need to set up an authentication mechanism. This true even if ssh root#website.com connects without a password when you manually log in to the web server and try it.
I would recommend you to use ssh2 module of PHP. This will help you to connect any remote server which is reachable through appropriate SSH PORT.
You will need to check, if few modules like OpenSSL and ssh2 are installed on your host server.
if not please check this https://ehikioya.com/install-ssh2-php/ and install above modules.
once these modules are installed and enabled.
follow this code.
$server="website.com";
$server_pwd="Password";
//creating connection using server credentials
$connection = ssh2_connect($server, 22);
//authenticating username and password
if(ssh2_auth_password($connection, 'root', $server_pwd)){
echo "connected"
}else{
echo "could not connect to server";
}
ssh2_exec($connection, "ls /FULL_PATH/ATMEXTRACT"); //run your command here
I'm trying to make a script where I can Git pull on my ubuntu server after push to Bitbucket repository. I've setup ssh keys to Bitbucket and it works to do git pull command on the repository but it doesn't work when I try it from php exec.
I've tried chmod commands like /.ssh/bitbucket_rsa like 775 and 777 and chown -R www-data:www-data/.ssh without any luck.
Response:
array (
0 => 'Host key verification failed.',
1 => 'fatal: Could not read from remote repository.',
2 => '',
3 => 'Please make sure you have the correct access rights',
4 => 'and the repository exists.',
)
Code:
public function gitPull() {
try {
exec("cd " . env("REPO_PATH") . " && git pull 2>&1", $output);
Log::info($output);
} catch (\Exception $e) {
Log::error($e);
}
http_response_code(200);
}
I guess you are stuck with the fact that the user www-data can not establish the SSH connection to the git server. I think the simplest was is to create a home directory for the www-data user and create a .ssh directory with the proper permissions, a config file and the key file in there. You could always test the setup as root with
# su - www-data
$ cd <to your repository>
$ git pull
Google for "SSH connections without password" to set it up correctly. And also be aware that SSH refuses to use a key file if the permissions are to loose.
Host key verification failed.
means that ssh could not verify the host key, most likely because there's no known_hosts file in www-data's home/.ssh directory that contains the expected host key for your repo's server.
There's at least two ways to fix that:
Use ssh-keyscan as described over on Serverfault.se:
ssh-keyscan -H [hostname] >> /path/to/www-data's_home_directory/.ssh/known_hosts
You only need to do that once (unless the key changes), but you should check that the key is indeed correct after you run ssh-keyscan.
Set the GIT_SSH_COMMAND environment variable before running git. You can use this to have ssh use a different known_hosts file:
export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/path/to/known_hosts"
Note that the above assumes shell syntax (e.g. Bash), you may need to adjust for PHP, particularly the export GIT_SSH_COMMAND= part.
I stack with the same problem working with github:
ssh-keyscan -t rsa github.com | tee github-key-temp | ssh-keygen -lf -
cat github-key-temp >> ~/.ssh/known_hosts
cat github-key-temp >> /etc/ssh/ssh_known_hosts
But that is not all, with next command you can check what is goes wrong (run it throught exec or shell_exec (save out put to some log):
ssh -vT git#github.com 2>&1
So, with help of privious command, i understand that in my case: cron run's command via php script, but duaring ssh connection it could not find my keysfile (i have custom name for that file):
cd /etc/ssh/ssh_config.d/
sudo touch <some_name>.conf
sudo echo 'IdentityFile ~/.shh/<custom_key_file_name>' > <some_name>.conf
Or try to add full path to location of your keyfile (~/ = current user home dir).
You can check cron user by runing, this can helps to:
shell_exec('whoami');
P.S. I have no idea if this solution is enough secure. but i think fine.
I have a problem doing Sudo command through SSH when connecting from php, but not connection from regular terminal
if i'm connecting on SSH to an AWS machine with Net_SSH2
$ssh = new Net_SSH2($instanceIp);
if ( ! $ssh->login('ec2-user', $key)) {
$logger->error('Login Failed');
}
I'll get this error: sudo: sorry, you must have a tty to run sudo
If I'm connecting directly from terminal
ssh -i ~/Path/to-file-key.pem ec2-user#111.111.11.111
So I can run any sudo command without problems.
I don't want to remove from /etc/sudoers (I don't want to have something to do on the server, I want it to be done by the connection)
Defaults requiretty
Is there a way to do it without that ?
Thanks for your help
If i may quote this article,
Red Hat systems (RHEL, Fedora...) have been known to require a TTY in default sudoers file. That provides no real security benefit and can be safely removed.
Red Hat have acknowledged the problem and it will be removed in future releases.
Therefore, it's safe to remove the "requiretty", that way you won't have a problem to execute sudo commands via SSH.
You may also try running ssh with the -t option(the repercussions of which you can find in the aforementioned article), it forces pseudo-tty allocation, so it might work. I don't know if there's a way to add that option to Net_SSH, but it should be OpenSSH based, so normally, you should.
Worst case scenario, you can allways run the ssh command via exec, but removing require tty seems to be the best option.
The phpseclib docs give an example of how to use sudo:
<?php
include('Net/SSH2.php');
$ssh = new Net_SSH2('www.domain.tld');
if (!$ssh->login('username', 'password')) {
exit('Login Failed');
}
echo $ssh->read('username#username:~$');
$ssh->write("sudo ls -la\n");
$output = $ssh->read('#[pP]assword[^:]*:|username#username:~\$#', NET_SSH2_READ_REGEX);
echo $output;
if (preg_match('#[pP]assword[^:]*:#', $output)) {
$ssh->write("password\n");
echo $ssh->read('username#username:~$');
}
http://phpseclib.sourceforge.net/ssh/examples.html#sudo
If you want to try to do it with $ssh->exec (it's not clear what you're doing since you didn't provide the full code in your post) you can do sudo visudo and then add an entry for the username / script that you're wanting to run. eg.
username ALL=(ALL) NOPASSWD: /path/to/script
Alternatively, you could do this:
echo "PASSWORD" | sudo -S /path/to/script
For more information google "sudo in a bash script"
So my first problem is that I'm hosting on GoDaddy.
Second problem is that when I try to execute the following PHP script via SSH...
./searchreplacedb2cli.php -h hostname -u username -d databasename -p 'password'
...I get a /usr/bin/php: bad interpreter: No such file or directory error. This is because on shared hosting, there is no /usr/bin/php. Instead, the php cli I want is located here:
/usr/local/php5_3/bin/php
So, I manually changed the shebang declaration in the script to...
#!/usr/local/php5_3/bin/php -q
...and sure enough, it works.
However, I don't want to have to edit this script manually. I'm looking for a way to circumvent this issue programmatically. I use this script to deploy Wordpress sites on the fly. I wget it from a git repository each time I use it. Furthermore it is deleted and installed regularly from a bash script, so modifying it in a text editor each time is not an option.
Is there a way to pass an alternate interpreter to a bash command? Like, "if you don't find the default interpreter, use this one instead".
I tried this but it doesn't work:
./searchreplacedb2cli.php -h hostname -u username -d databasename -p 'password' | /usr/local/php5_3/bin/php
And because it's shared hosting I lack the permissions to symlink /usr/bin/php to the right place.
My next idea was to, via bash, edit line 1 of the php script using a sed replace command. I thought I would inquire here first for alternatives. Thanks.
If it's only this host, add /usr/local/php5_3/bin/ to your $PATH, and use this shebang:
#!/usr/bin/env php
I'm trying to establish an interactive SSH connection to a remote server using PHP via the command line on Mac OS X 10.6. I'm currently using PHP's proc_open function to execute the following command:
ssh -t -t -p 22 user#server.com
This almost works. The -t -t options are supposed to force a pseudo terminal which they almost do. I am able to enter the SSH password and press enter. However, after pressing enter the terminal appears to simply hang. No output, no nothing - it's as if the SSH session has failed. I can't run commands or anything and have to kill the whole thing using Ctrl+C. I know the login is successful because I can execute a command like ssh -t -t -p 22 user#server.com "ls -la" and get the correct output.
I thought the problem must be related to the fact that I was using standard pipes in my proc_open call, so I replaced them with pty. I get the following error: "pty pseudo terminal not supported on this system..."
Does Mac OS X simply not support pty or pseudo terminals? (I'm pretty new at using all this shell terminology).
Here's the PHP code:
$descriptorspec = array(0 => array("pty"), 1 => array("pty"), 2 => array("pty"));
$cwd = getcwd();
$process = proc_open('ssh -t -t -p 22 user#server.com', $descriptorspec, $pipes, $cwd);
if (is_resource($process))
{
while (true)
{
echo(stream_get_contents($pipes[1]));
$status = proc_get_status($process);
if (! $status["running"])
break;
}
}
(Sorry - cannot for the life of me figure out SO's formatting instructions...)
What am I doing wrong? Why can't I use pty? Is this just impossible on Mac OS X? Thanks for your help!
You should use public key authentication rather than trying to programmatically bypass interactive password authentication.
The password prompt is supposed to be used from a tty and I believe it was made intentionally difficult to use otherwise. Also the -t -t argument only takes effect once you are connected to the remote host. And I don't believe the PHP function proc_open() can run a command inside a virtual terminal.
To setup public key authentication:
# Generate keypair
ssh-keygen -t rsa
# Copy public key to server
scp ~/.ssh/id_rsa.pub example.com:.ssh/authorized_keys
# Now you shouldn't be prompted for a password when connecting to example.com
# from this host and user account.
ssh example.com
# Since the web server (and thus PHP) probably has its own user account...
# Copy the ~/.ssh/id_rsa file somewhere else
cp ~/.ssh/id_rsa /some_path/id_rsa
# Change ownership of the file to the web server account
chown www-data:www-data /some_path/id_rsa
# Fix the file permissions (ssh ignore the keyfile if it is world readable)
chown 600 /some_path/id_rsa
# Try connecting to the server through the web server account
su -c "ssh -i /some_path/id_rsa -o UserKnownHostsFile=/some_path/known_hosts example.com" www-data
# Add the host to the known hosts file when prompted
Alternately, you could use plink (part of PuTTY for Linux) instead of OpenSSH as it can take the password on the command line plink -pw password example.com. But doing so presents a security risk as anyone who runs ps aux on the server can see the password in the process list.
There is also a program called sshpass that takes the password from an environment variable or command argument and passes it to ssh.
It looks like the problem is best solved using PHP's passthru() function. After alot more (rather painful) research I was able to issue a command through this function and could interact with the remote server through the terminal as if I had run ssh and svn export by hand (they both require passwords, therefore were good tests). What I'm going to have to do is construct a (potentially very long) string of commands separated by && and attach them to the end of the ssh command: ssh -t -t -p 22 hostname command1 && command2 ... The output will be sent to my terminal in Mac OS X even though the commands are being executed on the remote server. Looks like this is the solution I was looking for the whole time - pretty simple really! Thanks to everyone who helped me with this. I gave Alexandre the "green checkmark" because he was the only one who kept responding and was quite helpful in deducing the final answer to the problem. Thanks Alexandre!
This is old, but for any googlers out there, here is an actual solution using proc_open:
Pty descriptors are available in PHP, but have to be configured during compilation (see this 10yr old bug report https://bugs.php.net/bug.php?id=33147)
But in python however, we don't have that problem. So instead of running the ssh command directly, run this python script:
import sys
import pty
args = " ".join(sys.argv[1:])
pty.spawn(['/usr/bin/ssh', args])
About pty.spawn from python docs:
Spawn a process, and connect its controlling terminal with the current
process’s standard io. This is often used to baffle programs which
insist on reading from the controlling terminal.
Have you tried the PHP SSH2 extension?
Have you tried phpseclib, a pure PHP SSH implementation?:
<?php
include('Net/SSH2.php');
$ssh = new Net_SSH2('www.domain.tld');
if (!$ssh->login('username', 'password')) {
exit('Login Failed');
}
echo $ssh->read('username#username:~$');
$ssh->write("ls -la\n");
echo $ssh->read('username#username:~$');
?>
I wrote a ssh client on php with ssh2 extension, you can take a look to the source code on the github page https://github.com/roke22/PHP-SSH2-Web-Client
Please send some feedback.