Boredworkers.com

For security purposes, most servers are usually locked up to allow access only via SSH. Setting up ssh-key for remote access to servers without password is simple. But what if you want to set up ssh-key access with user apache which is a pseudo user on most Linux installations and doesn’t have shell access? Ever tried to set up your webserver so it could run some automated scripts on a remote server via a web interface? If yes, then here’s the answer.

I was basically doing the same thing on my local network where I have several Linux RedHat Enterprise boxes and Sun Solaris boxes sitting together. I had a webserver on one of the Linux boxes but most of the other services I required was sitting on the Solaris platform. I sort of needed a web interface to dumb down the service and make the back end operations transparent to the end user. So I did the unthinkable and broke all security controls using ssh-key for apache. Don’t try this unless you’re sure the security’s not an issue :)

First, let’s walk through the basic steps of setting up ssh-key for a normal user. For this example, we’ll be using the following parameters:

• Main Server Name: X
• Main Server User: dummyX
• Remote Server Name: Y
• Remote Server User: dummyY

1. Login to the server as the user you would like to create the ssh-key for.
2. Generate the ssh-key authentication key. Use the default file location and leave empty when prompted for passphrase.
   [dummyX@X ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/dummyX/.ssh/id_rsa):
Created directory '/home/dummyX/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/dummyX/.ssh/id_rsa.
Your public key has been saved in /home/dummyX/.ssh/id_rsa.pub.
The key fingerprint is:
3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4 dummyX@X
3. Create a directory ~/.ssh as user dummyY on server Y. Enter dummyY’s password when prompted.
   [dummyX@X ~]$ ssh dummyY@Y mkdir -p .ssh
dummyY@Y's password:
4. Append dummyX’s public key to dummyY@Y:.ssh/authorized_keys and enter dummyY’s password again:
   [dummyX@X ~]$ cat .ssh/id_rsa.pub | ssh dummyY@Y 'cat >> .ssh/authorized_keys'
dummyY@Y's password:
5. Once done, test the set up. You’ll see that you can now run ssh commands without being prompted for the user password:
   [dummyX@X ~]$ ssh dummyY@Y hostname
Y

In order to set up ssh-key for apache, you’ll do the same steps as a normal user but you’ll require root access on your webserver installation. Here’s what you do.

1. Change user to root:
   sudo su - root
2. Create a .ssh directory on the apache home (/var/www) and change ownership to apache user:
   [root@X ~]$ mkdir /var/www/.ssh
[root@X ~]$ chown -R apache:nobody /var/www/.ssh
3. Generate the ssh-key authentication key as user apache using sudo. Use the default file location and leave empty when prompted for passphrase.
   [root@X ~]$ sudo -u apache ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/var/www/.ssh/id_rsa):
Created directory '/var/www/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/www/.ssh/id_rsa.
Your public key has been saved in /var/www/.ssh/id_rsa.pub.
The key fingerprint is:
3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4 apache@X
4. Append apache’s public key to dummyY@Y:.ssh/authorized_keys and enter dummyY’s password again:
   [root@X ~]$ sudo -u apache cat .ssh/id_rsa.pub | ssh dummyY@Y 'cat >> .ssh/authorized_keys'
dummyY@Y's password:
5. Once done, test the set up. You’ll see that you can now run ssh commands without being prompted for the user password:
   [dummyX@X ~]$ sudo -u apache ssh dummyY@Y hostname
Y

And to test your setup using php/shell combination. Create a php test file:
<?php // test.php:
echo "Running test.sh from test.php"
echo shell_exec("test.sh");
?>

And a test shell file (don’t forget to grant executable access to apache):
# test.sh:
echo "USER: `id -un`"
echo "HOST: `hostname`"
echo "REMOTE USER: `ssh dummyY@Y id -un`"
echo "REMOTE HOST: `ssh dummyY@Y hostname`"

If you point your browser to test.php, you should see the following output displayed:
Running test.sh from test.php using apache user
USER: apache
HOST: X
REMOTE USER: dummyY
REMOTE HOST: Y

With the authentication keys properly set up for ssh access, you’ll be able to perform ssh commands as well as other ssh based operations (e.g. sftp and scp) without being prompted for a user password. And if you set up the same for your apache user, you’ll be able to create a simple web interface to access all your automation scripts. Have fun :)