Net::SSH::Perl security question

Discussion in 'Perl Misc' started by Joe, Nov 30, 2007.

  1. Joe

    Joe Guest

    We have a need to allow users to submit a job through a web server
    (front end machine) to run on back end cluster machines. I made use of
    Net::SSH::Perl in a CGI program to realize this. One thing I notice
    is that the CGI program requires a "/.ssh/known_hosts2" at the top
    path of the file system on the front end machine where Apache is
    running. I wonder does this potentially compromise any security on the
    system? Need expert advice ...

    Thanks in advance!

    Joe
    Joe, Nov 30, 2007
    #1

  2. J. Gleixner

    J. Gleixner Guest

    Joe wrote:
    > We have a need to allow users to submit a job through a web server
    > (front end machine) to run on back end cluster machines. I made use of
    > Net::SSH::Perl in a CGI program to realize this. One thing I notice
    > is that the CGI program requires a "/.ssh/known_hosts2" at the top
    > path of the file system on the front end machine where Apache is
    > running. I wonder does this potentially compromise any security on the
    > system? Need expert advice ...


    Nothing to do with perl, however, the answer to your question is "No."

    For more details, read the documentation for ssh:

    man ssh

    or discuss in a security/ssh related newsgroup.

    Also, the CGI program doesn't require it, SSH is what uses/creates it.
    Furthermore, the directory should be under the username running
    the Apache process, not under root ( '/' ).
    J. Gleixner, Nov 30, 2007
    #2

  3. On Fri, 30 Nov 2007 08:49:39 -0800, Joe wrote:

    > We have a need to allow users to submit a job through a web server
    > (front end machine) to run on back end cluster machines. I made use of
    > Net::SSH::Perl in a CGI program to realize this. One thing I notice is
    > that the CGI program requires a "/.ssh/known_hosts2" at the top path of
    > the file system on the front end machine where Apache is running. I
    > wonder does this potentially compromise any security on the system?
    > Need expert advice ...


    Just guessing but....

    The CGI is probably looking for $HOME/.ssh/known_hosts2. Which means that
    either the HOME variable is not filled, or the user has / as his homedir.

    M4
    Martijn Lievaart, Nov 30, 2007
    #3
  4. Joe

    Joe Guest

    On Nov 30, 12:28 pm, Martijn Lievaart <> wrote:

    > The CGI is probably looking for $HOME/.ssh/known_hosts2. Which means that
    > either the HOME variable is not filled, or the user has / as his homedir.
    >
    > M4


    Thanks for the clue -- Just found out that when the web server's
    account is set to "/bin/nologin" or "/bin/false", the account's "HOME"
    becomes "/". When it's set to a shell, the home dir is properly
    identified.

    This might be a web server question, but since we are here -- how may
    I "cheat" in the perl/CGI program in order to designate an env $HOME
    variable? (I tried a few options from within perl/CGI to "setenv" but
    never got it right; also had no luck with Google on this).

    Thanks in advance,

    Joe
    Joe, Dec 1, 2007
    #4
  5. Ben Morrow

    Ben Morrow Guest

    Quoth Joe <>:
    > On Nov 30, 12:28 pm, Martijn Lievaart <> wrote:
    >
    > > The CGI is probably looking for $HOME/.ssh/known_hosts2. Which means that
    > > either the HOME variable is not filled, or the user has / as his homedir.

    >
    > This might be a web server question, but since we are here -- how may
    > I "cheat" in the perl/CGI program in order to designate an env $HOME
    > variable?


    $ENV{HOME} = '...';

    It might be better to do it in a BEGIN block, in case something checks
    it at use time, and you can extract the correct value from /etc/passwd
    (or equivalent) using User::pwent:

    use User::pwent;

    BEGIN { $ENV{HOME} = getpwuid($<)->dir }

    Ben
    Ben Morrow, Dec 1, 2007
    #5
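
An added example, not part of the thread or any poster's code, extending the BEGIN-block approach above: it resolves the home directory from the passwd database, refuses to continue if that directory is "/" (the situation described earlier in the thread) or if its .ssh directory is not owned by the CGI user or is writable by others, and only then sets HOME. The helper name safe_home is hypothetical.

```perl
#!/usr/bin/perl
# Added example: pin HOME for a CGI program before any SSH module loads,
# and refuse to run if known_hosts would end up under "/" or in a
# directory other accounts can modify.
use strict;
use warnings;
use User::pwent;        # object-returning getpwuid
use File::stat;         # object-returning stat
use Fcntl ':mode';      # S_ISDIR, S_IWGRP, S_IWOTH

# safe_home (hypothetical helper): return the passwd home directory for
# $uid, or die with a diagnostic if it is unsuitable for SSH host keys.
sub safe_home {
    my ($uid) = @_;

    my $pw = getpwuid($uid) or die "no passwd entry for uid $uid\n";
    my $home = $pw->dir;

    # The case from the thread: no usable home, so files land in /.ssh
    die "home directory for ", $pw->name, " is unset or '/'\n"
        if !defined $home || $home eq '' || $home eq '/';

    my $ssh_dir = "$home/.ssh";
    my $st = stat($ssh_dir) or die "$ssh_dir: $!\n";

    die "$ssh_dir is not a directory\n"      unless S_ISDIR($st->mode);
    die "$ssh_dir is not owned by uid $uid\n" unless $st->uid == $uid;
    die "$ssh_dir is group/world writable\n"
        if $st->mode & (S_IWGRP | S_IWOTH);

    return $home;
}

# Runs at compile time, so HOME is already set when later "use" lines
# (for example the SSH module) are processed.
BEGIN { $ENV{HOME} = safe_home($<) }

# Load the SSH module only after this point, e.g.:
#   use Net::SSH::Perl;
```
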
  6. On Fri, 30 Nov 2007 16:30:13 -0800, Joe wrote:

    > On Nov 30, 12:28 pm, Martijn Lievaart <> wrote:
    >
    >> The CGI is probably looking for $HOME/.ssh/known_hosts2. Which means
    >> that either the HOME variable is not filled, or the user has / as his
    >> homedir.
    >>
    >> M4

    >
    > Thanks for the clue -- Just found out that when the web server's account
    > is set to "/bin/nologin" or "/bin/false", the account's "HOME" becomes
    > "/". When it's set to a shell, the home dir is properly identified.
    >
    > This might be a web server question, but since we are here -- how may I
    > "cheat" in the perl/CGI program in order to designate an env $HOME
    > variable? (I tried a few options from within perl/CGI to "setenv" but
    > never got it right; also had no luck with Google on this).


    The home directory can be set normally, probably choosing a shell gives a
    suitable default. Consult your system's documentation about modifying
    users.

    HTH,
    M4
    Martijn Lievaart, Dec 1, 2007
    #6