remote invocation for any user


james.bruckmann

Hello perl gurus,

I have a big problem with the following program:
DCC.pl
....
# $IP and $user come straight from the two GUI fields
my $cmd = "ssh operator\@192.168.12.12 /usr/local/bin/CCD.pl $IP $user\n";
system($cmd);

It works perfectly for the operator user. It invokes on another box
the specified program CCD.pl with the correct parameters. Both boxes
are Suns running Solaris 8 and OpenSSH, and I have run ssh-keygen -t
rsa to generate public and private keys and used these to ensure that ssh
works without a password.

The two parameters are entered by the user in a GUI over which I don't
have a lot of control.

The _big_ problem is that lots of different users need to log into the
GUI and this remote invocation only works for the operator user.

If you have an idea on a possible solution then please post it!!

TIA

James
 

Tim Greer

How is it failing for the other (non operator) users? Did you test this
from a non operator user's shell to rule out this being a Perl related
issue? Are you sure you don't want to enclose the command and
arguments in double quotes for the ssh call? Are you sure you want to
allow any user access to blindly pass a command over a trusted SSH key
to another server, where your code looks like it'll allow them to break
out of that command and pass other commands and arguments? I.e.,
"/path/to/program argument; /bin/rm -rf /" (as an example). I hope
you're doing some sanity and security checks if you are going to let
just anyone enter commands and arguments.
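Tim's break-out example carried through in code. This is an added example and not code from the thread: it prints what the remote login shell receives from the interpolated command in DCC.pl for a benign and a hostile pair of GUI values, and then builds the same ssh call the hardened way, with system()'s list form and allow-list validation of the two fields. The host, account, script and argument names are taken from the original post; the validation rules, the helper names and the sample inputs are assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the thread): why the interpolated system() call in
# DCC.pl is injectable, and one way to harden it.  Host, account and script
# names are from the original post; everything else is illustrative.
use strict;
use warnings;

# What the remote shell would see for a given pair of GUI inputs.  ssh joins
# its trailing arguments with spaces and hands the string to the login shell
# of 'operator' on the target, so even the list form of system() does not
# protect the remote side by itself; only validation or quoting does.
sub remote_command_line {
    my ($ip, $user) = @_;
    return "/usr/local/bin/CCD.pl $ip $user";
}

# Allow-list checks for the two GUI fields (assumed rules).  Anything that is
# not a dotted-quad IPv4 address or a plain POSIX-style account name is
# rejected: the check returns nothing instead of passing the value on.
sub valid_ip {
    my ($ip) = @_;
    return unless defined $ip
        && $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    for my $octet ($1, $2, $3, $4) {
        return if $octet > 255;
    }
    return $ip;
}

sub valid_user {
    my ($user) = @_;
    return unless defined $user && $user =~ /\A[a-z_][a-z0-9_-]{0,31}\z/;
    return $user;
}

# Build the argument list for system() in list form.  No shell is involved on
# the local side, and the remote command is single-quoted so the target's
# shell treats each validated field as one literal word.  BatchMode=yes makes
# ssh fail instead of prompting when no usable key is available.
sub build_ssh_argv {
    my ($ip, $user) = @_;
    my $safe_ip   = valid_ip($ip)     or die "rejected IP address\n";
    my $safe_user = valid_user($user) or die "rejected user name\n";
    return ('ssh', '-o', 'BatchMode=yes', 'operator@192.168.12.12',
            "/usr/local/bin/CCD.pl '$safe_ip' '$safe_user'");
}

# Constructed inputs: a benign pair and a "; rm -rf" style break-out.
my @cases = (
    ['10.0.0.5', 'alice'],
    ['10.0.0.5', 'alice; /bin/rm -rf /'],
);
for my $case (@cases) {
    my ($ip, $user) = @$case;
    print "GUI input: ip='$ip' user='$user'\n";
    print "  unvalidated remote line: ", remote_command_line($ip, $user), "\n";
    my @argv = eval { build_ssh_argv($ip, $user) };
    if (@argv) {
        print "  hardened argv: ", join(' | ', @argv), "\n";
        # system(@argv) == 0 or die "ssh failed: $?\n";   # the real call
    } else {
        print "  hardened build refused: $@";
    }
}
```

Two points the output makes visible: the list form of system() removes the local shell, but ssh still hands the remote command to a shell on 192.168.12.12, so the quoting and the allow-list are what protect the target. And if the hang reported for non-operator users is ssh waiting for a password on an account that has no key (an assumption, not something the thread confirms), BatchMode=yes turns that into an immediate failure the script can report instead of a frozen GUI.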
 

sln

I'm not a Linux user so this is just speculation.
Are you saying different people log onto your box and use the same
DCC.pl script?

Would you have to generate rsa keys for those users and then
change to: $cmd = "ssh $user\@192.168.12.12 /usr/local/bin/CCD.pl $IP $user";

http://news.softpedia.com/news/How-to-Use-RSA-Key-for-SSH-Authentication-38599.shtml

Not sure.

sln
 

james.bruckmann

> --
> Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.

Thanks for your interest!

> How is it failing for the other (non operator) users?

It just hangs the GUI.

> Did you test this from a non operator user's shell to rule out this being a Perl related issue?

I did invoke DCC.pl from the shell; that hangs too.

> Are you sure you don't want to enclose the command and arguments in double quotes for the ssh call?

Hmmm, backslashed double quotes it would need, I guess. I could do
that, but it works OK without, at least for the operator user.

> Are you sure you want to allow any user access to blindly pass a command over a trusted SSH key to another server,

Good question, but yes I am sure. Users don't normally have access to
the command line, and if they had bad intent as a non-root user they
could pose more of a risk on the originating box than the target box.
And actually there are only a few users, and they are the good
guys ;-).
So I really do want any user to be able to use the functionality.
 

james.bruckmann

That is a very interesting and logical idea, but the users that exist
on the source box generally do not exist on the target box, so it
would involve creating users on the target box, creating keys and
copying the pub key - sadly not feasible.
Very nice try, thanks!
I am now wondering about a setuid perl prog that morphed into the
operator user and could then read the key with 600 perms on - but I
don't know how to do that or even if it is possible..
 

Tim Greer

> Thanks for your interest!
> I did invoke DCC.pl from the shell; that hangs too.

So it hangs regardless of the GUI or executing the script in shell. To
be clear, did you run the command outside of the Perl script in shell
to execute it on the other server? How about running it from another
shell (such as the operator user, if that user has an account/shell
access)?

> Hmmm, backslashed double quotes it would need, I guess. I could do
> that, but it works OK without, at least for the operator user.

Escaping with a backslash probably won't do what you think it'll do.

> Good question, but yes I am sure. Users don't normally have access to
> the command line, and if they had bad intent as a non-root user they
> could pose more of a risk on the originating box than the target box.
> And actually there are only a few users, and they are the good
> guys ;-).
> So I really do want any user to be able to use the functionality.

That sounds dangerous. If you allow system() to run anything any user
on a GUI can pass to it, it risks the local account, as well as the
remote one, since you are invoking an SSH (with a trusted key) to log
in and run God knows what commands on the remote system as well. I'm
simply encouraging you to be cautious, not just for your sake, but
because you can open your system to be the source of attacks on other
networks, if you are able to connect out from either of those systems
(and then it becomes the problem of other people, too).
 

Tim Greer

> I am now wondering about a setuid perl prog that morphed into the
> operator user and could then read the key with 600 perms on - but I
> don't know how to do that or even if it is possible..

I feel I should warn you about suid programs and the methods you want to
use, especially what with the "anyone can access" the GUI to pass
commands (which you don't know what those will be) aspect. If you are
running the GUI from a CGI script, consider using the SuEXEC wrapper
(if you use Apache), rather than suid/sgid solutions, and always do
appropriate checks on the data passed. It's not that what you want to
do can't be done in a reliable and secure manner, but it just doesn't
seem to be at this time, the way you're doing it.
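The underlying need in the thread is that every GUI user reaches CCD.pl through the operator key without a setuid DCC.pl. The usual alternative to suid here is to restrict the key itself on the target with an OpenSSH forced command: whoever ends up holding that key can then only trigger CCD.pl with checked arguments, nothing else. What follows is an added example, not code from the thread or from any poster: the authorized_keys line for 192.168.12.12 and the gate script it points at, written in Perl, which validates the client's request from $SSH_ORIGINAL_COMMAND and execs CCD.pl directly. The wrapper name ccd-gate.pl, its location, the key restrictions and the validation rules are assumptions; CCD.pl and its two arguments are from the original post.

```perl
#!/usr/bin/perl
# Added example (not from the thread): ccd-gate.pl, a forced-command wrapper
# for the operator key on 192.168.12.12.  The wrapper name and the checks
# are assumptions; CCD.pl and its two arguments come from the original post.
#
# On the target, prefix the key DCC.pl uses in ~operator/.ssh/authorized_keys:
#   command="/usr/local/bin/ccd-gate.pl",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...
# sshd then runs this wrapper no matter what the client asked for, and hands
# the client's request over only as the SSH_ORIGINAL_COMMAND variable.
use strict;
use warnings;

use constant CCD => '/usr/local/bin/CCD.pl';

# Decide whether the requested command is exactly "CCD.pl <ip> <user>" with
# well-formed arguments.  Returns the argument list to exec, or dies with a
# reason; nothing from the request is ever handed to a shell.
sub gate {
    my ($request) = @_;
    die "no command supplied\n" unless defined $request && length $request;

    # Three whitespace-separated words and nothing more.  A "; rm -rf /"
    # style break-out adds words, so it fails here before anything else.
    my @words = split ' ', $request;
    die "unexpected command shape\n" unless @words == 3;
    my ($script, $ip, $user) = @words;

    # Accept the single-quoted form a careful client sends, then check the
    # bare values against allow-lists (assumed rules).
    s/\A'(.*)'\z/$1/ for ($ip, $user);

    die "wrong program requested\n" unless $script eq CCD;
    die "bad IP address\n"
        unless $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/
            && !grep { $_ > 255 } ($1, $2, $3, $4);
    die "bad user name\n" unless $user =~ /\A[a-z_][a-z0-9_-]{0,31}\z/;

    return (CCD, $ip, $user);
}

# Offline check with constructed requests: run "ccd-gate.pl --selftest".
if (@ARGV && $ARGV[0] eq '--selftest') {
    for my $request ("/usr/local/bin/CCD.pl '10.0.0.5' 'alice'",
                     "/usr/local/bin/CCD.pl 10.0.0.5 'alice; /bin/rm -rf /'",
                     "/usr/local/bin/CCD.pl 10.0.0.5 alice\$(id)",
                     "/bin/sh -i") {
        my @argv = eval { gate($request) };
        print "[$request] => ", (@argv ? "run: @argv\n" : "refused: $@");
    }
    exit 0;
}

# Normal path under sshd.
my $request = $ENV{SSH_ORIGINAL_COMMAND};
my @argv = eval { gate($request) };
if (!@argv) {
    my $reason = $@;
    chomp $reason;
    # A refused request is either a client bug or an attack; log it either way.
    warn "ccd-gate: refused [" . (defined $request ? $request : '') . "]: $reason\n";
    exit 1;
}
exec { $argv[0] } @argv or die "ccd-gate: exec failed: $!\n";
```

With this in place the source box can let any GUI user invoke ssh with the operator key, because the worst a copied or misused key can do is run CCD.pl with an IP and an account name that pass the checks. The checks on the target still matter even if DCC.pl validates its own input, since the key, not DCC.pl, is what the target trusts. The selftest mode runs the gate against constructed requests so the refusals can be seen without sshd; under sshd only the last block runs.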
 

Todd Wade

Write a program that runs CCD.pl and stores the output in a local
file. Run this program regularly from the operator user's crontab.
Then modify DCC.pl to read the data from the local file instead of
running the command directly.

The fresher the data needs to be the more frequently you have cron run
the CCD.pl wrapper.

Regards,

Todd W.
 
