Net::SSH::Perl failure via Apache

[perld]

Have a script using Net::SSH:erl that connects to remote machines and executes commands. Running the script via a shell as user apache returns as expected. When trying to run the script from a web browser (running as user apache) the script fails at the the line $session->login($user, $pass).

Debug output from the remote server shows the folloing during a successful connection attempt:

*** START ***
Oct 21 16:55:06 remotehost sshd[2880]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
Oct 21 16:55:06 remotehost sshd[2880]: debug1: inetd sockets after dupping: 3, 3
Oct 21 16:55:06 remotehost sshd[2880]: Connection from x.y.z.21 port 1023
Oct 21 16:55:06 remotehost sshd[2880]: debug1: Client protocol version 2.0; client software version 1.29
Oct 21 16:55:06 remotehost sshd[2880]: debug1: no match: 1.29
Oct 21 16:55:06 remotehost sshd[2880]: debug1: Enabling compatibility mode for protocol 2.0
Oct 21 16:55:06 remotehost sshd[2880]: debug1: Local version string SSH-2.0-OpenSSH_3.9p1
Oct 21 16:55:08 remotehost sshd[2880]: debug1: PAM: initializing for "root"
Oct 21 16:55:08 remotehost sshd[2880]: debug1: PAM: setting PAM_RHOST to "x.y.z.21"
Oct 21 16:55:08 remotehost sshd[2880]: debug1: PAM: setting PAM_TTY to "ssh"
Oct 21 16:55:08 remotehost sshd[2880]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Oct 21 16:55:08 remotehost sshd[2880]: debug1: trying public key file /root/.ssh/authorized_keys
Oct 21 16:55:08 remotehost sshd[2880]: debug1: matching key found: file /root/.ssh/authorized_keys, line 3
Oct 21 16:55:08 remotehost sshd[2880]: Found matching DSA key:
*** END ***

However, via the browser, the following debug log is produced:

*** START ***
Oct 21 16:53:10 remotehost sshd[1268]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
Oct 21 16:53:10 remotehost sshd[31443]: debug1: Forked child 1268.
Oct 21 16:53:10 remotehost sshd[1268]: debug1: inetd sockets after dupping: 3, 3
Oct 21 16:53:10 remotehost sshd[1268]: Connection from x.y.z.21 port 40015
Oct 21 16:53:10 remotehost sshd[1268]: debug1: Client protocol version 2.0; client software version 1.29
Oct 21 16:53:10 remotehost sshd[1268]: debug1: no match: 1.29
Oct 21 16:53:10 remotehost sshd[1268]: debug1: Enabling compatibility mode for protocol 2.0
Oct 21 16:53:10 remotehost sshd[1268]: debug1: Local version string SSH-2.0-OpenSSH_3.9p1
Oct 21 16:53:11 remotehost sshd[1268]: debug1: PAM: initializing for "root"
Oct 21 16:53:11 remotehost sshd[1268]: debug1: PAM: setting PAM_RHOST to "x.y.z.21"
Oct 21 16:53:11 remotehost sshd[1268]: debug1: PAM: setting PAM_TTY to "ssh"
Oct 21 16:53:11 remotehost sshd[1268]: debug1: do_cleanup
Oct 21 16:53:11 remotehost sshd[1268]: debug1: PAM: cleanup
*** END ***

As this all works fine at the shell, I'm a bit lost as to what the difference could be. Any pointers?

Regs.

Iain.

 

[feherke]

Hi

trying public key file /root/.ssh/authorized_keys

Hmm... Just a question. Are your Apache running as user nobody, or as a user without home directory ?

Feherke.

http://rootshell.be/~feherke/

 

[perld]

Apache is running as user 'apache' and has a homedir under /home. As mentioned, the script runs fine from shell. I can:

$ su - apache
$ ./script arg=value

...and all works great, pumping back all the HTML output as expected. It's only when the script is called via the httpd process (running as user apache) that it fails.

Regs.

Iain.

 

[feherke]

Hi

Then another possibility, the environment. Print the %ENV to a file at the begin of the script, run it both ways then compare the results.

Feherke.

http://rootshell.be/~feherke/

 

[perld]

Nothing really seems to jump out here...or do you see something??

*** START SHELL ***
HOME: /home/apache
LESSOPEN: |/usr/bin/lesspipe.sh %s
MAIL: /var/spool/mail/apache
PWD: /var/

http://www/cgi-bin

LANG: en_GB
USER: apache
LOGNAME: apache
G_BROKEN_FILENAMES: 1
HOSTNAME: hostname
SHLVL: 1
INPUTRC: /etc/inputrc
OLDPWD: /home/apache
_: ./pushmail3.pl
PATH: /sbin:
LS_COLORS: no=00:fi=00:di=00;34:ln=00;36i=40;33:so=00;35:bd=40;33;01:cd=40;33;01r
=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:
*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:
*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=
00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=
00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=
00;35:
SHELL: /bin/bash
HISTSIZE: 1000
TERM: xterm
*** END SHELL ***

And from the browser...

*** START CGI ***
<address>Apache/2.0.40 Server at hostname.mydomain Port 80</address>
:
HTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5
REMOTE_ADDR: x.y.z.54
HTTP_KEEP_ALIVE: 300
SERVER_PROTOCOL: HTTP/1.1
PATH: /sbin:
REQUEST_URI: /cgi-bin/pushmail3.pl
GATEWAY_INTERFACE: CGI/1.1
SERVER_ADDR: x.y.z.21
DOCUMENT_ROOT: /var/

http://www/html

HTTP_HOST: hostname.mydomain
UNIQUE_ID: 7tfpbMLMYBUAAF9@DYIAAAAG
*** END WEB ***

Regs.

Iain.

 

[feherke]

Hi

No HOME and USER. Maybe this become a problem when try to read the public key file. I would try to let them be passed or set them manually. But this is just a pale idea.

[gray]# first try[/gray]
PassEnv HOME USER

[gray]# otherwise[/gray]
SetEnv HOME /home/apache
SetEnv USER apache

Feherke.

http://rootshell.be/~feherke/

 

[perld]

Your 'pale idea' was spot on!

Added the following to the start of the script:

$ENV{HOME} = "/home/apache";
$ENV{USER} = "apache";

...and it all kicked in!

Many thanks.

Iain.