Running an ssh command from an Apache web server
Running a shell script on another server from the web server?
Please note that this setup can cause security issues. Do a security vulnerability assessment before implementing it.
master.company.com : server where the Apache web server is running
datanode.company.com : server whose details are fetched via ssh from the web server
Main Tasks
1. Setup Apache webserver
2. Create script in master and client server
3. Make 'password less' ssh from master to client for apache user
4. Disable SELINUX
5. Run cgi as apache user
6. Run cgi from browser
1. Setup Apache webserver
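2. Create script in master and client server
2.1 Create runonother.cgi in master
vi runonother.cgi
#!/bin/bash
# CGI header, followed by the empty line that ends the headers
echo "Content-type: text/html"
echo ""
echo "<html><head><title>RUN ON OTHER SERVER "
echo "</title></head><body>"
echo "<h4> current server is $(hostname) </h4>"
# Collect the remote output in a private temporary file; a name built only from
# the timestamp is predictable and is shared by requests arriving in the same second
FILENAME=$(mktemp /tmp/cgi.XXXXXX)
SERVERS="datanode.company.com"
# other servers can be added, separated by spaces
USR="hduser"
command="/home/hduser/getstatus.sh"
# Run the status script on every server and append its output
for host in $SERVERS
do
    ssh "$USR@$host" "$command" >> "$FILENAME"
done
echo "<pre>"
cat "$FILENAME"
echo "</pre>"
echo "</body></html>"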
2.2 Create getstatus.sh in client
vi getstatus.sh
#!/bin/bash
# Report the hostname, the logged-in users and the disk usage of this server
echo " Hostname is $(hostname) "
echo " ..................."
echo " Loged in users "
w
echo " ..................."
echo "HD space "
df -h
3. Make 'password less' ssh from master to client for apache user
3.1 Enable login for apache user
vi /etc/passwd
Edit from
apache:x:48:48:Apache:/var/www:/bin/nologin
to
apache:x:48:48:Apache:/var/www:/bin/bash
3.2 Make .ssh folder
mkdir /var/www/.ssh
chown apache:apache /var/www/.ssh
3.3 Log in as apache user and create an ssh key, then copy it to the client
su - apache
cd .ssh
ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub hduser@datanode
Snapshot
-bash-4.1$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/var/www/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/www/.ssh/id_rsa.
Your public key has been saved in /var/www/.ssh/id_rsa.pub.
The key fingerprint is:
91:f4:85:b6:99:2a:80:a1:36:ee:88:b9:d0:36:8a:4d apache@master.company.com
The key's randomart image is:
-bash-4.1$ ssh-copy-id -i ~/.ssh/id_rsa.pub hduser@datanode
The authenticity of host 'datanode (172.16.102.139)' can't be established.
RSA key fingerprint is cd:00:f1:b2:b1:50:e9:54:4e:ca:5f:9d:c8:ae:4e:e1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'datanode,172.16.102.139' (RSA) to the list of known hosts.
hduser@datanode's password:
Now try logging into the machine, with "ssh 'hduser@datanode'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
-bash-4.1$
3.4 Verify passwordless login to client by apache user
ssh hduser@datanode.company.com
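Added example, not part of the original post: the key copied in step 3.3 lets the apache user open a full shell as hduser. This sketch, meant for datanode, turns such a key line into an authorized_keys entry limited to getstatus.sh and lists entries that carry no options at all; the sample key, the helper names and the optional from= pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Intended to run on datanode as hduser.
FORCED_CMD="/home/hduser/getstatus.sh"   # script path taken from the post
OPTS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
NL='
'

# is_key_type TOKEN: succeeds if TOKEN names a public key algorithm.
is_key_type() {
    case "$1" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp*) return 0 ;;
        *) return 1 ;;
    esac
}

# restrict_key PUBKEY_LINE [FROM_PATTERN]   (hypothetical helper)
# Prints an authorized_keys entry that limits the key to FORCED_CMD.
# Fails unless PUBKEY_LINE is a single bare "type base64 [comment]" line.
restrict_key() {
    case "$1" in *"$NL"*) return 1 ;; esac
    set -f                          # no globbing while the line is split
    set -- "${2:-}" $1              # $1=from pattern, $2=type, $3=blob, rest=comment
    set +f
    from="$1"; ktype="${2:-}"; blob="${3:-}"
    is_key_type "$ktype" || return 1
    case "$blob" in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    shift 3
    comment="$*"
    prefix=""
    if [ -n "$from" ]; then prefix="from=\"$from\","; fi
    printf '%scommand="%s",%s %s %s%s\n' "$prefix" "$FORCED_CMD" "$OPTS" \
        "$ktype" "$blob" "${comment:+ $comment}"
}

# list_bare_keys: reads authorized_keys content on stdin and prints every entry
# with no options field (the form ssh-copy-id appends in step 3.3).
# Exit status is 0 when none are found, 1 otherwise.
list_bare_keys() {
    bare=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        set -f; set -- $entry; set +f
        if is_key_type "${1:-}"; then printf '%s\n' "$entry"; bare=1; fi
    done
    return "$bare"
}

# Constructed sample, not a real key: the line step 3.3 adds for the apache user.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample apache@master.company.com'
restrict_key "$SAMPLE_KEY"
```

With the forced command in place, sshd runs getstatus.sh whatever command the client requests, so runonother.cgi keeps working unchanged. A from= pattern given as a hostname only matches when sshd resolves client names (UseDNS); otherwise use an address.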
4. Disable SELINUX
4.1 As root, disable SELinux enforcement (this sets SELinux to permissive mode until the next reboot)
echo 0 > /selinux/enforce
5. Run cgi as apache user
5.1 Log in as apache user
su - apache
cd /var/www/cgi-bin
./runonother.cgi
It should produce valid output without asking for a username and password.
-bash-4.1$ ./runonother.cgi
Content-type: text/html
<html><head><title>RUN ON OTHER SERVER
</title></head><body>
<h4> current server is master.company.com </h4>
<pre>
Hostname is datanode.company.com
...................
Loged in users
14:52:24 up 46 min, 1 user, load average: 0.01, 0.02, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 172.16.102.1 14:25 16:48 0.07s 0.03s -bash
...................
HD space
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_datanode-lv_root
18G 3.8G 13G 24% /
tmpfs 491M 0 491M 0% /dev/shm
/dev/sda1 477M 63M 385M 15% /boot
</pre>
</body></html>
6. Run cgi from browser
You can try to implement two-way SSL, which will provide security.