
I have a DMZ with a web server running Ubuntu 11.04 and an application server running Ubuntu 11.10. I have set things up so that I can scp from the web server to the application server by running

ssh-keygen
ssh-copy-id peter@192.168.1.6

where 192.168.1.6 is the local IP address of the app. server and peter is my login account name. However, I would like to copy the files in response to a call through a LAMP-based web site using a command in a PHP file. My problem is that the "user" of my web applications is www-data which is not a real user so I cannot create keys for it.

I tried the procedure outlined here. I then did

su
su www-data

on the web server (I guess the "server" per the Berkeley discussion). Unfortunately, I still get asked for the password when I try to scp to the application server/client.

I tried

scp -vv /var/www/Src/*.txt 192.168.1.6:/var/www/Dest

The output was much the same as when I (successfully) scp from the peter account. However, these last few lines are different.

debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: /var/www/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering ECDSA public key: /var/www/.ssh/id_ecdsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
www-data@192.168.1.6's password: 

I would be most grateful if someone could tell me, or help me find, where the problem lies.

OtagoHarbour
    Why do you want to use that particular account? There is real danger in granting that deliberately restricted account such access. I strongly suggest you reconsider what you are trying to do. I'm sure there will be a better and safer way. – John Gardeniers Aug 25 '12 at 22:20
  • When the visitor wants to upload a set of files, they are uploaded to the web server using InAFlash. I want to then scp them to the application server. This is so there is no communication with the application server except through the web server. Some people have suggested a cron job but that way the user has to wait until the cron job runs unless it runs all the time which would really tie up resources. Thanks, Peter. – OtagoHarbour Aug 25 '12 at 22:58
  • I'd suggest using a utility to monitor the folder for changes and then having it trigger the transfer using an account set up for that one purpose. That way you get the desired results without the problems. – John Gardeniers Aug 25 '12 at 23:09
  • That seems a bit like a continuous cron job. Another problem with that is that I would like the files to be copied to the web user's own directories on the application server and sometimes make the directories for the files. – OtagoHarbour Aug 25 '12 at 23:48
  • It's not a cron job at all. There are a number of utilities which monitor folders for changes, which use triggers supplied by the OS itself and do not run on a schedule. As for the rest, that's easily achievable with a little scripting and appropriate permissions. – John Gardeniers Aug 26 '12 at 02:11
  • Would you recommend inotify? Thanks, Peter. – OtagoHarbour Aug 26 '12 at 19:12
  • I'll leave this to those more expert in Linux than I am. I know it's possible on all operating systems but I've only done it on Windows, where I write my own utilities. – John Gardeniers Aug 26 '12 at 21:44

3 Answers


Having read the link you gave: make sure you use authorized_keys, not authorized_keys2. The latter has been deprecated for years and did not work at all in some versions of OpenSSH.

The easiest way to diagnose this is with a debugging instance of the SSH server. On the server, run:

# /usr/sbin/sshd -ddep 2222

... which runs the SSH daemon in debug mode, listening on port 2222. Redo your scp command with:

$ scp -o port=2222 ...

... and see what the server says.

To John's security concerns: if you decide to continue using the www-data account, you can limit its key to only certain actions (such as transferring certain files) using a "forced command" option in authorized_keys.

  • sshd could not be found on my server. "scp -o port=222 /var/www/Src/*.txt 192.168.1.6:/var/www/Dst" resulted in "ssh: connect to host 192.168.1.10 port 2222: Connection refused". I tried entering "sudo iptables -A INPUT -p tcp --dport 222 -j ACCEPT" on the application (destination server). No error messages but it did not fix the problem. The connection was still refused. Thanks, Peter. – OtagoHarbour Aug 26 '12 at 19:16

You said you have tried

    scp -vv /var/www/Src/*.txt 192.168.1.6:/var/www/Dest

But the key you would like to use does not appear anywhere. Try:

    scp -vvv -i /path/to/private/key /var/www/Src/*.txt 192.168.1.6:/var/www/Dest

Anyway, you should make sure your connection is restricted to this specific command. I am not sure SCP provides ways to restrict commands (such as a forced command with SSH). I would then instead use SSH over rsync to make sure only an rsync command would be launched. This provides basically the same service as scp, but your key can then be tagged with a forced command, which may be safer.

philippe
  • If I use the 3 "v"s -vvv I get "debug1: connect to address 192.168.1.6 port 22: No route to host". Thanks, Peter – OtagoHarbour Aug 26 '12 at 22:17
  • Then this is not a problem with SSH but with the network itself. If you run `route -n`, is your SSH server included in any subnets? Or is it reachable by your default gateway? Otherwise, there is no route to your server from your client. No protocol would allow any communication; try to ping to realize it. – philippe Aug 26 '12 at 22:49
  • I can ping to it and also scp as peter but not as www-data. Thanks, Peter. – OtagoHarbour Sep 01 '12 at 02:07
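A least-privilege version of the forced-command idea raised in the two answers above (restricting the www-data key to rsync or scp uploads into one directory on the application server), written here as an added example and not taken from either answer; the script path, the /var/www/Dest directory and the authorized_keys line are assumptions.

```shell
#!/bin/sh
# Constructed forced-command wrapper for the www-data key on the application
# server (not from the original answers). Installed via an authorized_keys
# line like the following (key material is a placeholder):
#   command="/usr/local/bin/upload-only.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER www-data@webserver
# sshd ignores whatever the client asked for, runs this script instead, and
# exposes the requested command in SSH_ORIGINAL_COMMAND.

UPLOAD_DIR=/var/www/Dest   # assumed upload directory on the application server

# check_command CMD: return 0 if CMD is an upload into UPLOAD_DIR, 1 otherwise.
check_command() {
    cmd=$1
    # Reject anything that could leave the directory, smuggle extra commands,
    # or turn the transfer around (rsync --sender / scp -f read files back).
    case "$cmd" in
        *..*|*';'*|*'|'*|*'&'*|*'`'*|*'$('*|*--sender*|*' -f '*) return 1 ;;
    esac
    case "$cmd" in
        # "rsync -a src/ host:/var/www/Dest" makes the server side run
        # "rsync --server <flags> . /var/www/Dest"; require that destination.
        "rsync --server "*" $UPLOAD_DIR"|"rsync --server "*" $UPLOAD_DIR/"*) return 0 ;;
        # scp's remote sink mode: "scp -t /var/www/Dest" (or "scp -r -t ...").
        "scp "*"-t $UPLOAD_DIR"|"scp "*"-t $UPLOAD_DIR/"*) return 0 ;;
    esac
    return 1
}

# Dispatch only when sshd supplied a command; a plain login request leaves
# SSH_ORIGINAL_COMMAND unset, so nothing runs and the session closes.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        # Intentionally unquoted: word-split into argv, no shell re-parsing.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "upload-only key: command not permitted" >&2
    exit 1
fi
```

With this in place the web server's key can still push files into /var/www/Dest, but a compromised www-data account gets no shell, no file reads and no writes elsewhere on the application server.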

I used inotify to implement the method John Gardeniers suggested. It was easy and it now works fine. I just wrote a C++ application that does the scp when a file in the directory is modified as can be done from the PHP code. Works fine.

Thanks,
Peter

OtagoHarbour