1
votes

I am trying to ssh to another machine using a Perl CGI script, and I am executing the script on a remote machine. I am facing an issue.

Note: I am calling the command below in a Perl CGI script. Below is just a code snippet, which is not working as expected, i.e. it is not executing the script on the remote system.

This is just a code snippet from heap.pl (this is the code from the Perl CGI script). I am using backticks (`) for executing system commands in the Perl script.

 `rm -rf /home/noc/.ssh/known_hosts ;ssh -i /home/noc/.ssh/noc_offshore_key -vvv -o LogLevel=DEBUG3 -o StrictHostKeyChecking=no -o BatchMode=yes -o ConnectTimeout=5 noc\@10.208.9.88 "sh /tmp/jetty_change.sh 4020 4678 accservice"`;

Error in apache Error Log:

[Sat Jan 20 01:44:33.369848 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: rm: cannot remove '/home/noc/.ssh/known_hosts': Permission denied, referer: http://10.208.8.27/heapmemory.html
[Sat Jan 20 01:44:33.375508 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: Warning: Identity file /home/noc/.ssh/noc_offshore_key not accessible: Permission denied., referer: http://10.208.8.27/heapmemory.html
[Sat Jan 20 01:44:33.376656 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017\r, referer: http://10.208.8.27/heapmemory.html
[Sat Jan 20 01:44:33.376702 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: debug1: Reading configuration data /etc/ssh/ssh_config\r, referer: http://10.208.8.27/heapmemory.html
[Sat Jan 20 01:44:33.376745 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: debug1: /etc/ssh/ssh_config line 56: Applying options for *\r, referer: http://10.208.8.27/heapmemory.html
[Sat Jan 20 01:44:33.376981 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: debug2: resolving "10.208.9.88" port 22\r, referer: http://10.208.8.27/heapmemory.html
[Sat Jan 20 01:44:33.377000 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: debug2: ssh_connect_direct: needpriv 0\r, referer: http://10.208.8.27/heapmemory.html
[Sat Jan 20 01:44:33.377016 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: debug1: Connecting to 10.208.9.88 [10.208.9.88] port 22.\r, referer: http://10.208.8.27/heapmemory.html
[Sat Jan 20 01:44:33.377362 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: debug2: fd 3 setting O_NONBLOCK\r, referer: http://10.208.8.27/heapmemory.html
[Sat Jan 20 01:44:33.377495 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: debug1: connect to address 10.208.9.88 port 22: Permission denied\r, referer: http://10.208.8.27/heapmemory.html
[Sat Jan 20 01:44:33.377518 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: ssh: connect to host 10.208.9.88 port 22: Permission denied\r, referer: http://10.208.8.27/heapmemory.html

Note: When I execute the same command as the NOC user it works fine, and I see that it is working as expected. So we can safely assume that the permissions and key are correct.

Permissions of file and ownership details

[noc@noc-automation tmp]$ ls -lrt /home/noc/.ssh/noc_offshore_key
-rw-------. 1 noc noc 1675 Jan 18 15:06 /home/noc/.ssh/noc_offshore_key

[noc@noc-automation cgi-bin]$ ls -lrt /var/www/cgi-bin/heap.pl 
-rwxrwxr-x. 1 noc noc 1137 Jan 20 01:44 /var/www/cgi-bin/heap.pl

Manually executing same command works, below is the Output. So we can safely assume that Keys and permissions are correct

[noc@noc-automation tmp]$ rm -rf /home/noc/.ssh/known_hosts ;ssh -i /home/noc/.ssh/noc_offshore_key -vvv -o LogLevel=DEBUG3 -o StrictHostKeyChecking=no -o BatchMode=yes -o ConnectTimeout=5 noc@10.208.9.88 "sh /tmp/jetty_change.sh 2000 2001 accservice"
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: resolving "10.208.9.88" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 10.208.9.88 [10.208.9.88] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 4999 ms remain after connect
debug1: key_load_public: No such file or directory
debug1: identity file /home/noc/.ssh/noc_offshore_key type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/noc/.ssh/noc_offshore_key-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.208.9.88:22 as 'noc'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: curve25519-sha256 need=16 dh_need=16
debug1: kex: curve25519-sha256 need=16 dh_need=16
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:QavXuYKfJLVm+oEiYiX+wQPcy5q5RvZ7Uki560dzg0c
Warning: Permanently added '10.208.9.88' (ECDSA) to the list of known hosts.
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: /home/noc/.ssh/noc_offshore_key ((nil)), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
################################################################################
#                                                                              #
# UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED. ACTIVITY MAY BE LOGGED AND #
# MONITORED.  USE IS FOR AUTHORIZED BUSINESS PURPOSES ONLY.  VIOLATORS OF THIS #
# POLICY ARE SUBJECT TO DISCIPLINARY ACTION UP TO AND INCLUDING LEGAL ACTION.  #
#                                                                              #
################################################################################
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred: ,gssapi-with-mic,publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/noc/.ssh/noc_offshore_key
debug3: sign_and_send_pubkey: RSA SHA256:blgxJvtpeU6gpkzAO6hRXG9DIHzMfPGajptL8OAUs7E
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to 10.208.9.88 ([10.208.9.88]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting [email protected]
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug3: receive packet: type 91
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x08
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env HOSTNAME
debug3: Ignored env SELINUX_ROLE_REQUESTED
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env HISTSIZE
debug3: Ignored env SSH_CLIENT
debug3: Ignored env SELINUX_USE_CURRENT_RANGE
debug3: Ignored env SSH_TTY
debug3: Ignored env USER
debug3: Ignored env LS_COLORS
debug3: Ignored env MAIL
debug3: Ignored env PATH
debug3: Ignored env PWD
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env SELINUX_LEVEL_REQUESTED
debug3: Ignored env HISTCONTROL
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug3: Ignored env SSH_CONNECTION
debug3: Ignored env LESSOPEN
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env _
debug3: Ignored env OLDPWD
debug1: Sending command: sh /tmp/jetty_change.sh 2000 2001 accservice
debug2: channel 0: request exec confirm 1
debug3: send packet: type 98
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
2000 2001 accservice JAVA_OPTS="${JAVA_OPTS} -Xms2000m -Xmx2001m"
accservice
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)

debug3: send packet: type 1
Transferred: sent 2572, received 2820 bytes, in 2.9 seconds
Bytes per second: sent 888.1, received 973.8
debug1: Exit status 0

Note: This script is invoked by Perl CGI, and Apache is running as the noc user only.

[noc@noc-automation tmp]$ ps -ef|grep httpd|grep -v grep
noc       1925  2637  0 Jan19 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
noc       2143  2637  0 Jan19 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
noc       2229  2637  0 Jan19 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
root      2637     1  0 Jan18 ?        00:00:09 /usr/sbin/httpd -DFOREGROUND
noc       4681  2637  0 Jan19 ?        00:00:01 /usr/sbin/httpd -DFOREGROUND
noc       6878  2637  0 Jan18 ?        00:00:01 /usr/sbin/httpd -DFOREGROUND
noc       7722  2637  0 00:31 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
noc      12575  2637  0 Jan18 ?        00:00:01 /usr/sbin/httpd -DFOREGROUND
noc      20192  2637  0 Jan18 ?        00:00:01 /usr/sbin/httpd -DFOREGROUND
noc      23163  2637  0 Jan19 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
noc      25275  2637  0 Jan19 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

I am running this script on RHEL7.

Can you please check and help me understand why the script is not getting executed on the remote system from Perl CGI?

1
Could you try creating a dummy cgi script that just sleeps, hit that page, and make sure that it gets run by the noc user? - xxfelixxx
Are you running cgi with suexec? httpd.apache.org/docs/2.4/suexec.html - xxfelixxx
I am running this script in RHEL7 - Prateek
Are you using SELinux as well? - xxfelixxx
Thank you @xxfelixxx, I have disabled SELinux and it started working. - Prateek

1 Answer

0
votes

Try disabling SELinux and check this again. It should work.
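
The symptom in the question can be triaged from the Apache error log alone. The following is an added example, not code from the original post or its answer: it pulls every "Permission denied" that the CGI child wrote to stderr (logged by Apache as AH01215) and classifies it. The function names and the verdict labels are assumptions of this example; the sample lines are copied from the log quoted in the question.

```shell
#!/bin/sh
# Added example, not from the original post: triage CGI stderr that Apache
# records as AH01215 and list every operation refused with "Permission denied".

# Sample input: five lines copied from the error log quoted in the question.
sample_log() {
cat <<'EOF'
[Sat Jan 20 01:44:33.369848 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: rm: cannot remove '/home/noc/.ssh/known_hosts': Permission denied, referer: http://10.208.8.27/heapmemory.html
[Sat Jan 20 01:44:33.375508 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: Warning: Identity file /home/noc/.ssh/noc_offshore_key not accessible: Permission denied., referer: http://10.208.8.27/heapmemory.html
[Sat Jan 20 01:44:33.376656 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017\r, referer: http://10.208.8.27/heapmemory.html
[Sat Jan 20 01:44:33.377495 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: debug1: connect to address 10.208.9.88 port 22: Permission denied\r, referer: http://10.208.8.27/heapmemory.html
[Sat Jan 20 01:44:33.377518 2018] [cgi:error] [pid 7722] [client 183.82.99.86:43419] AH01215: ssh: connect to host 10.208.9.88 port 22: Permission denied\r, referer: http://10.208.8.27/heapmemory.html
EOF
}

# Print "pid<TAB>kind<TAB>message" for each distinct denial read from stdin.
denied_ops() {
    awk '
    /AH01215:/ && /Permission denied/ {
        pid = "?"
        if (match($0, /\[pid [0-9]+\]/))
            pid = substr($0, RSTART + 5, RLENGTH - 6)
        msg = $0
        sub(/^.*AH01215: /, "", msg)      # strip the Apache prefix
        sub(/, referer: .*$/, "", msg)    # strip the referer suffix
        gsub(/\\r/, "", msg)              # strip the escaped carriage return
        kind = "other"
        if (msg ~ /connect to (address|host) /) kind = "network"
        else if (msg ~ /cannot remove|not accessible/) kind = "file"
        if (!seen[pid SUBSEP msg]++) print pid "\t" kind "\t" msg
    }'
}

# Heuristic (an assumption of this example): file mode bits never govern
# connect(), so a refused connect() points at local policy such as SELinux.
verdict() {
    denied_ops | awk -F'\t' '
        $2 == "network" { n++ }
        $2 == "file"    { f++ }
        END {
            if (n)      print "local-policy-denial"
            else if (f) print "file-access-denial"
            else        print "no-denials"
        }'
}

sample_log | denied_ops
sample_log | verdict
```

On the affected host, `ausearch -m avc -ts recent` lists the matching SELinux denial records, and `getsebool httpd_can_network_connect` shows whether processes in the httpd domain are allowed to open outbound connections.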