Net::SSH::Perl security question
on 30.11.2007 17:49:39 by joe
We have a need to allow users to submit a job through a web server
(front end machine) to run on back end cluster machines. I made use of
Net::SSH::Perl in a CGI program to realize this. One thing I notice
is that the CGI program requires a "/.ssh/known_hosts2" at the top
path of the file system on the front end machine where Apache is
running. I wonder does this potentially compromise any security on the
system? Need expert advice ...
Thanks in advance!
Joe
Re: Net::SSH::Perl security question
on 30.11.2007 19:03:40 by glex_no-spam
Joe wrote:
> We have a need to allow users to submit a job through a web server
> (front end machine) to run on back end cluster machines. I made use of
> Net::SSH::Perl in a CGI program to realize this. One thing I notice
> is that the CGI program requires a "/.ssh/known_hosts2" at the top
> path of the file system on the front end machine where Apache is
> running. I wonder does this potentially compromise any security on the
> system? Need expert advice ...
Nothing to do with perl, however, the answer to your question is "No."
For more details, read the documentation for ssh:
    man ssh
or discuss in a security/ssh related newsgroup.
Also, the CGI program doesn't require it, SSH is what uses/creates it.
Furthermore, the directory should be under the username running
the Apache process, not under root ( '/' ).
Re: Net::SSH::Perl security question
on 30.11.2007 19:28:31 by Martijn Lievaart
On Fri, 30 Nov 2007 08:49:39 -0800, Joe wrote:
> We have a need to allow users to submit a job through a web server
> (front end machine) to run on back end cluster machines. I made use of
> Net::SSH::Perl in a CGI program to realize this. One thing I notice is
> that the CGI program requires a "/.ssh/known_hosts2" at the top path of
> the file system on the front end machine where Apache is running. I
> wonder does this potentially compromise any security on the system?
> Need expert advice ...
Just guessing but....
The CGI is probably looking for $HOME/.ssh/known_hosts2. Which means that
either the HOME variable is not filled, or the user has / as his homedir.
M4
Re: Net::SSH::Perl security question
on 01.12.2007 01:30:13 by joe
On Nov 30, 12:28 pm, Martijn Lievaart wrote:
> The CGI is probably looking for $HOME/.ssh/known_hosts2. Which means that
> either the HOME variable is not filled, or the user has / as his homedir.
>
> M4
Thanks for the clue -- Just found out that when the web server's account is
set to "/bin/nologin" or "/bin/false", the account's "HOME" becomes "/".
When it's set to a shell, the home dir is properly identified.
This might be a web server question, but since we are here -- how may I
"cheat" in the perl/CGI program in order to designate an env $HOME variable?
(I tried a few options from within perl/CGI to "setenv" but never got it right;
also had no luck with Google on this).
Thanks in advance,
Joe
Re: Net::SSH::Perl security question
on 01.12.2007 02:09:27 by Ben Morrow
Quoth Joe :
> On Nov 30, 12:28 pm, Martijn Lievaart wrote:
>
> > The CGI is probably looking for $HOME/.ssh/known_hosts2. Which means that
> > either the HOME variable is not filled, or the user has / as his homedir.
>
> This might be a web server question, but since we are here -- how may
> I "cheat" in the perl/CGI program in order to designate an env $HOME
> variable?
    $ENV{HOME} = '...';
It might be better to do it in a BEGIN block, in case something checks
it at use time, and you can extract the correct value from /etc/passwd
(or equivalent) using User::pwent:
    use User::pwent;
    BEGIN { $ENV{HOME} = getpwuid($<)->dir }
Ben
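An added example, not part of the thread: the BEGIN-block approach from the post above, extended to refuse "/" as the resolved home and to check that .ssh and known_hosts2 under it are owned by the CGI's uid and not group- or world-writable. The helper names resolve_home and check_ssh_dir are hypothetical, and only core Perl modules are used.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use User::pwent;   # getpwuid() returns an object with ->dir, ->name
use File::stat;    # stat() returns an object with ->uid, ->mode

# Look up the home directory for the real uid in the passwd database and
# reject values that would place .ssh at the filesystem root.
sub resolve_home {
    my $pw = getpwuid($<) or die "no passwd entry for uid $<\n";
    my $home = $pw->dir;
    die "home for '" . $pw->name . "' is empty or '/'\n"
        if !defined $home || $home eq '' || $home eq '/';
    die "home '$home' is not a directory\n" unless -d $home;
    return $home;
}

# Return a list of ownership/permission problems for the SSH files under
# $home. Paths that do not exist yet are skipped.
sub check_ssh_dir {
    my ($home) = @_;
    my @problems;
    for my $path ("$home/.ssh", "$home/.ssh/known_hosts2") {
        my $st = stat($path) or next;
        push @problems, "$path: owned by uid " . $st->uid . ", expected $<"
            if $st->uid != $<;
        push @problems, sprintf('%s: group/world writable (mode %04o)',
                                $path, $st->mode & 07777)
            if $st->mode & 0022;
    }
    return @problems;
}

# Set HOME at compile time, before any later "use" can read it.
BEGIN { $ENV{HOME} = resolve_home() }

my @problems = check_ssh_dir($ENV{HOME});
if (@problems) {
    print STDERR "refusing to start SSH session:\n";
    print STDERR "  $_\n" for @problems;
    exit 1;
}
print "HOME=$ENV{HOME}; SSH files pass ownership and mode checks\n";
```

Load Net::SSH::Perl only after the BEGIN block so that it sees the corrected HOME.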
Re: Net::SSH::Perl security question
on 01.12.2007 11:33:22 by Martijn Lievaart
On Fri, 30 Nov 2007 16:30:13 -0800, Joe wrote:
> On Nov 30, 12:28 pm, Martijn Lievaart wrote:
>
>> The CGI is probably looking for $HOME/.ssh/known_hosts2. Which means
>> that either the HOME variable is not filled, or the user has / as his
>> homedir.
>>
>> M4
>
> Thanks for the clue -- Just found out that when the web server's account is
> set to "/bin/nologin" or "/bin/false", the account's "HOME" becomes "/".
> When it's set to a shell, the home dir is properly identified.
>
> This might be a web server question, but since we are here -- how may I
> "cheat" in the perl/CGI program in order to designate an env $HOME
> variable?
> (I tried a few options from within perl/CGI to "setenv" but never got it right;
> also had no luck with Google on this).
The home directory can be set normally, probably choosing a shell gives a
suitable default. Consult your system's documentation about modifying
users.
HTH,
M4