Author: apokalyptik

apokalyptikhttp://blog.apokalyptik.com/

Using PHP and OpenSSH with username/password auth

It turns out that this is actually a tricky problem. It’s super easy to use the OpenSSH command line stuff via PHP when you have key based authentication set up, but it’s not at all easy to use when you want to go the user/pass route. This is for a couple of reasons:

First you cannot specify the password on the command line. Second you cannot use the php process controls directly to give the password (well this isn’t 100% true, if you want to recompile your PHP binary with pty support then you probably could bypass everything I’m about to say and just use proc_open straight). And there’s a third reason that I’ll get to in a bit.

OpenSSH supports getting a password from an executable program via the SSH_ASKPASS environment variable — with two notable gotchas. First this only works if you also specify a DISPLAY environment variable, and second it does NOT work if the controlling process has a tty or pty.

The code below works… but if you just paste it into a script file and run it directly with php ./myscript.php it fails. Why?

function ssh_user_pass_port_forward( $hostname, $username, $password, $localport, $remotehost, $remoteport ) {
	$descriptorspec = array(
	        0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
	        1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
	        2 => array("pipe", "w")   // stderr is a file to write to
	);
	$script = tempnam( '/tmp/', 'askpass-');
	file_put_contents( 
		$script, 
		"#!/bin/bash
echo -n ".escapeshellarg( $password ) 
	);
	chmod( $script, 0755 );
	$env = array( 
		'DISPLAY' => '0', 
		'SSH_ASKPASS' => $script 
	);
	$forward = sprintf(
		"%d:%s:%d",
		$localport,
		$remotehost,
		$remoteport
	);
	$command = sprintf(
		"/usr/bin/ssh -n -o StrictHostKeyChecking=no -l %s -L %s -N %s",
		escapeshellarg( $username ),
		escapeshellarg( $forward ),
		escapeshellarg( $hostname )
	);
	return proc_open( $command, $descriptorspec, $pipes, getcwd(), $env);
}

The answer is that you are running it, and you’re running it from a shell which has a tty or pty attached, and the script inherits those and OpenSSH sees this and then ignores the SSH_ASKPASS variable completely. The trick to testing/using this code is to execute it without running it from a terminal. If you execute the command below (roughly) it looks like it hangs. but if you open another terminal you should be able to use the port forward just created.

ssh myserver.com “php /path/to/myscript.php”

This is because since you’re sshing for the sole purpose of running that command and not using a shell the system doesn’t allocate you a pty like it would normally. I’m guessing that executing it via an http request would do something similar.

Since I previously posted some hard-won advice for working with ssh2_* in php I thought I would share this equally tricky bit that I’d also figured out in the process.

Remember that there is ALWAYS more than one way to skin a problem, and every problem can be skinned with enough effort.

Again, this is itch-scratch-ware, YMMV, this is meant as a starting point on a journey to a solution and not a drop-in-works-everywhere bit of code. It’s just the hard stuff. The useful stuff is still up to you 😉

PHP SSH2 code

I’ve had a need to use the PHP SSH2 PECL recently (working on making a product, at work, more efficient) And thought I would share some of the preliminary code. You can find it here: vpssh.phps

The most interesting thing is not vpssh_core or it’s exec (though it’s good code) the really interesting thing is the vpssh_tunnel class and the accompanying examples at the top of the file. This really shows some advanced usage of ssh2_tunnel that you can’t really find anywhere else.

It’s just the beginnings of some useful code, but it’s probably a huge jumping off point for anyone seriously looking into the ssh2 pecl functionality. Oh, it also works with both password and key based authentication.

This code is less than 12 hours old, and it works for me so far, YMMV. Feedback welcome … or not… Whatever. Hope it helps someone out. And I hope it helps me out later when I need this kind of thing again.

Temporary files

Here’s a little tip. If you’re writing PHP code for a linux only environment and you need a temp file to write something to.

You can unlink the file after you use fopen() and use it to your hearts content. Linux will keep the “file” in existence for you and you can use ftruncate(), rewind(), fflush() and the like to churn it to your hearts content. When you close the filepointer linux will reclaim the space you used. With this method of operation you can be sure that your code will not accidentally leave these files laying around if, for example, the process is terminated.

Just recently I used this trick on two tempfiles in parallel, moving data back and forth between them filtering things in and out on each pass. Handy trick…

Good Bye My Friend

Saying good bye tonight was the hardest thing I’ve ever had to do. I always imagined a fight to the bitter end, but when it came down to it… I couldn’t let you suffer for my sake any longer. I loved you, Love you, Will love you always.

My dear sweet Buddy boy

My Buddy Boy… Some Bad News

Buddy has been sick off and on for a few weeks now in various forms and to various degrees. He developed this little light, rare, cough… Then a week and a half ago He was throwing up his food and we saw blood. We took him to the emergency vet and had him checked out, we had an x-ray done looking for blockages in his digestive track, there were none. We did see something in his lungs. The normal vet thought it was probably a little bronchitis or similar and advised waiting a few days to see what happened. It got worse and his breathing became labored. We got him back in for more X-Rays just this Friday, and the results suggested one of two things.

There is a very real possibility that he has cancer of some sort. There is a more slim possibility that he has a systemic fungal infection.

Of the two we’re hoping for the yeast infection (and 6-12 months of Meds.) Because of how the X-rays look and how bad shape he’s falling into so fast… If it’s cancer… It’s pretty much a death sentence. So we’re waiting for results on his blood tests to see if its a fungus. And we’ve been trying to have as many good moments with him as we have left. Moments where he’s wagging his tail. Times when he wants to play ball. Even just times when he wants to cuddle. The house is already very different. I find myself crying at random memories. He gave me a face bath on Friday night… I couldn’t help but wonder if it was going to be the last one I’d get.

He’s not even 5 years old now, and he’s been through so much. He’s had such a hard life, medically. He’s survived parvo, allergies, too many infections to count. In the end I’m not crying for him, he’s going to a better place his pains get to end now. I’m crying for me… Because I already miss my friend now and It hurts to think how much I’ll miss him when he’s gone.

There’s very little blame to be had here. We feed him the best, we take care of him as best we can, we play with him, love him.

I wish that I had something better to put here. Something funny, or insightful, or informative.

I really do.