cmburns has asked for the wisdom of the Perl Monks concerning the following question:

Dear Monks!

I have a CGI script that needs to put a file on another server. This used to be done via FTP, but now the target server has changed, and the new one doesn't run an ftp daemon.

Therefore I would like to use secure copy and found Net::SCP on CPAN. Just what I need... but of course it doesn't take passwords but relies on public key authentication. Ok, that's a good thing; after all, you really shouldn't put those passwords into your script.

But now this script doesn't run as a normal user, but as user nobody, apache or whatever, so my question is: Where do I put that secret key??? Or do I have to take a different approach?

Does anyone have any experience with this and could point me in the right direction?

Thanks!

Replies are listed 'Best First'.
Re: Using SCP from CGI
by kappa (Chaplain) on May 07, 2002 at 14:29 UTC
    Consider using the plain old scp program, which has (at least in recent OpenSSH) a special command-line option (-i) to specify your custom identity (private or secret key).
      hmm... not a bad idea. I'll look into that. Of course I have to make that private key world-readable (uh, gives me a bad feeling - but not worse than putting passwords into scripts, I guess) or have it chowned. I wish I were root on that machine...

      thanks anyway!

Re: Using SCP from CGI
by cfreak (Chaplain) on May 07, 2002 at 16:15 UTC

    Make the owner of your script someone who has very few privileges and then run your script Set UID. On *ix just do chmod 4750 (which will make it SetUID owner, r+w+x owner, r+x group, nothing world). Then you can make the key for the user who owns the script.

    The only thing to remember is that SetUID automagically puts Perl in Taint mode, so you'll have to check your input. But that's not so bad, because you should be running CGI scripts in taint mode anyway :)

    Hope that helps

    Chris

    Some clever or funny quote here.
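Putting kappa's `-i` suggestion and cfreak's setuid/taint-mode advice together, here is an added example (not code from the thread): a taint-mode CGI that checks the identity file is readable only by the user the script runs as, untaints the client-supplied name, and calls scp without a shell. The key path, local spool file and remote host are assumed placeholders.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Assumes: the script runs setuid as a
# low-privilege user (cfreak's chmod 4750), that user owns the key below,
# and the file to ship was already written to a local spool by the CGI.
use strict;
use warnings;
use CGI;

# Under -T, Perl refuses to exec anything unless PATH is trusted.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $key_file = '/var/lib/cgi-upload/.ssh/id_rsa';     # assumed location
my $local    = '/var/lib/cgi-upload/spool/report.txt'; # assumed spool file
my $remote   = 'upload@files.example.com:/incoming/';  # assumed target

# The key must belong to the effective user and carry no group/world bits;
# otherwise a world-readable key (the worry in the thread) is accepted silently.
sub key_is_private {
    my ($path) = @_;
    my @st = stat($path) or return 0;
    return 0 unless $st[4] == $>;   # owner == effective uid
    return 0 if $st[2] & 0077;      # any group/other permission bit set
    return 1;
}

# Untaint the remote file name: one path component, no separators, no
# leading dot, so "../" or "-flag" can't reach scp.
sub safe_name {
    my ($name) = @_;
    return undef unless defined $name;
    return $name =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,63})\z/ ? $1 : undef;
}

sub push_file {
    my ($name) = @_;
    die "refusing: $key_file is not private to uid $>\n"
        unless key_is_private($key_file);
    my $clean = safe_name($name) or die "bad file name\n";
    # List-form system(): no shell, so the name can't add arguments.
    # BatchMode=yes makes scp fail outright instead of prompting.
    my @cmd = ('/usr/bin/scp', '-q', '-o', 'BatchMode=yes',
               '-i', $key_file, $local, "$remote$clean");
    system(@cmd) == 0 or die "scp failed with status $?\n";
    return 1;
}

my $q = CGI->new;
push_file($q->param('name'));
print $q->header('text/plain'), "ok\n";
```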
Re: Using SCP from CGI
by yodabjorn (Monk) on May 07, 2002 at 20:07 UTC
    I would recommend using OpenSSH and keys in conjunction with keychain, which allows you to authenticate manually to the ssh-agent and have subsequent shells become authenticated. This way only the pub key needs to be readable for your server user. You would have to authenticate manually once when the server starts and anytime after a restart.. I use keychain a lot for various Perl automation tasks..

Re: Using SCP from CGI
by samtregar (Abbot) on May 07, 2002 at 18:54 UTC
    CAVEAT: I'm a bad, bad man and you shouldn't listen to me.

    I have a patch for OpenSSH that lets it use .netrc files (used by FTP). This lets me call scp without providing a password and everything just works! Since I'm already foolish enough to use .netrc with FTP I don't suffer any loss of security. If you want the patch I could post it. Or you could do some similar surgery on Net::SCP.

    -bad bad sam