amt has asked for the wisdom of the Perl Monks concerning the following question:

Gentlemen,

I am trying to propagate FR configurations from a single machine that interfaces with a WWW form. After my perl script writes the FR configuration file, I use this propagate function to write the configuration file to other hosts. I am using RSA keys to automate the authentication of scp, and when I use scp or ssh in an interactive session, I am authenticated without problem.

Code is posted below, but when it runs, I get this error in my /var/log/httpd/error_log:
Could not create directory '/var/www/.ssh'. Host key verification failed. lost connection

This is the offending code:

    # $query (a CGI object) and $reloadcmd are assumed to be defined in the enclosing script
    sub propagate {
        my $config_file = shift;
        my $addr;
        my %FR_servers = ( "XX.XX.XX.XX" => 0 );   # key: address of FR servs  val: success/fail

        ####### Draw Propagate Results (header) #######
        # the HTTP header has to go out before any body output
        print $query->header();

        ####### Begin Dumb Propagate Function #######
        foreach $addr (keys %FR_servers) {
            if ( system("scp $config_file $addr:/usr/local/etc/raddb/") == 0 ) {
                $FR_servers{$addr} = 1;                 # mark for user feedback
                print "good<br>";
                system("ssh $addr \"$reloadcmd\"");     # reload freeradius remotely
            }
            else {
                $FR_servers{$addr} = 0;
                print "bad<br>";
            }
        }
        ####### Finish Dumb Propagate Function #######

        ####### Draw Propagate Results #######
        foreach $addr (keys %FR_servers) {
            print "$addr $FR_servers{$addr}<br>";       # was "$_", which is unset here
        }
    }

Thanks in advance
amt.

perlcheat

Re: FreeRadius Config Propagation
by fglock (Vicar) on Oct 01, 2004 at 19:36 UTC

    when i use scp or ssh in an interactive session, I am authenticated without problem.

    Are you sure the ssh keys are ok for the httpd daemon user? - it is the user that has its home in /var/www/

      I suspect not, because I am getting that error. But if I was to create that directory in /var/www/ wouldn't the directory .ssh be visible, or does the webroot begin at /var/www/html/?

      amt.

      perlcheat
        amt - neither - I believe you're dealing with the web server userID's $HOME on the remote host (e.g. the web server document root doesn't matter).. and the .ssh dir should be a subdir of that (unless you specify otherwise). And of course that all has to be set up in advance including the authorized_keys portions..

        .ssh is not visible by default, but you should not do that anyway - it may be exploitable. You may do better to set up a user just to handle the ssh communication.

Re: FreeRadius Config Propagation
by hsinclai (Deacon) on Oct 01, 2004 at 19:39 UTC
    in an interactive session..
    amt do you do your interactive session as the web server user (or whoever runs your CGI) - it sounds as if you are anyway, but, judging by the error message - the remote home dir is var/www (web server user?) so maybe you really do have a permissions problem there..

    I wonder if your config file parses correctly - if the remote $addr was wrong - you'd have this problem too I bet.

    update -- the perl code looks nice but I was wondering how you get the user to write files in /usr/local/etc/ on the remote host, or maybe you've got some special permissions set up on each remote box? -harold
      hsinclai, I haven't got to that problem yet. The private key that I generated was as root on the machine that the script runs on. Should the key be generated as apache, and placed in /var/www/.ssh/? This is my first time with RSA keys to automate authentication.

      amt.

      perlcheat
Re: FreeRadius Config Propagation
by Anonymous Monk on Oct 01, 2004 at 23:13 UTC
    I would start your cgi-script as "http://host/~user/cgi-bin/script". Then it would run as user. In "/home/user/.ssh" I would generate an ssh key. If you did this, your script would try to login as user on the remote host. If that is ok interactively, it's ok from script too.
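As an added example (not amt's code and not anything posted in the thread), here is a propagate routine that follows the replies' advice: it runs under a dedicated deploy user with an explicit private key and a pre-populated known_hosts file, so nothing depends on the web server user's missing $HOME, and it hands arguments to scp and ssh in list form so the config file name and host are never interpreted by a shell. The key path, known_hosts path, reload command and the XX.XX.XX.XX host are hypothetical placeholders.

```perl
#!/usr/bin/perl
# Added example: push a FreeRADIUS config to each server with scp/ssh
# using fixed paths (independent of the caller's $HOME) and no shell.
use strict;
use warnings;

# Hypothetical locations for a dedicated deploy user; adjust to taste.
my $identity    = '/var/lib/frdeploy/.ssh/id_rsa';       # private key
my $known_hosts = '/var/lib/frdeploy/.ssh/known_hosts';  # pre-populated host keys
my $remote_dir  = '/usr/local/etc/raddb/';
my $reload_cmd  = '/etc/init.d/radiusd reload';          # hypothetical

# Options shared by scp and ssh: explicit key, explicit known_hosts,
# and fail instead of prompting when a host key is unknown or changed.
my @ssh_opts = (
    '-i', $identity,
    '-o', "UserKnownHostsFile=$known_hosts",
    '-o', 'StrictHostKeyChecking=yes',
    '-o', 'BatchMode=yes',
);

# Copies $config_file to every host and reloads the daemon there.
# Returns { host => { ok => 0|1, err => 'reason' } } for user feedback.
sub propagate {
    my ($config_file, @hosts) = @_;
    my %result;
    for my $host (@hosts) {
        # List-form system(): no shell, so a crafted file name or host
        # string cannot smuggle in extra commands.
        my $rc = system('scp', @ssh_opts, $config_file, "$host:$remote_dir");
        if ($rc != 0) {
            $result{$host} = { ok => 0, err => 'scp exit ' . ($? >> 8) };
            next;
        }
        $rc = system('ssh', @ssh_opts, $host, $reload_cmd);
        $result{$host} = $rc == 0
            ? { ok => 1, err => '' }
            : { ok => 0, err => 'reload exit ' . ($? >> 8) };
    }
    return \%result;
}

# Constructed usage; XX.XX.XX.XX stands in for a real FR server address.
my $res = propagate('/tmp/clients.conf', 'XX.XX.XX.XX');
for my $host (sort keys %$res) {
    printf "%s %s %s\n", $host,
        $res->{$host}{ok} ? 'good' : 'bad', $res->{$host}{err};
}
```

Run it once interactively as the deploy user with `ssh-keyscan` output already in the named known_hosts file; any remaining failure then shows up as a non-zero exit in the result hash rather than as a hang on a password prompt.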