Best way to replace sshd? #53

Open
ppbrown opened this issue Nov 5, 2019 · 2 comments
ppbrown commented Nov 5, 2019

I would ask this through forum or something, but don't see anything like that available.
Was wondering about the best way to close off a server to everything but https traffic, and then allow "login" via webconsole over https, instead of also running externally visible sshd.

To be precise: rather than prompt for a "username and password" that is embedded in the script, prompt for actual unix level username and password.. and then give a tty session as THAT user, rather than the web user.

Maybe this could be added to the FAQ?

@ridyanto

> I would ask this through forum or something, but don't see anything like that available.
> Was wondering about the best way to close off a server to everything but https traffic, and then allow "login" via webconsole over https, instead of also running externally visible sshd
>
> To be precise: rather than prompt for a "username and password" that is embedded in the script, prompt for actual unix level username and password.. and then give a tty session as THAT user, rather than the web user.
>
> Maybe this could be added to the FAQ?

Do you have the answers?

@GwynethLlewelyn

Since the webconsole.php runs as the web user, I'm pretty sure that you cannot switch to any other user — unless (not tested!) you configure your web server to run PHP scripts as root, which you should never do!

The FAQ explains a tricky way to accomplish running as root from the opened shell, assuming that the web server's user is part of the sudoers group (another very dangerous thing to do, but...).

@ppbrown, if you have access via WebConsole to the /etc/shadow file, you can receive the password, go through the required steps to produce the hash (e.g. checking for the hashing algorithm and the salt), and compare the result with what's stored in /etc/shadow. If it matches, then that user is authenticated!

Alas, most web server configurations will prevent access to /etc/shadow. However, if you have a configuration that does allow it, you can try to follow the instructions posted here: https://stackoverflow.com/questions/1459682/check-unix-username-and-password-in-a-shellscript/1459778#1459778

Another source for some explanations: https://ubuntuforums.org/archive/index.php/t-1232715.html

One possibility seems to be to use PAM authentication from within PHP, as discussed on this old thread in StackOverflow. It refers to a PECL extension, PAM. If you have the possibility to install it, it's worth a try (it's being kept up to date!); there are plenty of guides around there, some old, some new (a few links are provided in the StackOverflow thread; most are gone, but not all).
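
The hash-and-compare steps described in the comment above, as an added example that is not part of the original thread or WebConsole's own code. The function names are hypothetical, and the shadow entries are constructed in the script (the hash is generated at run time) rather than read from a real /etc/shadow.

```php
<?php
// Added example. shadow_field() and verify_shadow_password() are hypothetical names.

/** Return the password field for $user from shadow-format text, or null if absent. */
function shadow_field(string $shadowText, string $user): ?string
{
    foreach (explode("\n", $shadowText) as $line) {
        $parts = explode(':', $line);
        if (count($parts) >= 2 && $parts[0] === $user) {
            return $parts[1];
        }
    }
    return null;
}

/** Check $password against one shadow password field; fails closed on anything odd. */
function verify_shadow_password(?string $field, string $password): bool
{
    // Unknown user, empty field, or locked/disabled account ("!", "*", "!$6$...").
    if ($field === null || $field === '' || $field[0] === '!' || $field[0] === '*') {
        return false;
    }
    // Accept only modular crypt format "$id$...$"; legacy DES entries are rejected.
    if (!preg_match('/^\$[0-9a-z]+\$/', $field)) {
        return false;
    }
    // crypt() takes the algorithm id, options and salt from the stored field itself.
    // A scheme that PHP's crypt() does not implement yields a short failure token.
    $computed = crypt($password, $field);

    // Constant-time comparison of the stored and recomputed hashes.
    return strlen($computed) > 2 && hash_equals($field, $computed);
}

// Constructed sample data: SHA-512 crypt hash generated here for the demo.
$sampleHash = crypt('correct horse', '$6$constructedsalt$');
$shadow = "alice:{$sampleHash}:18205:0:99999:7:::\n"
        . "bob:!{$sampleHash}:18205:0:99999:7:::\n"   // locked account
        . "daemon:*:18205:0:99999:7:::\n";            // no password login

foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'correct horse'],
          ['daemon', ''], ['nobody', 'x']] as [$user, $pass]) {
    $ok = verify_shadow_password(shadow_field($shadow, $user), $pass);
    printf("%-7s %s\n", $user, $ok ? 'authenticated' : 'rejected');
}
```

A successful check here only confirms the password; the PHP process still runs as the web user, as the comment above points out.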
