Re: How to establish an SSH2 tunnel with php? [message #177489 is a reply to message #177479]
Mon, 02 April 2012 12:15
Peter H. Coffin (Senior Member; Messages: 245; Registered: September 2010)
On Mon, 02 Apr 2012 08:26:19 +0200, Une Bévue wrote:
> On 02/04/2012 03:19, Jerry Stuckle wrote:
>
>>
>> Does your www-data user have access to the key files? They need to be
>> readable by www-data (but you shouldn't have to create a new key for the
>> web user).
>>
>
> not for the time being:
> .-(~)-------------------------------------(yt@D620)-
> `--> lal .ssh
> total 28
> drwxr-xr-x 2 yt yt 4096 2012-01-03 17:06 .
> drwxr-xr-x 91 yt yt 4096 2012-04-02 08:11 ..
> -rw------- 1 yt yt 998 2012-02-04 09:32 authorized_keys
> -rw------- 1 yt yt 137 2012-02-07 13:09 config
> -rw------- 1 yt yt 751 2011-12-20 09:50 id_dsa
> -rw-r--r-- 1 yt yt 597 2011-12-20 09:50 id_dsa.pub
> -rw-r--r-- 1 yt yt 1548 2012-01-25 08:17 known_hosts
> .-(~)--------------------------------------(yt@D620)-
> `-->
>
> AFAIK, I can't make them readable by all users because otherwise ssh won't
> work (?).
That is correct. HOWEVER, authorized_keys authorizes access for ANY
public half in its list, which means many private keys can exist for a
single login ID. You can create a fresh pair for www-data, where
www-data owns the private half exclusively (in some place that is not in
$DOCROOT, but also not your own .ssh directory) for its authentication
use, just like yt owns the above id_dsa exclusively.
--
For their next act, they'll no doubt be buying a firewall running under
NT, which makes about as much sense as building a prison out of
meringue.
-- Tanuki
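The procedure Peter describes, written out as an added example (this script is not from the thread and not anything the original posters ran): generate a separate key pair for the web user, keep the private half in a directory that www-data alone owns and that is neither under $DOCROOT nor inside yt's ~/.ssh, and append only the public half to yt's authorized_keys. The paths (/var/lib/www-keys, /var/www, /home/yt/.ssh/authorized_keys), the user names and the ed25519 key type are assumptions chosen for illustration and can be overridden through the environment; the check functions also reject the two mistakes the thread warns about, a group/world-readable private key and a key stored under the document root.

```shell
#!/bin/sh
# Added example, not code from the original thread: give www-data its own
# key pair, kept outside $DOCROOT and outside yt's ~/.ssh, and authorize
# its public half in yt's authorized_keys. Paths, user names and the key
# type are assumptions for illustration; override them via the environment.
set -eu

KEY_USER="${KEY_USER:-www-data}"                 # web server user (assumed)
KEY_DIR="${KEY_DIR:-/var/lib/www-keys}"          # outside DOCROOT and ~/.ssh (assumed)
KEY_FILE="$KEY_DIR/id_ed25519"
DOCROOT="${DOCROOT:-/var/www}"                   # document root (assumed)
TARGET_AUTHKEYS="${TARGET_AUTHKEYS:-/home/yt/.ssh/authorized_keys}"  # login the tunnel uses (assumed)

# Octal mode of a file, GNU stat first and BSD stat as the fallback.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Directory for the private key: 0700 and owned by the web user.
setup_key_dir() {
    dir="$1"; owner="$2"
    mkdir -p "$dir"
    chmod 700 "$dir"
    # chown needs root; an unprivileged dry run leaves it owned by the caller.
    if [ "$(id -u)" -eq 0 ]; then chown "$owner" "$dir"; fi
}

# Fresh key pair for the web user. No passphrase: nobody is at a keyboard
# when PHP opens the tunnel, so file ownership and mode are the protection.
generate_key() {
    key="$1"
    if [ ! -e "$key" ]; then
        ssh-keygen -q -t ed25519 -N "" -C "$KEY_USER tunnel key" -f "$key"
    fi
    chmod 600 "$key"
}

# Refuse a private key that is group/world readable (ssh refuses it too)
# or that lives under the document root, where a web server
# misconfiguration could serve it to anyone.
check_private_key() {
    key="$1"; docroot="$2"
    if [ ! -f "$key" ]; then echo "missing private key: $key" >&2; return 1; fi
    case "$key" in
        "$docroot"/*) echo "private key is inside DOCROOT ($docroot): $key" >&2; return 1 ;;
    esac
    mode=$(file_mode "$key")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "bad mode $mode on $key (want 0600)" >&2; return 1 ;;
    esac
}

# Add the public half to the target login's authorized_keys exactly once.
# Only this line crosses the boundary; the private half stays in KEY_DIR.
authorize_pubkey() {
    pub="$1"; authkeys="$2"
    line=$(cat "$pub")
    [ -f "$authkeys" ] || : > "$authkeys"
    chmod 600 "$authkeys"
    if ! grep -qxF -- "$line" "$authkeys"; then
        printf '%s\n' "$line" >> "$authkeys"
    fi
}

main() {
    if [ "${1:-}" != apply ]; then
        echo "usage: $0 apply   (run as root; KEY_DIR, KEY_USER, DOCROOT and TARGET_AUTHKEYS override the defaults)" >&2
        return 0
    fi
    setup_key_dir "$KEY_DIR" "$KEY_USER"
    generate_key "$KEY_FILE"
    if [ "$(id -u)" -eq 0 ]; then chown "$KEY_USER" "$KEY_FILE" "$KEY_FILE.pub"; fi
    check_private_key "$KEY_FILE" "$DOCROOT"
    authorize_pubkey "$KEY_FILE.pub" "$TARGET_AUTHKEYS"
    echo "$KEY_USER key ready: $KEY_FILE (public half added to $TARGET_AUTHKEYS)"
}

main "$@"
```

Run it as root with the `apply` argument; without it the script only prints its usage. Afterwards the PHP side authenticates as yt with `ssh2_auth_pubkey_file($conn, 'yt', '/var/lib/www-keys/id_ed25519.pub', '/var/lib/www-keys/id_ed25519')` before calling `ssh2_tunnel()`, and yt's own id_dsa stays 0600 and private to yt, exactly as in the listing above. Two caveats: an OpenSSH or libssh2 build too old to know ed25519 needs `-t rsa` in `ssh-keygen` instead, and a key with no passphrase is only as safe as the directory around it, which is why the 0700/0600 checks are part of the procedure rather than an afterthought.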