Power By 专否社区

need to ssh to remote machine from web page with python/django

Go To StackoverFlow.com

-1

I acquired a python script that will either telnet to some equipment, or if the equipment is in a lab, ssh to a firewall machine and then it will telnet to the equipment, and run a command, returning the output for more processing.

I took this script and tied it into a Django web app so that I could, from a browser, fill out a form with the target system info and have it display the results. If I start up this web app from the command line, and then access it from the browser (python manage.py app), everything works fine.

However, if I set this up to run in "production" mode, using a virtual host with Apache, the SSH fails. I suspect that this is running under root or some web account and cannot SSH to the firewall.

Can someone suggest how I get this to work? I don't have any privileges on the firewall machine, so I can't setup SSH to run under some web account.

Would I need to collect username and password from the user, in the case where SSH is used, and then pass it to ssh, or are there other ways to get the telnet info and command through to the equipment?

2012-04-03 23:09
by pcm
This is much too vague for SO. Work up an SSCCE and post the code. You might also read the [FAQ] and [ask] - Jim Garrison 2012-04-03 23:11
Understood. I haven't posted here very much, and this is somewhat involved. Essentially I have a script that SSHes to another box. The script works, and it works, when I use it in a Django web app (which I'm just starting to learn about), via "python manage.py myapp". If I setup mod_python on Apache and try to invoke the same script, using the same web app, I get a failure telneting via shh to another host (I'm trying to do some logging so I can better see the error). The other answer may bear some fruit - pcm 2012-04-04 23:07

1

You're close. The problem here is probably that your web server runs as a non-privileged user (NOT root), like www or www-data or nobody (depending on your operating system). While that user can probably run the SSH binary, when doing so as nobody, it probably doesn't have a home directory, can't find your .ssh directory, and can't find the key file (.ssh/id_rsa for example) that it needs to use for authentication.

You have a number of options. Make your private key available to the web server software, then launch ssh with the -i option to select an identity file. Or do this in an SSH config file that you specify with the -F option. Or launch ssh using sudo, and give your web server software the ability to run ssh as some other (shell) user.

I can't provide a more specific answer because you haven't provided specifics in your question. Operating system, sample code, etc.

Hope this helps.

Oh, and you should also consider NOT doing this, and finding some other solution. A web application, even an internal one, that has SSH access to your firewall? Sounds like a recipe for eventual disaster to me. :-)

2012-04-04 00:14
by ghoti
Thanks for the kind ideas. Right now, the OS is Ubuntu 10.10, running in a VM (VMWare). The firewall, is for a lab, mostly so lab traffic doesn't blast out the corporate network. As such, in this case, I can't telnet to the equipment in the lab and have to go through a host on that is dual homed. Easiest is this firewall box, but I could use other Linux boxes as well - pcm 2012-04-04 22:57
If I understand correctly, then, I have the script invoke ssh specifying my user account and identity? I'm reusing code from someone for the ssh/telnet, so I need to dig into it some and see how to make this work - pcm 2012-04-04 23:02
Solution was to use ssh with the -i option, and create a passwordless key pair, so that this can be invoked by www-data account. Thanks ghoti - pcm 2012-04-10 23:16
Ads