I acquired a python script that will either telnet to some equipment, or if the equipment is in a lab, ssh to a firewall machine and then it will telnet to the equipment, and run a command, returning the output for more processing.
I took this script and tied it into a Django web app so that I could, from a browser, fill out a form with the target system info and have it display the results. If I start up this web app from the command line, and then access it from the browser (python manage.py app), everything works fine.
However, if I set this up to run in "production" mode, using a virtual host with Apache, the SSH fails. I suspect that this is running under root or some web account and cannot SSH to the firewall.
Can someone suggest how I get this to work? I don't have any privileges on the firewall machine, so I can't set up SSH to run under some web account.
Would I need to collect username and password from the user, in the case where SSH is used, and then pass it to ssh, or are there other ways to get the telnet info and command through to the equipment?
You're close. The problem here is probably that your web server runs as a non-privileged user (NOT root), like www or www-data or nobody (depending on your operating system). While that user can probably run the SSH binary, when doing so as nobody, it probably doesn't have a home directory, can't find your .ssh directory, and can't find the key file (.ssh/id_rsa for example) that it needs to use for authentication.
You have a number of options. Make your private key available to the web server software, then launch ssh with the -i option to select an identity file. Or do this in an SSH config file that you specify with the -F option. Or launch ssh using sudo, and give your web server software the ability to run ssh as some other (shell) user.
I can't provide a more specific answer because you haven't provided specifics in your question: operating system, sample code, etc.
Hope this helps.
Oh, and you should also consider NOT doing this, and finding some other solution. A web application, even an internal one, that has SSH access to your firewall? Sounds like a recipe for eventual disaster to me. :-)
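As an added illustration of the first two options above (explicit -i identity file and -F config file), and not code from the asker's script or the answerer: this Python helper builds an ssh command that does not depend on the web worker's $HOME, refuses a key file whose permissions ssh would reject anyway, and runs in BatchMode so a missing key fails fast instead of hanging the request on a password prompt. All hostnames, usernames and paths in it are assumptions.

```python
import stat
import subprocess
from pathlib import Path


def build_ssh_argv(host, user, identity_file, config_file=None, known_hosts=None):
    """Build an ssh argv with every path given explicitly.

    The same command then works from a developer shell and from an Apache
    worker running as nobody/www-data with no home directory.  BatchMode=yes
    makes ssh exit with an error rather than prompt when the key is unusable.
    """
    key = Path(identity_file)
    if not key.is_file():
        raise FileNotFoundError(f"identity file not found: {key}")
    # ssh refuses private keys that are group- or world-readable, so check
    # before spawning and report a clear error instead of a cryptic one.
    mode = stat.S_IMODE(key.stat().st_mode)
    if mode & 0o077:
        raise PermissionError(f"{key} has mode {mode:o}; must not be group/world readable")
    argv = ["ssh", "-i", str(key), "-o", "BatchMode=yes"]
    if config_file:
        argv += ["-F", str(config_file)]          # e.g. /etc/ssh/web_ssh_config (assumed path)
    if known_hosts:
        # Pin the firewall's host key in a file the web user can read, instead
        # of relying on ~/.ssh/known_hosts, which does not exist for that user.
        argv += ["-o", f"UserKnownHostsFile={known_hosts}",
                 "-o", "StrictHostKeyChecking=yes"]
    argv.append(f"{user}@{host}")
    return argv


def run_remote(host, user, identity_file, remote_cmd,
               config_file=None, known_hosts=None, timeout=30):
    """Run remote_cmd on host over ssh and return (returncode, stdout, stderr)."""
    argv = build_ssh_argv(host, user, identity_file, config_file, known_hosts)
    # No shell=True: argv goes straight to execve, so form input cannot add
    # local commands.  remote_cmd is still parsed by the remote shell, so build
    # it only from validated fields (hostname, command name), never raw text.
    proc = subprocess.run(argv + [remote_cmd], capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr
```

From the Django view, call run_remote with the key and config paths that the Apache user can read (for example under the app's own directory) rather than anything under /root or the developer's home.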