
If you have a simple answer to this question, spare yourself reading the following; I'm interested in a solution to my requirement.

The purpose is to securely redirect (finally specific) uploads from a serverA to another serverB automatically. On the client there is an upload form ( <form class="dropzone" enctype="multipart/form-data" action="upload.php" method="POST"> ...), which calls upload.php on serverA. The upload to serverA works fine. On serverA there is a script that is supposed to transfer the uploaded file to serverB, triggered by upload.php (without me as a user being logged in to serverA!).

Here is what I have done, in case you think this might be a practical path (one where I didn't find the end)...

upload.php:

<?php
$uploaddir = './uploads/';
// basename() strips any directory part the client sent along with the file name
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
echo '<pre>';
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
        echo "File is valid, and was successfully uploaded to A.\n";
        echo "Now: call of scp-up.sh $uploadfile :\n\n";
        // The file name comes from the client and is interpolated into a shell
        // command, so it has to be quoted for the shell (escapeshellarg).
        echo (shell_exec("./scp-up.sh " . escapeshellarg($uploadfile)));
} else {
        echo "Upload to server A failed\n";
}
echo "Debug info of upload.php:\n";
print_r($_FILES);
echo '</pre>';
?>

This works fine and files are properly stored in the uploads directory of serverA.
Now the script scp-up.sh is called for the transfer to serverB:

scp-up.sh:

#!/bin/bash
echo "scp $1"
# "$1" is quoted so a file name with spaces or glob characters is passed as one argument
scp -v -B -i ./.ssh/id_rsa -o IdentitiesOnly=yes -o KexAlgorithms=ecdh-sha2-nistp256 "$1" ssh-userb@serverb.kasserver.com:/www/htdocs/web/uploads/ 2>&1

When I'm logged in and use that script with a file name, it works.
But not when it runs on its own.

First I tried without the -o options, which produced "Host key verification failed" at an early stage, and an id_rsa-cert.pub was missing. So I generated a new key pair with ssh-keygen -f ca_key and made the cert with ssh-keygen -s ca_key -I server-b -h -n serverb.kasserver.com ./id_rsa.pub .

Now I have these files

-rwx------ 1 ssh-usera usera 1679 Aug 16 18:23 ca_key
-rwx------ 1 ssh-usera usera  402 Aug 16 18:23 ca_key.pub
-rwx------ 1 ssh-usera usera 1679 Aug 16 17:45 id_rsa
-rwx------ 1 ssh-usera usera 1375 Aug 16 18:35 id_rsa-cert.pub
-rwx------ 1 ssh-usera usera  402 Aug 16 18:03 id_rsa.pub
-rwx------ 1 ssh-usera usera  444 Aug 16 17:45 known_hosts

as you can see: all chmodded to 700.

Result: the cert is no longer missing, but "Host key verification failed" now comes at a late stage.

Here is the output:

File is valid, and was successfully uploaded to A.
Now: call of scp-up.sh ./uploads/ACT_0180.jpg :

scp ./uploads/ACT_0180.jpg
Executing: program /usr/bin/ssh host serverb.kasserver.com, user ssh-userb, command scp -v -t /www/htdocs/userb/web/uploads/
OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL 1.0.2g  1 Mar 2016
debug1: Connecting to serverb.kasserver.com [85.13.888.999] port 22.
debug1: Connection established.
debug1: identity file ./.ssh/id_rsa type 1
debug1: identity file ./.ssh/id_rsa-cert type 5
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.10 pat OpenSSH* compat 0x04000000
debug1: Authenticating to serverb.kasserver.com:22 as 'ssh-userb'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:  compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC:  compression: none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:DXdT/AyN2+QYF2P7/ZFP9P4JsHlGrCCTBOx1zmDaSy8
Host key verification failed.
lost connection

Debug info of upload.php:
Array
(
    [file] => Array
        (
            [name] => ACT_0180.jpg
            [type] => image/jpeg
            [tmp_name] => /tmp/phpanRmnx
            [error] => 0
            [size] => 621562
        )

)

For comparison: here is the output of the successfully run script, when I am logged in:
https://pastebin.com/raw/p5JAT9FC

(I tried to use -o KexAlgorithms=ecdsa-sha2-nistp256 in the scp-command, but this fails at once.)

To be clear, I didn't quite understand the cert concept, so parts of it could be missing. In this respect I'm only asking for help if this path (scp with keys and a cert) is a good one. If you know a simpler approach to reach the goal, I'm rather interested in learning about that!

Any idea?

Since there are A LOT of possibilities for the layman, I would very much appreciate answers that rely on knowledge and/or experience, not on assumptions...

Thank you very much in advance!

NicolasK
  • Looks like you need the full/absolute path to the key file instead of this `./.ssh/id_rsa` – Ivan Aug 17 '20 at 11:59
  • It looks like you ran the command as root in your successful example. How about the unsuccessful case? What user is the command running as then? – Kenster Aug 17 '20 at 12:45
  • @Ivan: I first tried with absolute paths, but the script -- when called by a web request -- seemed not to have access to that. Something like "no such file" was the answer. – NicolasK Aug 17 '20 at 15:30
  • @Kenster: this is on a normal web-hosting space at all-inkl, I have no root there. And which user the script runs as? I don't know... – NicolasK Aug 17 '20 at 15:32
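
Added example, not part of the question or its comments. The scp -v output above shows that ssh did find ./.ssh/id_rsa relative to the working directory, but the host key check does not look there: without -o UserKnownHostsFile, ssh reads ~/.ssh/known_hosts of whichever user the web server runs PHP as, and with -B (batch mode) it cannot prompt to accept a new key, so an unknown host key ends in "Host key verification failed" whatever KexAlgorithms is set to. When you are logged in and run the script from your home directory, ./.ssh and ~/.ssh are the same directory, which is why it works there. The certificate step is unrelated: ssh-keygen -s ... -h issues a host certificate, and the "identity file ./.ssh/id_rsa-cert" debug line is just ssh optionally loading a certificate next to the key; plain public-key login needs none. The wrapper below shows the shape that runs unattended: every path absolute, the host key pinned in a dedicated known_hosts file, and the file name validated before it reaches the shell. The directory names, the location of the deploy key and the ecdsa key type are assumptions; adjust them to the actual hosting layout.

```shell
#!/bin/bash
# Added example (not from the original post): run scp non-interactively from a
# web-server context, with every path absolute and the host key pinned.
# Assumptions (adjust to the real hosting layout):
#   UPLOAD_DIR  directory upload.php writes into (absolute path)
#   SSH_DIR     directory holding the deploy key and a pinned known_hosts,
#               readable by the user the web server runs PHP as
#   REMOTE      destination user@host, REMOTE_DIR destination directory
set -u

UPLOAD_DIR="${UPLOAD_DIR:-/www/htdocs/usera/uploads}"
SSH_DIR="${SSH_DIR:-/www/htdocs/usera/.ssh-upload}"
REMOTE="${REMOTE:-ssh-userb@serverb.kasserver.com}"
REMOTE_DIR="${REMOTE_DIR:-/www/htdocs/web/uploads/}"

# validate_upload NAME
# Accept only a plain file name that exists as a regular file directly inside
# UPLOAD_DIR and print its absolute path. Rejects traversal, option-looking
# names and anything PHP did not actually store. Returns 1 on rejection.
validate_upload() {
  local base
  base=$(basename -- "$1")
  case "$base" in
    ''|.|..|-*|*[![:alnum:]._-]*) return 1 ;;
  esac
  [ -f "$UPLOAD_DIR/$base" ] || return 1
  printf '%s\n' "$UPLOAD_DIR/$base"
}

# scp_cmd print|exec ABS_PATH
# Build the scp argument list once; "print" shows it one element per line
# (for logging or checking without touching the network), "exec" runs it.
# UserKnownHostsFile + StrictHostKeyChecking=yes make the host check independent
# of the calling user's HOME; -B forbids prompts, so a mismatch fails loudly.
scp_cmd() {
  local mode="$1" src="$2"
  set -- scp -q -B \
    -i "$SSH_DIR/id_rsa" \
    -o IdentitiesOnly=yes \
    -o UserKnownHostsFile="$SSH_DIR/known_hosts" \
    -o StrictHostKeyChecking=yes \
    "$src" "$REMOTE:$REMOTE_DIR"
  if [ "$mode" = print ]; then printf '%s\n' "$@"; else "$@" 2>&1; fi
}

# pin_host_key
# One-time step, run while logged in: record serverB's host key in the pinned
# known_hosts file and print its fingerprint for comparison with what the
# hoster publishes (or the SHA256 line in the scp -v output).
pin_host_key() {
  local host="${REMOTE#*@}"
  mkdir -p "$SSH_DIR" && chmod 700 "$SSH_DIR"
  ssh-keyscan -t ecdsa "$host" >> "$SSH_DIR/known_hosts" 2>/dev/null || return 1
  ssh-keygen -l -f "$SSH_DIR/known_hosts"
}

# preflight
# Check the things that differ between "logged in as me" and "run by the web
# server": key and known_hosts must exist at absolute paths the web user can
# read, and the private key must be mode 600 or ssh refuses to use it.
preflight() {
  [ -r "$SSH_DIR/id_rsa" ] || { echo "key not readable: $SSH_DIR/id_rsa" >&2; return 1; }
  [ -r "$SSH_DIR/known_hosts" ] || { echo "no pinned known_hosts in $SSH_DIR" >&2; return 1; }
  [ -n "$(find "$SSH_DIR/id_rsa" -perm 600)" ] || { echo "id_rsa must be mode 600" >&2; return 1; }
}

# transfer NAME
# What upload.php should call: validate, preflight, then run scp.
transfer() {
  local src
  src=$(validate_upload "$1") || { echo "rejected: $1" >&2; return 2; }
  preflight || return 3
  scp_cmd exec "$src"
}

if [ $# -gt 0 ]; then transfer "$1"; fi
```

Run pin_host_key once while logged in and compare the fingerprint it prints with the SHA256 line in the failing output above before relying on it; afterwards upload.php calls the script with the bare file name (escapeshellarg'd), and the script resolves it inside UPLOAD_DIR itself rather than trusting a client-influenced path.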

0 Answers