 

SSH connections with PHP

Tags: linux, php, ssh

I'm currently working on a project to make changes to the system with PHP (e.g. changing the Nginx config file / restarting services).

The PHP scripts are running on localhost. In my opinion the best (read: most secure) way is to use SSH to make a connection. I'm considering one of the following options:

Option 1: store username / password in php session and prompt for sudo

Using phpseclib with a username / password, save these values in a php session and prompt for sudo for every command.

Option 2: use root login

Using phpseclib with the root username and password in the login script. In this case you don't have to ask the user for sudo. (not really a safe solution)

<?php
// phpseclib (pre-namespaced Net_SSH2 API): password login as root.
// The root password is hard-coded in the script, which is the weakness of this option.
include('Net/SSH2.php');

$ssh = new Net_SSH2('www.domain.tld');
if (!$ssh->login('root', 'root-password')) {
    exit('Login Failed');
}
?>

Option 3: Authenticate using a public key read from a file

Use the PHP SSHlib with a public key to authenticate and place the pubkey outside the www root.

<?php
// ssh2 PECL extension: public-key login. The key pair and its passphrase are
// read from a path outside the web root, not from the script itself.
$connection = ssh2_connect('shell.example.com', 22, array('hostkey' => 'ssh-rsa'));
if (!$connection) {
    die('Connection Failed');
}
if (ssh2_auth_pubkey_file($connection, 'username', '/home/username/.ssh/id_rsa.pub', '/home/username/.ssh/id_rsa', 'secret')) {
    echo "Public Key Authentication Successful\n";
} else {
    die('Public Key Authentication Failed');
}
?>

Option 4: ?

Citizen SP asked Nov 20 '12


1 Answer

I suggest you do this in 3 simple steps:

First. Create another user (for example runner) and make your sensitive data (like user/pass, private key, etc.) accessible only to this user. In other words, deny your PHP code any access to this data.

Second. After that, create a simple blocking fifo pipe and grant write access to your PHP user.

Last. And finally, write a simple daemon to read lines from the fifo and execute them, for example via the ssh command. Run this daemon as the runner user.

To execute a command you just need to write your command to the file (fifo pipe). Outputs could be redirected to another pipe or some simple files if needed.

To make the fifo, use this simple command:

mkfifo "FIFONAME"

The runner daemon would be a simple bash script like this:

#!/bin/bash
# Runner daemon: runs as the "runner" user, reads one command per line from
# the fifo and forwards it to the upstream host over ssh (runner's own key).
while true
do
    # Opening the fifo for reading blocks until the PHP side writes a line.
    IFS= read -r cmd < FIFONAME || continue
    # Validate the command
    ssh 192.168.0.1 "$cmd"
done

After this you can trust your code: if your PHP code is completely hacked, your upstream server is still secure. In such a case, the attacker could not access your sensitive data at all. He can send commands to your runner daemon, but if you validate the commands properly, there's no worry.

:-)

Ehsan answered Oct 17 '22
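The answer's whole security argument rests on the line marked "# Validate the command": if the daemon passes whatever it reads from the fifo straight to `ssh host "$cmd"`, a compromised PHP process gets arbitrary command execution on the upstream host, just without the key. The script below is an added example, not part of the answer above, showing the shape of that validation as an allowlist: the fifo carries short request names, and only the fixed commands mapped to those names are ever sent over ssh. The fifo path, identity file, the three nginx actions (chosen to match the question's use case) and the `--daemon` flag are hypothetical; the upstream address is the one used in the answer.

```bash
#!/bin/bash
# Added example: allowlist-based runner daemon (hypothetical paths and commands).
# Run as the "runner" user:  ./runner.sh --daemon

FIFO="${FIFO:-/var/run/runner.fifo}"                  # assumed fifo, writable by the PHP user
UPSTREAM="${UPSTREAM:-192.168.0.1}"                   # upstream host from the answer
IDENTITY="${IDENTITY:-/home/runner/.ssh/id_ed25519}"  # assumed key, readable only by runner

# Map a request name to the exact remote command it is allowed to trigger.
# The request text itself is never handed to a shell or to ssh, so any
# metacharacters an attacker puts in the fifo are never interpreted.
allowed_command() {
    case "$1" in
        nginx-test)    printf '%s' 'sudo /usr/sbin/nginx -t' ;;
        nginx-reload)  printf '%s' 'sudo /bin/systemctl reload nginx' ;;
        nginx-restart) printf '%s' 'sudo /bin/systemctl restart nginx' ;;
        *)             return 1 ;;
    esac
}

# Validate one request line: non-empty, only [A-Za-z0-9-], and present in the table.
validate_request() {
    local req="$1"
    case "$req" in
        *[!A-Za-z0-9-]*|'') return 1 ;;
    esac
    allowed_command "$req" > /dev/null
}

# Look the request up and run the mapped command upstream; reject anything else.
run_request() {
    local req="$1" remote
    if ! validate_request "$req"; then
        echo "rejected request: $req" >&2
        return 1
    fi
    remote=$(allowed_command "$req")
    # BatchMode: never prompt; strict host key checking: fail instead of trusting a new key.
    ssh -i "$IDENTITY" -o BatchMode=yes -o StrictHostKeyChecking=yes "$UPSTREAM" "$remote"
}

# Main loop: one request per open of the fifo, as in the answer's script.
main_loop() {
    while true
    do
        IFS= read -r req < "$FIFO" || continue
        run_request "$req"
    done
}

# Only start the blocking loop when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--daemon" ]; then
    main_loop
fi
```

The PHP side then writes a single request name followed by a newline to the fifo (one request per write, since the daemon reads one line per open), and the only thing an attacker who controls the PHP process can do is trigger one of the three predefined actions. Changing what the upstream host will accept is still a matter of that host's sudoers configuration for the runner key's account; the allowlist here is the first gate, not the only one.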