Best way to replace sshd?

Open ppbrown opened this issue 5 years ago • 2 comments

I would ask this through a forum or something, but don't see anything like that available. Was wondering about the best way to close off a server to everything but https traffic, and then allow "login" via webconsole over https, instead of also running externally visible sshd.

To be precise: rather than prompt for a "username and password" that is embedded in the script, prompt for an actual unix-level username and password, and then give a tty session as THAT user, rather than the web user.

Maybe this could be added to the FAQ?

ppbrown avatar Nov 05 '19 20:11 ppbrown

do you have the answers?

ridyanto avatar Aug 21 '20 12:08 ridyanto

Since the webconsole.php runs as the web user, I'm pretty sure that you cannot switch to any other user — unless (not tested!) you configure your web server to run PHP scripts as root, which you should never do!

The FAQ explains a tricky way to accomplish running as root from the opened shell, assuming that the web server's user is part of the sudoers group (another very dangerous thing to do, but...).

@ppbrown, if you have access via WebConsole to the /etc/shadow file, you can receive the password, go through the required steps to produce the hash (e.g. checking for the hashing algorithm and the salt), and compare the result with what's stored on /etc/shadow. If it matches, then that user is authenticated!

Alas, most web server configurations will prevent access to /etc/shadow. However, if you have a configuration that does allow it, you can try to follow the instructions posted here: https://stackoverflow.com/questions/1459682/check-unix-username-and-password-in-a-shellscript/1459778#1459778

Another source for some explanations: https://ubuntuforums.org/archive/index.php/t-1232715.html

One possibility seems to be to use PAM authentication from within PHP, as discussed on this old thread in StackOverflow. It refers to a PECL extension, PAM. If you have the possibility to install it, it's worth a try (it's being kept up to date!); there are plenty of guides around there, some old, some new (a few links are provided in the StackOverflow thread; most are gone, but not all).

GwynethLlewelyn avatar Jul 29 '22 12:07 GwynethLlewelyn
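The shadow-file check described in the comment above, worked through as an added example; this is not code from web-console or from anyone in this thread. It parses a constructed /etc/shadow-style text (real shadow data is deliberately unreadable to the web user), re-hashes the candidate password with the algorithm and salt taken from the stored hash via PHP's built-in `crypt()`, and compares with `hash_equals()` so the comparison is constant time. The `check_via_pam()` helper shows the PAM alternative the comment mentions; the `pam_auth()` signature used there is assumed from the PECL pam extension's documentation and the function only exists when that extension is installed.

```php
<?php
// Added example: verify a Unix username/password against a shadow-style entry.
// Demo data is constructed here; nothing is read from the real /etc/shadow.

/** Parse /etc/shadow-format text into [username => password-hash field]. */
function parse_shadow(string $shadowText): array
{
    $entries = [];
    foreach (preg_split('/\R/', trim($shadowText)) as $line) {
        if ($line === '') {
            continue;
        }
        // shadow(5) layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
        $fields = explode(':', $line);
        if (count($fields) < 2) {
            continue;
        }
        $entries[$fields[0]] = $fields[1];
    }
    return $entries;
}

/**
 * True only if $password matches the stored hash for $username.
 * Locked or passwordless accounts (empty, '!' or '*' hash field) never match.
 */
function check_unix_password(array $shadow, string $username, string $password): bool
{
    if (!isset($shadow[$username])) {
        // Hash anyway so an unknown user costs the same time as a wrong password
        // (constructed dummy salt, 16 chars from the crypt salt alphabet).
        crypt($password, '$6$' . 'dummysaltdummysa' . '$');
        return false;
    }
    $stored = $shadow[$username];
    if ($stored === '' || $stored[0] === '!' || $stored[0] === '*') {
        return false;
    }
    // crypt() takes the algorithm id ($6$ = SHA-512 crypt), any rounds= option
    // and the salt from the stored string, so passing the whole stored hash as
    // the "salt" argument reproduces exactly the scheme used when it was set.
    $candidate = crypt($password, $stored);
    return hash_equals($stored, $candidate);
}

/**
 * Same check through PAM, using the PECL pam extension if it is loaded.
 * Assumed signature: pam_auth(string $username, string $password, string &$error).
 */
function check_via_pam(string $username, string $password): bool
{
    if (!function_exists('pam_auth')) {
        return false;
    }
    $error = '';
    return pam_auth($username, $password, $error);
}

// --- constructed demo data ---
// Build a SHA-512 crypt hash for a demo password with a fixed 16-char salt,
// then assemble shadow lines around it (values chosen for the demo only).
$demoHash   = crypt('correct horse battery staple', '$6$' . 'constructedsalt1' . '$');
$demoShadow = "alice:{$demoHash}:19000:0:99999:7:::\n"
            . "bob:!:19000:0:99999:7:::\n"       // locked account
            . "nobody:*:19000:0:99999:7:::\n";   // no password at all

$shadow = parse_shadow($demoShadow);

foreach ([
    ['alice', 'correct horse battery staple'],
    ['alice', 'wrong password'],
    ['bob',   'anything'],
    ['carol', 'anything'],
] as [$user, $pass]) {
    printf("%-6s %s\n", $user, check_unix_password($shadow, $user, $pass) ? 'accepted' : 'rejected');
}
```

Only the `alice` line with the matching password is accepted; the wrong password, the locked `bob` account, and the unknown `carol` are all rejected. Running this against the real `/etc/shadow` would require the web server user to read a root-only file, which is exactly the exposure the comment above advises against, so the PAM route (or a separate privileged helper) is the sounder design when the extension can be installed.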