
At the VPS SSH I put:

    admin@bpm3i:~$ ssh -vT git@bitbucket.org
    OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
    debug1: Reading configuration data /home/admin/.ssh/config
    debug1: /home/admin/.ssh/config line 1: Applying options for bitbucket.org
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to bitbucket.org [131.103.20.168] port 22.
    debug1: Connection established.
    debug1: identity file /home/admin/ssh/id_rsa type -1
    debug1: identity file /home/admin/ssh/id_rsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
    debug1: Host 'bitbucket.org' is known and matches the RSA host key.
    debug1: Found key in /home/admin/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/admin/.ssh/id_rsa
    debug1: Remote: Forced command: conq username:workquality
    debug1: Remote: Port forwarding disabled.
    debug1: Remote: X11 forwarding disabled.
    debug1: Remote: Agent forwarding disabled.
    debug1: Remote: Pty allocation disabled.
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug1: Remote: Forced command: conq username:workquality
    debug1: Remote: Port forwarding disabled.
    debug1: Remote: X11 forwarding disabled.
    debug1: Remote: Agent forwarding disabled.
    debug1: Remote: Pty allocation disabled.
    debug1: Authentication succeeded (publickey).
    Authenticated to bitbucket.org ([131.103.20.168]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    logged in as workquality.

    You can use git or hg to connect to Bitbucket. Shell access is disabled.
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
    debug1: channel 0: free: client-session, nchannels 1
    Transferred: sent 2752, received 2888 bytes, in 0.3 seconds
    Bytes per second: sent 10079.8, received 10577.9
    debug1: Exit status 0

And everything is fine.

I do the same on the PHP CLI:

    admin@bpm3i:~$ php -a
    Interactive shell

    php > echo exec('ssh -vT git@bitbucket.org');
    OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
    debug1: Reading configuration data /home/admin/.ssh/config
    debug1: /home/admin/.ssh/config line 1: Applying options for bitbucket.org
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to bitbucket.org [131.103.20.167] port 22.
    debug1: Connection established.
    debug1: identity file /home/admin/ssh/id_rsa type -1
    debug1: identity file /home/admin/ssh/id_rsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
    debug1: Host 'bitbucket.org' is known and matches the RSA host key.
    debug1: Found key in /home/admin/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/admin/.ssh/id_rsa
    debug1: Remote: Forced command: conq username:workquality
    debug1: Remote: Port forwarding disabled.
    debug1: Remote: X11 forwarding disabled.
    debug1: Remote: Agent forwarding disabled.
    debug1: Remote: Pty allocation disabled.
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug1: Remote: Forced command: conq username:workquality
    debug1: Remote: Port forwarding disabled.
    debug1: Remote: X11 forwarding disabled.
    debug1: Remote: Agent forwarding disabled.
    debug1: Remote: Pty allocation disabled.
    debug1: Authentication succeeded (publickey).
    Authenticated to bitbucket.org ([131.103.20.167]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
    debug1: channel 0: free: client-session, nchannels 1
    debug1: fd 1 clearing O_NONBLOCK
    Transferred: sent 2752, received 2888 bytes, in 0.3 seconds
    Bytes per second: sent 10205.4, received 10709.8
    debug1: Exit status 0
    You can use git or hg to connect to Bitbucket. Shell access is disabled.

Looks good.

And then on PHP CGI (Apache):

    <?php echo exec("ssh -vT git@bitbucket.org 2>&1");?>

And I get: Permission denied (publickey).

Before that, I do:

I log in as 'admin' and generate an SSH key,

verify the user:

    exec('whoami'); // admin
    exec('echo ~'.$user); // /home/admin

I don't know what is wrong with it. It's OK on SSH and PHP CLI, but on a webserver it doesn't work. Please help. Thanks!

2 Answers

The Apache user (www-data) doesn't have read access to the file which contains your user's SSH key, so it is not able to execute the command, as Linux is trying to execute it as user www-data with the CGI.

As for the exec('whoami'); and exec('echo ~'.$user); commands, I think you are currently running them directly; try running them from within a PHP file and executing it via the webserver, and you should definitely see a different user.

So instead, generate an SSH key for the Apache user as mentioned here (check the other answers as well):

    sudo -u apache ssh-keygen -t rsa

And add the public key with read-only access on your Bitbucket account.


1 Comment

I generated two SSH keys, one for admin and the other for www-data (the Apache user), and I put those in the Bitbucket user settings and it works! Thanks for your reply.

This is because ssh will by default try to find your SSH key in your home directory, i.e. in admin's home directory.

When you execute it via Apache, the script runs with a home directory far from admin's. While you can pass the path to the key via the command line (ssh -i /path/to/key), it would be very insecure to give Apache read access to admin's key.

I would create a separate SSH key and use it only for Bitbucket, with read access. Then place it into a folder accessible by Apache, but not browsable over the web.

You can now use the following shell_exec() call to test the connection:

    <?php echo shell_exec("ssh -i /path/to/key -vT git@bitbucket.org 2>&1");?>
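The approach from both answers (a key that belongs to the web-server user, kept outside the document root and passed with -i) written out as a complete, non-interactive test page. This is an added example, not code from the question or either answer; the directory /var/lib/www-ssh/, the key file name and the known_hosts file are assumptions, and the key is assumed to be owned by the web-server user with mode 0600.

```php
<?php
// Added example: test Bitbucket SSH access from a web request using a key
// dedicated to the web-server user (www-data / apache), never admin's key.
// Assumed layout: /var/lib/www-ssh/ sits outside the document root, is owned
// by the web-server user with mode 0700, and holds the key and a known_hosts.
const SSH_KEY_PATH   = '/var/lib/www-ssh/bitbucket_deploy_key';
const KNOWN_HOSTS    = '/var/lib/www-ssh/known_hosts';
const BITBUCKET_HOST = 'git@bitbucket.org';

// The original failure was a key the CGI user could not read. Check that first,
// and also that the key is private to its owner: ssh refuses group/world-readable
// keys, and a clear message beats a bare "Permission denied (publickey)".
function keyIsUsable(string $path): bool
{
    if (!is_file($path) || !is_readable($path)) {
        return false;
    }
    return ((fileperms($path) & 0777) & 0077) === 0;   // no group/other bits
}

// BatchMode stops ssh from hanging on a passphrase or host-key prompt under
// Apache; IdentitiesOnly keeps it from offering keys from $HOME or an agent;
// an explicit known_hosts is needed because www-data's HOME normally has none,
// and StrictHostKeyChecking=yes refuses an unknown or changed host key.
function buildSshCommand(string $key, string $knownHosts, string $target): string
{
    return 'ssh -T'
        . ' -o BatchMode=yes'
        . ' -o IdentitiesOnly=yes'
        . ' -o StrictHostKeyChecking=yes'
        . ' -o UserKnownHostsFile=' . escapeshellarg($knownHosts)
        . ' -i ' . escapeshellarg($key)
        . ' ' . escapeshellarg($target)
        . ' 2>&1';
}

function testBitbucketAccess(): array
{
    if (!keyIsUsable(SSH_KEY_PATH)) {
        return ['ok' => false, 'output' => 'deploy key missing, unreadable by the web-server user, or too permissive'];
    }
    exec(buildSshCommand(SSH_KEY_PATH, KNOWN_HOSTS, BITBUCKET_HOST), $lines, $status);
    // Bitbucket answers "logged in as <user>." and exits 0 when the key is accepted.
    $ok = $status === 0 && preg_grep('/^logged in as /', $lines) !== [];
    return ['ok' => $ok, 'output' => implode("\n", $lines)];
}

$result = testBitbucketAccess();
header('Content-Type: text/plain');
echo ($result['ok'] ? 'OK' : 'FAILED') . "\n" . $result['output'] . "\n";
```

Populate the known_hosts file once, out of band, with bitbucket.org's host key and compare its fingerprint against the one Bitbucket publishes; the debug output in the question shows the fingerprint the admin account already trusts.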
