
I have a private key file that will be used in the following two use-cases:

  • ssh -i /path/to/private/key within the terminal -- requires a 600 permission set
  • A file_get_contents() statement within PHP -- requires a more open permission set

The file currently has permissions set to 600 to allow usage within SSH via the terminal. However, because of this, I get a permission denied error when trying to read the file within PHP.

Please can anyone suggest a viable solution, whilst maintaining good security on the key file, to enable me to use the same key file for both the aforementioned use-cases?


Edit: For clarification, I'm using PHPSecLib (as opposed to PECL's SSH2 extension), to connect to an Amazon EC2 instance within PHP. The following is a code example:

require_once 'Crypt/RSA.php'; // phpseclib 0.3.x, on the include path
require_once 'Net/SSH2.php';

$key = new Crypt_RSA();
$key->loadKey(file_get_contents('private_key.pem')); // this read is what fails with 600

$ssh = new Net_SSH2('amazon-ec2-ip');
if (!$ssh->login('ubuntu', $key)) { // HERRO PRIVATE KEY
    exit('Login failed');
}
    Why in Lord's name do you want to be able to file_get_contents() a private SSH key? This reeks of you're-doing-it-wrong... Seriously, what purpose do you have reading in the private key that you need it available for both?
    – ircmaxell
    Commented Aug 27, 2013 at 16:34
  • I guess he wants to retrieve a file via ssh/scp and PHP has some way to specify a private key to use for this. Anyway, I agree that this is a horrible idea.
    Commented Aug 27, 2013 at 16:38
  • Updated with clarification. I'm creating an SSH connection within PHP, and this requires a private key. It's (I assume) a valid purpose, hence why I asked for a solution that maintains good security (if there is one) :)
    – James
    Commented Aug 27, 2013 at 16:43
  • Then create a new, separate private key... Don't re-use keys for multiple purposes...
    – ircmaxell
    Commented Aug 27, 2013 at 16:44

2 Answers


If you were to use suPHP, you could run the script under the same user that owns the key.

EDIT:

Based on your clarification (and others comments), it would likely be best to generate a new key specifically for the purpose of your script and give it the permissions of your web user. It is usually best to have a new key set up per user/script.

For more information on why this is best practice, have a look at this and this link.


If you care at all about the security of your private key, your only real option is to generate a different private key to use with the PHP script; this key would preferably be associated with a forced command on the server side, to limit the exposure resulting from the private key being compromised.

If you don't care at all about the security of your private key, you could recompile the SSH client from source so that it can be coerced into not caring about the permissions on your private key file.

And if you just don't care at all about security, period, then you could run the PHP script, and thus (presumably) the web server, under your own user account.
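A worked version of the setup both answers recommend (a dedicated key owned by the web user, locked to a forced command on the EC2 side), added here as an example; it is not code from either answer. It assumes the web server runs as www-data, the dedicated key lives at /var/lib/php-deploy/ec2_deploy_key, and a hypothetical /usr/local/bin/deploy.sh on the instance is the only thing that key may run; adjust those names to your own layout.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumed names:
#   WEB_USER  the user the PHP/web server runs as
#   KEY_PATH  where the dedicated private key lives on the web host
#   /usr/local/bin/deploy.sh  hypothetical forced command on the EC2 instance
set -eu

WEB_USER=www-data
KEY_PATH=/var/lib/php-deploy/ec2_deploy_key

# Generate a key used ONLY by the PHP script, never by an interactive user.
# Defined only; call it explicitly on the web host.
make_deploy_key() {
    # $1 = private key path, $2 = comment embedded in the public key
    ssh-keygen -t ed25519 -N '' -f "$1" -C "$2"
}

# Build the authorized_keys line for the EC2 side. sshd runs the forced command
# no matter what the client asks for (the client's request is still visible to
# the command in $SSH_ORIGINAL_COMMAND if it needs to dispatch on it). The no-*
# options strip the capabilities a stolen key would otherwise come with.
restrict_pubkey() {
    # $1 = forced command, $2 = public key line (contents of the .pub file)
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Copy the private key into place, readable by exactly one user: the web user.
# Ownership, not a looser mode, is what lets file_get_contents() read it.
install_private_key() {
    # $1 = source key file, $2 = destination, $3 = owner (chown needs root; skipped when empty)
    cp "$1" "$2"
    chmod 0600 "$2"
    [ -z "${3:-}" ] || chown "$3" "$2"
}

# Octal mode of a file: GNU stat first, BSD stat as the fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 when the key is mode 0600, which is what ssh(1) insists on and
# what a careful PHP script should check before loading the key.
key_mode_ok() {
    [ "$(file_mode "$1")" = "600" ]
}

# Usage on the web host (as root, once):
#   make_deploy_key /root/ec2_deploy_key "php-deploy@$(hostname)"
#   install_private_key /root/ec2_deploy_key "$KEY_PATH" "$WEB_USER"
#   key_mode_ok "$KEY_PATH" && echo "key is 0600 and owned by $WEB_USER"
# Then append this line to ~ubuntu/.ssh/authorized_keys on the EC2 instance:
#   restrict_pubkey /usr/local/bin/deploy.sh "$(cat /root/ec2_deploy_key.pub)"
```

The PHP script then reads $KEY_PATH instead of the key you use from the terminal, and your own terminal key keeps its own 600 mode under your own account. If the web host is ever compromised, the attacker gets a key that can only invoke deploy.sh on the instance, with no shell, PTY or forwarding, and revoking it means deleting one authorized_keys line.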
