Hi!
To relief the problems of accessing a unix machine from behind a
restrictive firewall or from an internet cafe I started to make a
PHP web interface to bash. I'd like to hear your opinions and
advice about my concept, especially regarding security.
There is already such a thing
(http://www.rohitab.com/cgiscripts/cgitelnet.html). However, it
lacks interactive input to programs. To fix this I'd use a frame
that displays the output of login, which turns into a shell that
will run our commands. The whole session output will be a single
http page. The input will be through a form in the small bottom
frame which will be forwarded by a PHP script through a unix
socket to the output PHP script. The output script uses
proc_open() to start login and forwards the data from the input
script through a pipe to login, bash and whatever command is
running. Data from the bash output pipe is sent to the web browser.
The input script will use stream_select() to wait for any data
from the IPC socket or the bash output pipe.
The script that defines the frames creates the socket in the file
system and pass its name to the input/output scripts via URL
parameter. It also generates a secret which the IO scripts use to
authenticate themselves in the unix socket IPC. I believe without
that any evil process could send commands to the output script.
Of course the session must be encrypted with SSL. If no SSL
certificate is bought from a certificate authority then IMO it
should be possible and secure to make a certificate and compare
its fingerprint with a copy on a small paper in a wallet.
What do you think?
Bernhard
--
Webspace; Low end Serverhousing ab 15 e, etc.: http://www.bksys.at
Linux Admin/Programmierer: http://bksys.at/bernhard/services.html
To relief the problems of accessing a unix machine from behind a
restrictive firewall or from an internet cafe I started to make a
PHP web interface to bash. I'd like to hear your opinions and
advice about my concept, especially regarding security.
There is already such a thing
(http://www.rohitab.com/cgiscripts/cgitelnet.html). However, it
lacks interactive input to programs. To fix this I'd use a frame
that displays the output of login, which turns into a shell that
will run our commands. The whole session output will be a single
http page. The input will be through a form in the small bottom
frame which will be forwarded by a PHP script through a unix
socket to the output PHP script. The output script uses
proc_open() to start login and forwards the data from the input
script through a pipe to login, bash and whatever command is
running. Data from the bash output pipe is sent to the web browser.
The input script will use stream_select() to wait for any data
from the IPC socket or the bash output pipe.
The script that defines the frames creates the socket in the file
system and pass its name to the input/output scripts via URL
parameter. It also generates a secret which the IO scripts use to
authenticate themselves in the unix socket IPC. I believe without
that any evil process could send commands to the output script.
Of course the session must be encrypted with SSL. If no SSL
certificate is bought from a certificate authority then IMO it
should be possible and secure to make a certificate and compare
its fingerprint with a copy on a small paper in a wallet.
What do you think?
Bernhard
--
Webspace; Low end Serverhousing ab 15 e, etc.: http://www.bksys.at
Linux Admin/Programmierer: http://bksys.at/bernhard/services.html
Comment