When we set up whip, our old workhorse server, a couple years ago, we disabled password-based ssh logins, choosing to only allow access via public keys.  However, I occasionally needed the ability to access the system when I didn't have ready access to my private key (like when using someone else's / a public computer).  I came up with a system that would enable password-based ssh login for a period of time and then re-disable it.  This post describes that technique.  The system was actuated by a button on an internal (private) web page (as described below).  On the same page, I had a link to the MindTerm applet, also installed on the server.  This applet, which provides a terminal-like canvas with an ssh session, allowed me to access the server with only a Java-enabled browser.

The system was run by a button press on a page.  The page was only accessible via a simple-auth challenge (page served over SSL) to prevent shenanigans.  The button called a .cgi script that would, in turn, run, via sudo, another script that updated the sshd config (allowing password-based logins) and then restarted the sshd service.  This script also forked, the fork sleeping a set amount of time before restoring the original sshd config and (again) restarting sshd.  Note: all paths in these scripts (and related content) are specified with full paths for security.  (Additionally, everything is chmodded as unwritable.) It goes without saying that these paths were particular to the setup on whip...
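
The enable-then-restore step described above, as an added sketch that is not the original whip scripts. Every path, the reload command, the `sshd -t` validation step, the 600-second window and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the original whip scripts. Assumed values: every path,
# the reload command (distro-specific) and the 600-second window.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
BACKUP="${BACKUP:-/etc/ssh/sshd_config.pre-window}"
VALIDATE_CMD="${VALIDATE_CMD:-/usr/sbin/sshd -t -f}"
RELOAD_CMD="${RELOAD_CMD:-/usr/sbin/service ssh restart}"
WINDOW_SECS="${WINDOW_SECS:-600}"

# Print the effective global setting: sshd uses the first value it reads for
# a keyword, and PasswordAuthentication defaults to "yes" when absent.
password_auth_state() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); f = 1; exit }
         END { if (!f) print "yes" }' "$SSHD_CONFIG"
}

# Put the saved config back and reload sshd. The backup doubles as the
# "window is open" marker, and the mv removes it.
restore_config() {
    [ -f "$BACKUP" ] || return 1
    mv "$BACKUP" "$SSHD_CONFIG" && $RELOAD_CMD
}

enable_password_window() {
    # A second press while a window is open would save the *enabled* config
    # as the backup and make password logins permanent, so refuse it.
    [ -e "$BACKUP" ] && return 2
    tmp="$SSHD_CONFIG.new"
    cp -p "$SSHD_CONFIG" "$BACKUP" && cp -p "$SSHD_CONFIG" "$tmp" || return 1
    # Prepending beats any later global "no" (Match blocks can still override).
    { echo "PasswordAuthentication yes"; cat "$BACKUP"; } > "$tmp"
    # Never install a config sshd rejects: that would lock out key logins too.
    if ! $VALIDATE_CMD "$tmp"; then rm -f "$tmp" "$BACKUP"; return 1; fi
    mv "$tmp" "$SSHD_CONFIG" || return 1
    # Detached timer (the "fork" in the post), scheduled before the reload so
    # the restore happens even if the reload itself fails.
    ( sleep "$WINDOW_SECS"; restore_config ) >/dev/null 2>&1 &
    $RELOAD_CMD
}

# Run only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--enable" ]; then enable_password_window; fi
```

The timer does not survive a reboot, so a boot-time call to `restore_config` is a sensible companion if the window can be open when the host goes down.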

Starting from the beginning, here's the chain.  First of all, on the SSL-loaded, simple-auth protected web page offering up the button to temporarily enable password-based ssh logins, I had the following bit of content:

<form action="sshPasswordLogin/enablePasswordSSHLogin.cgi">
<li>SSH password login enable: <input type="submit" value="Go" />
Currently: <font color="red"><!--#exec cmd="/var/www/whipAdmin/localAdmin/sshPasswordLogin/passwordLoginEnabled.sh" --></font>
</li></form>

As you can see, this form button calls the script enablePasswordSSHLogin.cgi (in the directory 'sshPasswordLogin' relative to the current directory).  This script is here: (and attached to this entry -- see below)

