This is a small web automation project I created to execute remote Linux commands through a web server. The web language I used in this project is PHP (it is a little similar to PowerShell, so I was able to grasp it quickly and code the way I want).
With this tool, users who have no access to the Linux server, and with whom you do not share its credentials or password, can check information, or you can have them execute the command they need on the remote Linux server. Here is an example of the web page. You provide your domain username and password and the remote Linux server host or IP, and it executes the uptime command.
Download the PHP_SSH_LDAP.zip project here; it is also available on github.com.
<?php
// Start the session
session_start();
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>AD Authentication and SSH</title>
    <!-- Bootstrap CSS -->
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
    <!-- Bootstrap Icons CSS -->
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons/font/bootstrap-icons.css">
    <style>
        .centerimg {
            display: block;
            margin-left: auto;
            margin-right: auto;
            width: 10%;
        }
    </style>
</head>
<body>
<div class="container custom-container">
<div class="card">
<div class="card-body">
    <img class="centerimg" src="loremlogo.jpg" alt="loremlogo"> <!-- Image above the text -->
    <?php
    // LDAP server settings
    $ldapServer = '192.168.34.11'; //'ldap.vcloud-lab.com';
    $ldapPort = 389; // Default LDAP port

    //Encrypt SSH Password
    //[guid]::NewGuid()
    //C:\xampp\php> php -r "$key = 'dce45e93-c278-4727-bad2-95df27cfbbf0'; $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc')); echo base64_encode(openssl_encrypt('Computer@123', 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv)) . ':::' . base64_encode($iv);"

    // Decrypt SSH Password
    // Encrypted data and IV produced by the command above
    $encryptedDataWithIV = 'LPUKPDQEs3wUewq6OCweZA==:::lXZQ8KFkLa8nTkdLbDrjJw==';

    // Separate the encrypted data and IV
    list($encryptedData, $iv) = explode(':::', $encryptedDataWithIV);

    // Load the encryption key securely from a file or environment variable
    $key = file_get_contents('extras/key'); // Example: 'dce45e93-c278-4727-bad2-95df27cfbbf0' //path/to/secure/key

    // Decode the IV and the encrypted data from base64
    $decodedIV = base64_decode($iv);
    $decodedEncryptedData = base64_decode($encryptedData);

    // Decrypt the data using openssl_decrypt
    $decryptedData = openssl_decrypt($decodedEncryptedData, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $decodedIV);
    //echo $decryptedData;

    // SSH server settings
    $sshUsername = 'ubuntu'; //'ssh_username'; // SSH username (replace with actual username)
    $sshPassword = $decryptedData; //'ssh_password'; // SSH password (replace with actual password)

    // Get LDAP username, password, and SSH IP from form submission
    $ldapUsername = isset($_POST['ldapUsername']) ? $_POST['ldapUsername'] : '';
    $ldapPassword = isset($_POST['ldapPassword']) ? $_POST['ldapPassword'] : '';
    $sshHost = isset($_POST['sshHost']) ? $_POST['sshHost'] : '';

    // Stays false when no password was submitted, so the checks below fail closed.
    // An empty password is never sent to LDAP: a bind with an empty password is
    // treated as an unauthenticated bind and can be reported as successful.
    $ldapConnection = false;
    if ($ldapPassword !== '') {
        // Attempt to connect to LDAP server
        $ldapConnection = @ldap_connect($ldapServer, $ldapPort);
    }

    // Check if connection was successful
    if ($ldapConnection) {
        // Attempt to bind to LDAP server with provided credentials
        $ldapBind = @ldap_bind($ldapConnection, $ldapUsername, $ldapPassword);

        // Check if bind was successful
        if ($ldapBind) {
            //echo "LDAP bind successful<br>";
            echo '<h5 class="mt-4 d-flex justify-content-center align-items-center"> <i class="bi bi-check2-circle" style="color:lime;"></i> Credential verification successful</h5>';

            // Attempt to connect to SSH server
            $connection = @ssh2_connect($sshHost, 22);

            // Check if SSH connection was successful
            if ($connection) {
                // Authenticate with SSH server
                if (@ssh2_auth_password($connection, $sshUsername, $sshPassword)) {
                    //echo "SSH authentication successful<br>";
                    echo '<h5 class="mt-4 d-flex justify-content-center align-items-center"> <i class="bi bi-check2-circle" style="color:lime;"></i> SSH authentication successful</h5>';

                    // SSH command to execute
                    //$command = 'ls -la';
                    $command = 'sudo uptime';

                    // Execute SSH command
                    $stream = ssh2_exec($connection, $command);
                    if ($stream) {
                        // Read command output
                        stream_set_blocking($stream, true);
                        $output = stream_get_contents($stream);
                        fclose($stream);

                        // Output command output, HTML-escaped so the remote text cannot inject markup
                        //echo "Command output:<br>$output";
                        echo "<h6 class='mt-4 d-flex justify-content-center align-items-center'><br><br>Command output:</h6>";
                        echo "<h6 class='mt-4 d-flex justify-content-center align-items-center'>" . htmlspecialchars($output, ENT_QUOTES, 'UTF-8') . "</h6>";
                    } else {
                        //echo "Failed to execute command";
                        echo '<h6 class="mt-4 d-flex justify-content-center align-items-center"> <i class="bi bi-exclamation-triangle" style="color:crimson;"></i> Failed to execute command</h6>';
                    }
                } else {
                    //echo "SSH authentication failed";
                    echo '<h5 class="mt-4 d-flex justify-content-center align-items-center"> <i class="bi bi-exclamation-triangle" style="color:crimson;"></i> SSH authentication failed</h5>';
                }
                // Close SSH connection
                ssh2_disconnect($connection);
            } else {
                //echo "Failed to connect to SSH server";
                echo '<h5 class="mt-4 d-flex justify-content-center align-items-center"> <i class="bi bi-exclamation-triangle" style="color:crimson;"></i> Failed to connect to SSH server</h5>';
            }
        } else {
            //echo "LDAP bind failed: " . ldap_error($ldapConnection);
            // echo "<h5 class='mt-4 d-flex justify-content-center align-items-center'><i class='bi bi-exclamation-triangle' style='color:crimson;'></i> Domain connection failed: . ldap_error($ldapConnection)</h5>";
            echo '<h5 class="mt-4 d-flex justify-content-center align-items-center"> <i class="bi bi-exclamation-triangle" style="color:crimson;"></i> Username or Password incorrect</h5>';
        }
        // Close LDAP connection
        ldap_close($ldapConnection);
    } else {
        //echo "Unable to connect to LDAP server: " . ldap_error($ldapConnection);
        echo '<h5 class="mt-4 d-flex justify-content-center align-items-center"> <i class="bi bi-exclamation-triangle" style="color:crimson;"></i> Username or Password incorrect</h5>';
    }
    echo '<button onclick="window.location.href=\'index.html\'" class="btn btn-primary mt-4 d-flex justify-content-center align-items-center">Go Back to Site</button>';
    ?>
</div>
</div>
</div>
<?php
// remove all session variables
session_unset();
// destroy the session
session_destroy();
?>
</body>
</html>
Once the user's credentials are verified and authenticated against LDAP/Active Directory, the page executes the uptime command defined in the PHP code on the remote Linux server. If everything is good, you will see 2 green checkboxes with the command output.
If the AD domain credentials fail, you see the message "Username or Password incorrect". If you have entered an incorrect or unreachable IP, or the page is not able to connect to SSH, AD authentication will succeed but the connection to the Linux SSH server will fail.
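The flow described above sends the stored SSH password to whichever host the form names, and sends the domain password to the LDAP server on port 389. The following added example (not part of the original project) shows checks that can run before the bind and before SSH authentication; the allow-list, its IP address, the fingerprint placeholder, the function names and the IP-only restriction are assumptions.

```php
<?php
// Added example, not the project's code. The allow-list entry and its
// fingerprint are constructed placeholders.
const ALLOWED_SSH_HOSTS = [
    '192.168.34.21' => 'REPLACE_WITH_HOST_KEY_SHA1_HEX',
];

// Returns null when the form input is acceptable, otherwise the reason.
function rejectReason(string $user, string $password, string $host): ?string
{
    if ($user === '' || $password === '') {
        return 'empty credentials'; // empty password would be an unauthenticated bind
    }
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        return 'host is not an IP address';
    }
    if (!array_key_exists($host, ALLOWED_SSH_HOSTS)) {
        return 'host not on allow-list';
    }
    return null;
}

// LDAP bind that refuses to send the password without TLS.
function ldapCredentialsValid(string $server, string $user, string $password): bool
{
    $conn = ldap_connect("ldap://$server:389");
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $ok = @ldap_start_tls($conn) && @ldap_bind($conn, $user, $password);
    ldap_unbind($conn);
    return $ok;
}

// Compare the server's host key with the pinned value before authenticating.
function hostKeyPinned($session, string $host): bool
{
    $seen = ssh2_fingerprint($session, SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX);
    return hash_equals(strtoupper(ALLOWED_SSH_HOSTS[$host]), strtoupper($seen));
}

// Offline demo on constructed form input (no LDAP or SSH connection is made).
foreach ([['alice', '', '192.168.34.21'], ['alice', 'pw', '10.9.9.9'],
          ['alice', 'pw', '192.168.34.21']] as [$u, $p, $h]) {
    echo "$h: ", rejectReason($u, $p, $h) ?? 'accepted', PHP_EOL;
}
```

Call hostKeyPinned() on the value returned by ssh2_connect() and only then call ssh2_auth_password(); ldap_start_tls() needs the domain controller's certificate to be trusted by the PHP host.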
How to set up this project for testing?
I used Apache server to host this project on a Windows system. I downloaded XAMPP server from https://www.apachefriends.org/download.html and installed it. XAMPP is installed at location C:\xampp.
From location C:\xampp\php, open the file php.ini and enable the LDAP extension library by removing the ; (semicolon) comment marker before the line. This LDAP extension allows you to connect to the AD LDAP server to test the domain credentials provided. Basically, it allows you to use the ldap_connect() function in PHP scripts.
;extension=ldap
to
extension=ldap
Next, to connect to the Linux server via SSH from PHP: since I am using Windows, I need to download the php_ssh2.dll extension library in the version that matches my PHP version. My PHP version on XAMPP is 8.2.x.x. To verify your version of PHP, run the c:\xampp\php\php.exe -v command in PowerShell or cmd.
After checking the PHP version, download the matching php_ssh2.dll from https://github.com/jhanley-com/php-ssh2-windows/blob/master/PHP_8.2/vs16-x64-ts/php_ssh2.zip, extract the file and copy it to C:\xampp\php\ext. Next, modify the php.ini file under c:\xampp\php and add the extension lines below at the end of the file. This allows you to use the ssh2_connect() function to connect to Linux via the SSH protocol through PHP.
[ssh2]
extension=php_ssh2.dll
Download the entire HTML+PHP project PHP_SSH_LDAP.zip here (it is also available on github.com) and copy it into C:\xampp\htdocs. Next, modify the PHP script file ad_ssh_auth.php. On line number 32, add your LDAP server hostname/IP. In my case it is the Active Directory Domain Controller IP. The credentials typed by the user are authenticated against this LDAP server, which validates whether the user provided the correct username and password.
The user does not know the credentials of the Linux SSH server. On line number 59 provide the SSH username, and on line number 41 the SSH password is added in encrypted form. To encrypt the SSH password, use the command below in PowerShell or the command prompt on Microsoft Windows. Generate a new GUID and replace it in the key section on line no 41.
Copy and paste the newly generated GUID into the extras/key file inside the PHP project.
[guid]::NewGuid()
cd C:\xampp\php
# PowerShell: the backtick keeps $key and $iv literal for PHP; leave the backticks out in cmd.exe
# Change the GUID below to the one you generated
.\php.exe -r "`$key = 'dce45e93-c278-4727-bad2-95df27cfbbf0'; `$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc')); echo base64_encode(openssl_encrypt('Computer@123', 'aes-256-cbc', `$key, OPENSSL_RAW_DATA, `$iv)) . ':::' . base64_encode(`$iv);"
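The command above uses AES-256-CBC with a GUID string as the key, which gives no integrity check on the stored blob. As an added example (not part of the original project), the same encrypt and decrypt steps with AES-256-GCM and a 32-byte random key; the function names and the three-part ciphertext:::iv:::tag layout are assumptions that extend the page's ciphertext:::iv format. It also assumes the key file is kept outside C:\xampp\htdocs, where Apache cannot serve it.

```php
<?php
// Added example, not the project's code. Blob layout "ct:::iv:::tag" is an
// assumption that extends the page's "ct:::iv" format with a GCM auth tag.
const CIPHER = 'aes-256-gcm';

function encryptSecret(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 raw bytes');
    }
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER)); // 12 bytes for GCM
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return implode(':::', array_map('base64_encode', [$ct, $iv, $tag]));
}

function decryptSecret(string $blob, string $key): string
{
    $parts = array_map(fn($p) => base64_decode($p, true), explode(':::', $blob));
    if (count($parts) !== 3 || in_array(false, $parts, true)) {
        throw new RuntimeException('malformed blob');
    }
    [$ct, $iv, $tag] = $parts;
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {   // wrong key or modified blob: fail closed
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// Demo with constructed values: a random key instead of a GUID string.
$key  = random_bytes(32);
$blob = encryptSecret('Computer@123', $key);   // sample password from the page
echo decryptSecret($blob, $key), PHP_EOL;      // round trip

// Flip one ciphertext bit: GCM rejects the blob instead of decrypting it.
[$ct, $iv, $tag] = explode(':::', $blob);
$raw = base64_decode($ct);
$raw[0] = chr(ord($raw[0]) ^ 1);
try {
    decryptSecret(base64_encode($raw) . ":::$iv:::$tag", $key);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```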
On line number 95, specify the command you want to execute on the remote Linux server.
All the setup and configuration is now complete. To start the web server, go to the C:\xampp folder and launch the xampp-control.exe program to open the XAMPP control panel. For the Apache module, click the Start button under Actions. Open your hostname/IP or localhost in the browser to check and test this web server.