如果您对这个问题有一个简单的答案,请自己阅读以下内容,我对我的要求的解决方案感兴趣。
目的是自动将上传从服务器 A 安全地重定向(最终特定)到另一个服务器 B。在客户端有一个上传表单 ( <form class="dropzone" enctype="multipart/form-data" action="upload.php" method="POST">...),它调用upload.phpserverA。上传到 serverA 工作正常。在 serverA 上是一个脚本,它将上传的文件传输到 serverB,由 upload.php 触发(没有我作为用户登录到 serverA!)。
在这里我说明我所做的,如果你认为这可能是一条实用的路径(我没有找到终点)......
上传.php:
<?php
$uploaddir = './uploads/';
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
echo '<pre>';
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded to A.\n";
echo "Now: call of scp-up.sh $uploadfile :\n\n";
echo (shell_exec("./scp-up.sh $uploadfile"));
} else {
echo "Upload to server A failed\n";
}
echo "Debug info of upload.php:\n";
print_r($_FILES);
echo '</pre>';
?>
这工作正常,文件正确存储在 serverA 的上传目录中。现在调用
脚本,以传输到 serverB:scp-up.sh
scp-up.sh:
#!/bin/bash
echo "scp $1"
scp -v -B -i ./.ssh/id_rsa -o IdentitiesOnly=yes -o KexAlgorithms=ecdh-sha2-nistp256 $1 ssh-userb@serverb.kasserver.com:/www/htdocs/web/uploads/ 2>&1
当我登录并使用带有文件名的脚本时,它可以工作。
但不是当它独自一人时。
首先,我尝试不使用 -o 选项,这会导致“主机密钥验证失败”处于早期状态,并且id_rsa-cert.pub丢失了一个。所以我生成了一对新的密钥ssh-keygen -f ca_key,并通过ssh-keygen -s ca_key -I server-b -h -n serverb.kasserver.com ./id_rsa.pub.
现在我有这些文件
-rwx------ 1 ssh-usera usera 1679 Aug 16 18:23 ca_key
-rwx------ 1 ssh-usera usera 402 Aug 16 18:23 ca_key.pub
-rwx------ 1 ssh-usera usera 1679 Aug 16 17:45 id_rsa
-rwx------ 1 ssh-usera usera 1375 Aug 16 18:35 id_rsa-cert.pub
-rwx------ 1 ssh-usera usera 402 Aug 16 18:03 id_rsa.pub
-rwx------ 1 ssh-usera usera 444 Aug 16 17:45 known_hosts
如您所见:所有 chmodded 为 700。
结果:证书不再丢失,“主机密钥验证失败”现在处于后期状态。
这是输出:
File is valid, and was successfully uploaded to A.
Now: call of scp-up.sh ./uploads/ACT_0180.jpg :
scp ./uploads/ACT_0180.jpg
Executing: program /usr/bin/ssh host serverb.kasserver.com, user ssh-userb, command scp -v -t /www/htdocs/userb/web/uploads/
OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL 1.0.2g 1 Mar 2016
debug1: Connecting to serverb.kasserver.com [85.13.888.999] port 22.
debug1: Connection established.
debug1: identity file ./.ssh/id_rsa type 1
debug1: identity file ./.ssh/id_rsa-cert type 5
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.10 pat OpenSSH* compat 0x04000000
debug1: Authenticating to serverb.kasserver.com:22 as 'ssh-userb'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:DXdT/AyN2+QYF2P7/ZFP9P4JsHlGrCCTBOx1zmDaSy8
Host key verification failed.
lost connection
Debug info of upload.php:
Array
(
[file] => Array
(
[name] => ACT_0180.jpg
[type] => image/jpeg
[tmp_name] => /tmp/phpanRmnx
[error] => 0
[size] => 621562
)
)
为了比较:这是成功完成脚本的输出,当我登录时:
https ://pastebin.com/raw/p5JAT9FC
(我尝试-o KexAlgorithms=ecdsa-sha2-nistp256在 scp-command 中使用,但这一次失败了。)
说得很清楚,我不太了解证书概念,所以其中的一部分可能会丢失。在这方面,如果这条路径(带有密钥和证书的 scp)是一个好的路径,我只寻求帮助。如果您知道实现目标的更简单的方法,我很有兴趣了解它!
任何想法?
由于外行人有很多可能性,我会非常感谢依赖知识和/或经验的答案,而不是假设......
非常感谢您!