How to reboot headless server with pass phrase

Discussion in 'Server Operation' started by satimis, Jun 28, 2008.

  1. satimis

    satimis New Member

    Hi folks,


    I have a headless server which requires "pass phrase" to start Apache at boot. After remote rebooting I can ssh connect the server. But I can't start Apache because I have no way to keyin the password remotely.


    After connection, running;

    $ sudo /etc/init.d/apache2 restart
    Code:
     * Forcing reload of apache 2.0 web server...                                   [Sat Jun 28 10:33:50 2008] [warn] NameVirtualHost *:0 has no VirtualHosts
    (98)Address already in use: make_sock: could not bind to address [::]:443
    no listening sockets available, shutting down
    Unable to open logs
                                                                             [fail]
    
    Is there any glue. TIA


    B.R.
    satimis
     
  2. topdog

    topdog Active Member HowtoForge Supporter

    That seems to be a problem with sudo not with apache, sudo is not changing your privilage level to root to allow you to bind to port 443
     
  3. satimis

    satimis New Member

    Hi topdog,


    Thanks for your advice.


    If ssh connect the remote server as root can it starts Apache remotely?


    On Internet some folks suggest running SSLPassPhraseDialog directive. But I haven't got experience on it before.


    on /etc/apache2/httpd.conf

    adding follows;
    Code:
    <IfModule mod_ssl.c>
    #   Pass Phrase Dialog:
    #  #SSLPassPhraseDialog  builtin
    SSLPassPhraseDialog exec:/content/ssl/pp/pp.out
    </..>
    

    File pp.out
    Code:
    #!/bin/sh
    
    PASS1=somepass1
    PASS2=somepass2
    
    case $1 in
        www.pass1.com:443) echo $PASS1;;
        www.pass2.com:443) echo $PASS2;;
    esac
    
    exit 0
    

    But I haven't figured out what shall I replace "somepass1" and "somepass2"? Whether the request for "Pass Phrase" will popup on running ssh-connect the remote server?


    Where shall I create the path "/content/ssl/pp/pp.out" ?


    Any additional Apache package needed to install?



    B.R.
    satimis
     
  4. topdog

    topdog Active Member HowtoForge Supporter

    If you are running only one secure site then you only need one password.

    You can place the file in /etc/httpd/conf/ (if on centos | use the relevant directory for other distros) just make sure the file is only readable to the apache user otherwise there password will be compromised.
     
  5. satimis

    satimis New Member

    Hi topdog,


    If I understand your advice correctly.

    One secure site = only one site/pc from where to boot the server remotely.

    password=the password with it to boot the remote server on the secure site. I can select any combination of character and number to replace "somepass".


    So the pp.out will look like
    Code:
    #!/bin/sh
    
    PASS=acd123
    
    case $ in
        123.123.456.456:443) echo $PASS;;
    esac
    
    exit 0
    
    123.123.456.456 is the public IP of the secure site. OR can I replace is with www.domain.com? ( domain.com is domain of the secure site to boot the server remotely)


    On Ubuntu if I create a directory /etc/apache2/pp I can put the file on /etc/apache2/pp/pp.out

    Then on the file
    Code:
    SSLPassPhraseDialog exec:/etc/apache2/ssl/pp/pp.out
    
    What will be the permission and owership of the directory /pp/ and the file pp.out?


    If I'm wrong, please correct me. TIA


    Any additional package I need to install?


    B.R.
    satimis
     
    Last edited: Jun 28, 2008
  6. topdog

    topdog Active Member HowtoForge Supporter

    By one site i mean site hosted on the machine, using the domain name on ip address depends on how you have configured your ssl server apache has to be able to search the pp directory meaning the x flag has to be set, the script can be rx for the owner (apache)
     
  7. satimis

    satimis New Member

    Hi topdog,


    Performed following test without success.


    $ sudo mkdir /etc/apache2/ssl/pp
    $ sudo nano /etc/apache2/ssl/pp/pp.out

    Copying following content on it;
    Code:
    #!/bin/sh
    
    PASS=abcde
    
    case $ in
         192.168.0.10:443) echo $PASS;;
    
    esac
    
    exit 0
    
    Remark: 192.168.0.10 is the IP of the local PC


    $ sudo chmod +x -c /etc/apache2/ssl/pp/pp.out
    Code:
    mode of `/etc/apache2/ssl/pp/pp.out' changed to 0755 (rwxr-xr-x)
    

    $ sudo nano /etc/apache2/httpd.conf

    adding follows at the bottom of the file;
    Code:
    <IfModule mod_ssl.c>
    #   Pass Phrase Dialog:
    #  #SSLPassPhraseDialog  builtin
    SSLPassPhraseDialog exec:/etc/apache2/ssl/pp/pp.out
    </IfModule>
    
    $ cat /etc/apache2/httpd.conf
    Code:
    # This is here for backwards compatability reasons and to support
    #  installing 3rd party modules directly via apxs2, rather than
    #  through the /etc/apache2/mods-{available,enabled} mechanism.
    #
    #LoadModule mod_placeholder /usr/lib/apache2/modules/mod_placeholder.so
    
    ServerName lampserver
    
    <IfModule mod_ssl.c>
    #   Pass Phrase Dialog:
    #  #SSLPassPhraseDialog  builtin
    SSLPassPhraseDialog exec:/etc/apache2/ssl/pp/pp.out
    </IfModule>
    

    $ sudo reboot and ssh connect the server remotely. Nothing happens. No dialog starts


    I think the steps are wrong.

    Before the test Apache/2.0.55 mod_ssl/2.0.55 (Pass Phras Dialog) starts after booting on the server locally waiting for input of password. After editing /etc/apache2/httpd.conf on reboot the dialog doesn't start at all.


    B.R.
    satimis
     
  8. topdog

    topdog Active Member HowtoForge Supporter

    Your script is incorrect you need $1 as the variable, but in any case since you only have one host there is no need for a switch statement this script should do it.
    Code:
    #!/bin/bash
    PASS=abcde
    echo $PASS
    exit 0
     
  9. satimis

    satimis New Member

    Your advice works for me. Thanks.


    To make it more difficult. PassPhrase won't start automatically.


    It only works under following 2 conditions;

    1) The server detects the pre-set IP of the remote site on ssh connection.

    2) The PassPhrase must be keyined by the remote site.


    Is it possible? If YES how to achieve it? TIA


    B.R.
    satimis
     
  10. topdog

    topdog Active Member HowtoForge Supporter

    I dont understand what you mean the point of using that script is to allow apache start with a private key that is password protected, so what are you talking about ?
     
  11. satimis

    satimis New Member

    Oh sorry NOT the script. I was talking new steps/new setup. So non authorized person can't restart the web server without the PassPhrase which won't be stored on the server.

    Regarding IP I was talking 2 sites. Thanks


    satimis
     
  12. topdog

    topdog Active Member HowtoForge Supporter

    In that case the default builtin mechanism should be sufficient as they will need to know the pass phrase
     
  13. satimis

    satimis New Member

    Noted with thanks.


    Having tried 2 sites version on Intranet without success.

    Site-1 to reboot the server, IP=192.168.0.10
    Site-2 to reboot the server, IP=192.168.0.55

    No port forwarded to the server


    variation on pp.out tested
    Code:
    #!/bin/sh
    
    PASS1=abcde
    PASS2=vwxyz
    
    case $1 in
       192.168.0.10 echo $PASS1;;
       192.168,0.55 echo $PASS2;;
    esac
    
    exit 0
    

    Code:
    #!/bin/sh
    
    PASS1=abcde
    PASS2=vwxyz
    
    case $1 in
       192.168.0.10) echo $PASS1;;
       192.168,0.55) echo $PASS2;;
    esac
    
    exit 0
    

    Code:
    #!/bin/sh
    
    PASS1=abcde
    PASS2=vwxyz
    
    case $1 in
       192.168.0.10 ) echo $PASS1;;
       192.168,0.55 ) echo $PASS2;;
    esac
    
    exit 0
    

    Code:
    #!/bin/sh
    
    PASS1=abcde
    PASS2=vwxyz
    
    case $1 in
       192.168.0.10 echo $PASS1;
       192.168,0.55 echo $PASS2;
    esac
    
    exit 0
    
    etc.

    Run
    $ sudo chmod +x /var/www/apache2/ssl/pp/pp.out

    each time after change made.

    None of them can work.


    satimis
     

Share This Page