SSH Key Manager Module?
A post about using Media Mover to mirror files across multiple servers got me thinking about how to securely manage remote server access in Drupal. Keeping server account data in Drupal’s database is a bad idea: a compromise of your site means a compromise of all the servers that you have in the system. While you could keep the accounts that you use to access the remote systems limited, it is still bad practice.
Generally this problem is solved with SSH keys, a system that can authenticate logins that have a valid key. The problem is that this really raises the barrier to entry for people who do not want to deal with the command line. It should be the case that you can create a login for a remote server (for backups, for example) inside of Drupal, in a secure fashion, which never requires firing up your trusty terminal. For those of us who deal with the command line on a regular basis, this is not so much of an issue, but for people who do not, it basically encourages bad security practices. From my perspective, the barrier to security is primarily ease of use: so long as FTP seems “easier” than SCP, it will be used.
So what might a solution look like for Drupal? I imagine an SSH keys manager module. This module handles key creation and management, and provides an API that allows other modules (like a secure FTP backup module, for example) to log in to a server and issue commands. I can imagine some of the following functionality:
The implementation for backing up a file might look something like:
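<?php
// Escape the file values so that nothing in a path or name is parsed as shell syntax.
$source = escapeshellarg($current_file['path']);
$target = escapeshellarg($current_file['name']);
echo shell_exec("scp ". $source ." ". ssh_keys_server($server_id) .":/backups/". $target);
?>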
Here ssh_keys_server() would handle making sure the path to the key file was right as well as getting the right server information from the database. This would be an example of where the key file was not password protected. If you have php-ssh installed on your machine, this could probably be vastly simplified, but this is just sort of throwing the idea out there. Any thoughts?
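As an added example (not code from the original post), here is one way the backup call above could be built without handing a concatenated string to a shell. The names ssh_keys_scp_argv() and ssh_keys_run() and the $server record are hypothetical; it assumes a POSIX host, PHP 7.4 or later, and a key file without a passphrase, as in the post.

```php
<?php
// Added example. ssh_keys_scp_argv(), ssh_keys_run() and the $server record are
// hypothetical names standing in for what the proposed module would provide.
function ssh_keys_scp_argv(array $server, string $local_path, string $remote_name): array {
  // User and host come from the database, so refuse any value that scp could
  // read as an option or as extra path components (host names and IPv4 only).
  if (!preg_match('/\A[a-z_][a-z0-9_-]{0,31}\z/', $server['user'])
      || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/', $server['host'])) {
    throw new InvalidArgumentException('Invalid remote user or host.');
  }
  // The private key must be a regular file closed to group and others.
  $key = realpath($server['key_file']);
  if ($key === false || !is_file($key) || (fileperms($key) & 0077) !== 0) {
    throw new RuntimeException('Key file missing or its permissions are too open.');
  }
  // An absolute local path cannot be mistaken for an option or a host:path spec.
  $source = realpath($local_path);
  if ($source === false || !is_file($source)) {
    throw new InvalidArgumentException('Nothing to back up.');
  }
  // Only a plain file name may land under /backups/ on the remote side.
  if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9._-]*\z/', $remote_name)) {
    throw new InvalidArgumentException('Invalid remote file name.');
  }
  return ['scp', '-B', '-i', $key, '-o', 'IdentitiesOnly=yes',
    '-o', 'StrictHostKeyChecking=yes', '--', $source,
    $server['user'] . '@' . $server['host'] . ':/backups/' . $remote_name];
}

function ssh_keys_run(array $argv): int {
  // PHP 7.4+ executes an argv array directly, so no shell ever parses the values.
  $proc = proc_open($argv, [], $pipes);
  return is_resource($proc) ? proc_close($proc) : -1;
}

// Constructed sample data: a throwaway key file and a file to back up.
$key_file = tempnam(sys_get_temp_dir(), 'key');  // tempnam() creates it with mode 0600
$backup = tempnam(sys_get_temp_dir(), 'bak');
$server = ['user' => 'backup', 'host' => 'backup.example.com', 'key_file' => $key_file];

print implode(' ', ssh_keys_scp_argv($server, $backup, 'site-db.sql.gz')) . "\n";
try {
  ssh_keys_scp_argv($server, $backup, 'db.sql; id');
} catch (InvalidArgumentException $e) {
  print 'Rejected: ' . $e->getMessage() . "\n";
}
unlink($key_file);
unlink($backup);
```

The demo only prints the argument list and the rejection; a real transfer would pass the returned array to ssh_keys_run() and check that the exit code is 0.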








