php - How can I secure my SSH commands to a remote server in Laravel?

Question

I am using laravelcollective/remote which is documented in Laravel 4.2 but this documentation does not display any information about the 6.x version of this.

I am trying to access my external servers to run Docker commands:

SSH::into('production')->run(["docker inspect --format='{{.Name}}' {$id}"], function($container) {
    // ...
});

My configuration looks like this and is pretty basic, although it works:

'connections' => [
    'production' => [
        'host'      => 'xx.xx.xxx.x',
        'username'  => 'xxx',
        'password'  => 'xxx',
        'key'       => '',
        'keytext'   => '',
        'keyphrase' => '',
        'agent'     => '',
        'timeout'   => 10,
    ],
],

When I then use:

SSH::into('production')->run(['ls'], function($x) { echo $x; });

It works fine, but how secure is this? I can see I am missing 4 default fields that I assume make this more secure. How can I generate a key, keytext and keyphrase and what are they?

question from:https://stackoverflow.com/questions/65892326/how-can-i-secure-my-ssh-commands-to-a-remote-server-in-laravel

Answer 1

The SSH component was removed from Laravel core in 2015 and Laravel Collective is maintaining this component from then on - article on Laravel News. That‘s why you do not find anything about this in the official Laravel docs anymore.

The ?key“, ?keyphrase“ and ?keytext“ field should be used when you want to use an ssh key instead of logging in with username and passwort.

The ?key“ field holds the full path to your private ssh key file. In the ?keyphrase“ field the passphrase (if existing) of your ssh key should be entered.

The documentation about the config options is not very good - I just searched across Github issues to get some information.

The laravelcollective/remote package uses the phpseclib/phpseclib lib for creating SSH connections. This is a PHP Secure Communications Library implementing SSH-2, SFTP, X.509, an arbitrary-precision integer arithmetic library, ... and many more. So this question about secure connections should be better asked there. ;-) I'd say, yes it is a secure, encrypted connection.