From: John B. <joh...@gm...> - 2012-06-01 15:55:24
The greatest benefit for me is that SSH has been ruinously slow. Each line has to be sent out as a whole to be efficient.

I can see 2 (or 2 1/2) direct improvements that leverage (X)HTML:

First, making directory (or folder) names hypertext links that bring you right to that folder would speed up admin considerably.

Second, making some kind of edit app so that full-line scripts can be written and uploaded and executed (or evoked) would bring the app into the "big leagues."

Having achieved both of those, it would be elementary to create a link next to each file that would allow editing of the file, which would be killer -- and would essentially eliminate all the so-called WebOS ajax implementations (which have been disappointing, in my experience).

Once that is achieved, then I wonder if there is a way to create an SSL tunnel for all the activity.

On the topic of security, I use the Apache authentication to get to my "adm/bin" directory (that has all the other sensitive tools) on top of the existing authen.

Cheers, John

From: Jan K. <jan...@ja...> - 2012-06-03 18:38:43
Hi John,

I haven't seen any activity on this list in a long time, and neither in the repository. I've made some changes to phpshell myself, but they're not in the sf repository since I don't have commit access. You can find them at bitbucket.org/JanKanis/phpshell. I happened to include one thing you mention: an integrated editor. Also, I think https should work if the script is invoked through an https address (and the host supports it). I've also changed the way directories are handled so open_basedir settings are ignored, so this may bypass your apache auth security setup.

I'm not actively developing phpshell any more either, I worked on it when I needed it for a project, but I've since decided that php sucks and I don't want to work in php anymore. Feel free to check it out, if you or someone makes improvements I'm happy to incorporate them.

Jan

On Fri, Jun 1, 2012 at 5:55 PM, John Bessa <joh...@gm...> wrote:
> The greatest benefit for me is that SSH has been ruinously slow. Each
> line has to be sent out as a whole to be efficient.
>
> I can see 2 (or 2 1/2) direct improvements that leverage (X)HTML:
>
> First, making directory (or folder) names hypertext links that bring
> you right to that folder would speed up admin considerably.
>
> Second, making some kind of edit app so that full-line scripts can be
> written and uploaded and executed (or evoked) would bring the app into
> the "big leagues."
>
> Having achieved both of those, it would be elementary to create a link
> next to each file that would allow editing of the file, which would be
> killer -- and would essentially eliminate all the so-called WebOS ajax
> implementations (which have been disappointing, in my experience).
>
> Once that is achieved, then I wonder if there is a way to create an
> SSL tunnel for all the activity.
>
> On the topic of security, I use the Apache authentication to get to my
> "adm/bin" directory (that has all the other sensitive tools) on top of
> the existing authen.
>
> Cheers, John

From: Wolfgang D. <da...@oe...> - 2012-06-05 20:32:36
On 01.06.2012 17:55, John Bessa wrote:
> The greatest benefit for me is that SSH has been ruinously slow.
> Each line has to be sent out as a whole to be efficient.
>
> I can see 2 (or 2 1/2) direct improvements that leverage (X)HTML:
>
> First, making directory (or folder) names hypertext links that bring
> you right to that folder would speed up admin considerably.

Hi,
sorry for the late answer. I am the current maintainer of phpshell.
There are already links in the "Current Working Directory:"-Line - just click on these links to navigate to that directory.

> Second, making some kind of edit app so that full-line scripts can
> be written and uploaded and executed (or evoked) would bring the app
> into the "big leagues."

You can upload files (not enabled by default, you must set
    file-upload = true
in config.php [and have file-upload enabled in PHP and write permission in the current directory]), then you can execute the uploaded script:
    sh myscript.sh # (or bash myskript.sh, perl myskript.pl, ...)

> Having achieved both of those, it would be elementary to create a
> link next to each file that would allow editing of the file,

there is an 'internal' command "editor filename", where you can edit a file (if you have write permissions)

> Once that is achieved, then I wonder if there is a way to create an
> SSL tunnel for all the activity.

That should not be a phpshell issue - set up a (SSL-enabled) apache-webserver, where you use phpshell.

Best regards,
Wolfgang

From: Jan K. <jan...@ja...> - 2012-06-05 22:12:15
Wolfgang,

I only now saw that there has been activity in the phpshell repository during the last two years. I have some changes that I made in October 2010. I sent a mail off to this list to have them incorporated in the official repo, but nobody ever answered so I assumed the project was dead.

If I update the patches to apply to trunk, is there a possibility they can get incorporated? The most important change that I made that has not been made in the SF repo is that my phpshell works even if there are open_basedir restrictions in effect. My changes are in mercurial on http://bitbucket.org/JanKanis/phpshell/, but I can send them as patches.

Jan

On Tue, Jun 5, 2012 at 10:15 PM, Wolfgang Dautermann <da...@oe...> wrote:
> On 01.06.2012 17:55, John Bessa wrote:
> > The greatest benefit for me is that SSH has been ruinously slow.
> > Each line has to be sent out as a whole to be efficient.
> >
> > I can see 2 (or 2 1/2) direct improvements that leverage (X)HTML:
> >
> > First, making directory (or folder) names hypertext links that bring
> > you right to that folder would speed up admin considerably.
>
> Hi,
> sorry for the late answer. I am the current maintainer of phpshell.
> There are already links in the "Current Working Directory:"-Line - just
> click on these links to navigate to that directory.
>
> > Second, making some kind of edit app so that full-line scripts can
> > be written and uploaded and executed (or evoked) would bring the app
> > into the "big leagues."
>
> You can upload files (not enabled by default, you must set
>     file-upload = true
> in config.php [and have file-upload enabled in PHP and write permission
> in the current directory]), then you can execute the uploaded script:
>     sh myscript.sh # (or bash myskript.sh, perl myskript.pl, ...)
>
> > Having achieved both of those, it would be elementary to create a
> > link next to each file that would allow editing of the file,
>
> there is an 'internal' command "editor filename", where you can edit a
> file (if you have write permissions)
>
> > Once that is achieved, then I wonder if there is a way to create an
> > SSL tunnel for all the activity.
>
> That should not be a phpshell issue - set up a (SSL-enabled)
> apache-webserver, where you use phpshell.
>
> Best regards,
> Wolfgang

From: Wolfgang D. <da...@oe...> - 2012-06-10 20:37:26
On 06.06.2012 00:11, Jan Kanis wrote:
> Wolfgang,
>
> I only now saw that there has been activity in the phpshell
> repository during the last two years.

Yes.
I wrote an article about Phpshell for some Magazines (http://www.admin-magazine.com/Archive/2012/07 and http://www.linux-community.de/Internal/Artikel/Print-Artikel/LinuxUser/2011/04/Shell-Zugriff-per-Webbrowser (in German)) - but the last released version of phpshell did not work with recent PHP versions, so Martin Geisler (the original author) handed over the maintenance to me.

> I have some changes that I made in october 2010.
>
> If I update the patches to apply to trunk, is there a possibility
> they can get incorporated?

Of course. You can also get SVN access and check in improvements by yourself, if you want to contribute more often.
It seems, that now there are no other developers who submit code regularly - and it would be nice, if I am not the only guy who develops phpshell.

Best regards,
Wolfgang

From: Jan K. <jan...@ja...> - 2012-06-13 07:47:18
Hi Wolfgang,

SVN access would be easiest for me. I currently just intend to add the changes I already made to the official repo and I'll probably add a better password hashing since just SHA is not considered secure anymore for password storage.

My sourceforge username is JanKanis.

Thanks.

On Sun, Jun 10, 2012 at 10:37 PM, Wolfgang Dautermann <da...@oe...> wrote:
> On 06.06.2012 00:11, Jan Kanis wrote:
> > Wolfgang,
> >
> > I only now saw that there has been activity in the phpshell
> > repository during the last two years.
>
> Yes.
> I wrote an article about Phpshell for some Magazines
> (http://www.admin-magazine.com/Archive/2012/07 and
> http://www.linux-community.de/Internal/Artikel/Print-Artikel/LinuxUser/2011/04/Shell-Zugriff-per-Webbrowser
> (in German)) - but the last released version of phpshell did not work
> with recent PHP versions, so Martin Geisler (the original author) handed
> over the maintenance to me.
>
> > I have some changes that I made in october 2010.
> >
> > If I update the patches to apply to trunk, is there a possibility
> > they can get incorporated?
>
> Of course. You can also get SVN access and check in improvements by
> yourself, if you want to contribute more often.
> It seems, that now there are no other developers who submit code
> regularly - and it would be nice, if I am not the only guy who develops
> phpshell.
>
> Best regards,
> Wolfgang

From: John B. <joh...@gm...> - 2012-06-12 15:31:40
Hi all, It is nice to have all this attention (all of a sudden)

In fairness to Perl and Shell(s), they are very good in their contexts which is low level control of the OS. Perl was first to be a Web server, but that was 17 yrs ago, and 12 yrs ago it was basically "killed" by the tech crash of 2000, and also the terror event on Sept 11, 2001 at the World Trade Center, as influential NYC CPU community was meeting in those very buildings and thriving because of financial technology.

The history of Perl is a long topic far beyond the scope of this group, but suffice to say it halted on a certain date with all its projects becoming sad shipwrecks on the beaches of the information sea. There were unquestionably maladaptive issues along (such as continual violent flaming sometimes manifested as physical threats) that may have added to its demise by allowing, well, mental illness to control the basic design. I actually heard Larry Walls say a certain concept should be inserted by saying it "is sick." Telling indeed!

Having said that, I am planning to deconstruct the Oddmuse wiki, which is written in perl, to create a tool for collaborative creation to understand its structure.

Since mobwrite is the collaboration vehicle of choice (used and tested by Google Docs which has suddenly become useless because of Ajax problems) then the suggestion for using Python seems appropriate because the server is written in Python. As is, the document state control in Mobwrite is separate from the saving features when it is implemented with, say, a wiki.

So perhaps the underlying toolset of this PHP shell should be converted to Python so that it can be implemented into bigger systems. Or perhaps PHP be organized to give it the benefits of Python and mobwrite binaries inserted into a PHP.

Thus one gets the two necessary features of web expression: textual creation and system control. Within this needs to be a development system (so that the user can actually control his technological destiny) that actually wraps the two.

As is you barely get either, and nothing combines them. Pretty sad after about a 1/4 century of Internet, wouldn't you say?

Regards, John

From: Jan K. <jan...@ja...> - 2012-06-13 07:59:50
I don't get exactly what you intend to communicate in this mail, but converting phpshell to a different language would not be a good idea. I use phpshell for crappy webhosts that don't provide normal ssh access (or do it very poorly). These webhosts often have just php available and no other scripting languages. As far as I know just about all python/ruby webhosts also provide ssh, so just use that then.

If you want to access a shell through a webbrowser where you can run your own programs, have a look at Shell in a Box.

On Tue, Jun 12, 2012 at 5:31 PM, John Bessa <joh...@gm...> wrote:
> Hi all, It is nice to have all this attention (all of a sudden)
>
> In fairness to Perl and Shell(s), they are very good in their contexts
> which is low level control of the OS. Perl was first to be a Web
> server, but that was 17 yrs ago, and 12 yrs ago it was basically
> "killed" by the tech crash of 2000, and also the terror event on Sept
> 11, 2001 at the World Trade Center, as influential NYC CPU community
> was meeting in those very buildings and thriving because of financial
> technology.
>
> The history of Perl is a long topic far beyond the scope of this
> group, but suffice to say it halted on a certain date with all its
> projects becoming sad shipwrecks on the beaches of the information
> sea. There were unquestionably maladaptive issues along (such as
> continual violent flaming sometimes manifested as physical threats)
> that may have added to its demise by allowing, well, mental illness to
> control the basic design. I actually heard Larry Walls say a certain
> concept should be inserted by saying it "is sick." Telling indeed!
>
> Having said that, I am planning to deconstruct the Oddmuse wiki, which
> is written in perl, to create a tool for collaborative creation to
> understand its structure.
>
> Since mobwrite is the collaboration vehicle of choice (used and tested
> by Google Docs which has suddenly become useless because of Ajax
> problems) then the suggestion for using Python seems appropriate
> because the server is written in Python. As is, the document state
> control in Mobwrite is separate from the saving features when it is
> implemented with, say, a wiki.
>
> So perhaps the underlying toolset of this PHP shell should be
> converted to Python so that it can be implemented into bigger systems.
> Or perhaps PHP be organized to give it the benefits of Python and
> mobwrite binaries inserted into a PHP.
>
> Thus one gets the two necessary features of web expression: textual
> creation and system control. Within this needs to be a development
> system (so that the user can actually control his technological
> destiny) that actually wraps the two.
>
> As is you barely get either, and nothing combines them. Pretty sad
> after about a 1/4 century of Internet, wouldn't you say?
>
> Regards, John

From: Jan K. <jan...@ja...> - 2012-06-13 20:38:00
Thanks! I'll have a look at what the admin side of sourceforge brings.

Regarding password storage, the problem is that /password/ hashing should be (relatively) slow, to prevent brute force searches on ever faster hardware. I want to use phpass <http://www.openwall.com/phpass/> for that, which is also used by Drupal, Wordpress, phpBB and other projects. It supports even php version 3, using stronger hashes when available. See this <http://www.openwall.com/articles/PHP-Users-Passwords> for more explanation.

I also intend to keep everything php4 compatible, when I first started using phpshell I also needed that.

On Wed, Jun 13, 2012 at 9:20 PM, Wolfgang Dautermann <da...@oe...> wrote:
> On 13.06.2012 09:46, Jan Kanis wrote:
> > Hi Wolfgang,
> >
> > SVN access would be easiest for me.
>
> Hi Jan!
> You are now a member of the project with SVN access.
>
> Welcome to the team.
>
> > I currently just intend to add the changes I already made to the
> > official repo and I'll probably add a better password hashing since
> > just SHA is not considered secure anymore for password storage.
>
> Hm. Concerning password hashing - I believe sha1() *with salt* should be
> okay. There is no (native) sha2() function in PHP - yes you have the
> hash()-function, but there are recent PHP versions (>= 5.1.2) required.
> And I think a self-coded sha2()-function (in PHP) might be more insecure
> than (salted) sha1().
>
> Even for the move from md5() to sha1() I checked, if sha1() is
> available, because it is only present in PHP >= 4.3.0:
>
> if ( function_exists('sha1') ) {
>     $fkt = 'sha1' ;
> } else {
>     $fkt = 'md5' ;
> } ;
>
> Would be fine, if phpshell works even with older PHP versions (because
> that is my use-case. I need it sometimes on a server with PHP 4.3.1 (no,
> I am not the admin there...), to remove some files created by apache, ...)
>
> Best regards from Austria,
> Wolfgang

From: Jan K. <jan...@ja...> - 2012-06-18 13:51:10
The problem that phpass solves is not specifically a weakness in md5, but that all cryptographic hashes are insecure to store passwords by themselves. Computers are getting faster and especially with GPUs and FPGAs brute forcing password hashes is getting faster and faster. The solution is to use a slower hash function, or using a standard hash function but applying it 10000 times instead of once. The slowdown from (say) 10 microseconds to 10 milliseconds is insignificant for logging in, but slows down brute force cracking of a stolen hash by 1000 times. But see the article at http://www.openwall.com/articles/PHP-Users-Passwords for a more complete explanation.

Phpass checks which cryptographic functions are available, first trying bcrypt (a.k.a. CRYPT_BLOWFISH in php), then CRYPT_EXT_DES, and falls back to applying md5 a few thousand times. Both crypt_blowfish and crypt_ext_des are specialized password hash functions that use a configurable number of rounds of an underlying cryptographic hash.

On Fri, Jun 15, 2012 at 6:51 PM, Wolfgang Dautermann <da...@oe...> wrote:
> On 13.06.2012 22:37, Jan Kanis wrote:
> > Thanks! I'll have a look at what the admin side of sourceforge
> > brings.
> >
> > Regarding password storage, the problem is that /password/ hashing
> > should be (relatively) slow, to prevent brute force searches on ever
> > faster hardware. I want to use phpass
> > <http://www.openwall.com/phpass/> for that,
>
> I did a quick look on the code - does it use a more secure hash than
> md5()? I think, there is my solution (if function_exists(sha1), use it)
> better.
>
> (I am going to a bike tour tomorrow and will be offline for some days...)
>
> > I also intend to keep everything php4 compatible, when I first
> > started using phpshell I also needed that.
>
> Ok.
> Best regards, Wolfgang

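
Added example, not part of the thread and not code from phpshell or phpass: a PHP sketch of the availability check and hash stretching discussed in the last two messages, narrowed to bcrypt with an iterated sha1/md5 fallback. The function names and the `$stretch$` storage format are hypothetical, and `random_bytes()` and `hash_equals()` assume PHP 7 or later.

```php
<?php
// Added illustration; not code from phpshell or phpass.
// Function names and the '$stretch$' storage format are hypothetical.

const STRETCH_ROUNDS = 10000; // "applying it 10000 times instead of once"

// Fallback path: iterate a plain hash over a per-password salt.
function stretched_hash($fn, $password, $salt, $rounds)
{
    $h = $fn($salt . $password);
    for ($i = 0; $i < $rounds; $i++) {
        $h = $fn($h . $password);
    }
    return '$stretch$' . $fn . '$' . $rounds . '$' . $salt . '$' . $h;
}

// Prefer bcrypt when this PHP build offers it, else stretch sha1 or md5.
function hash_password($password)
{
    if (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH == 1) {
        // 22 salt characters from the bcrypt alphabet ./0-9A-Za-z
        $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
        return crypt($password, '$2y$10$' . $salt); // cost 10 = 2^10 rounds
    }
    $fn = function_exists('sha1') ? 'sha1' : 'md5';
    return stretched_hash($fn, $password, bin2hex(random_bytes(8)), STRETCH_ROUNDS);
}

// Recompute with the salt and cost embedded in the stored value.
function verify_password($password, $stored)
{
    if (strncmp($stored, '$stretch$', 9) === 0) {
        $parts = explode('$', $stored); // ['', 'stretch', fn, rounds, salt, hash]
        if (count($parts) !== 6 || !in_array($parts[2], array('sha1', 'md5'), true)) {
            return false;
        }
        $candidate = stretched_hash($parts[2], $password, $parts[4], (int) $parts[3]);
    } else {
        $candidate = crypt($password, $stored);
    }
    return hash_equals($stored, $candidate); // constant-time comparison
}

// Constructed demo values: time one sha1 call against the stretched version.
$t0 = microtime(true);
sha1('constructed-salt' . 'correct horse');
$single = microtime(true) - $t0;

$t0 = microtime(true);
$stored = stretched_hash('sha1', 'correct horse', 'constructed-salt', STRETCH_ROUNDS);
$stretched = microtime(true) - $t0;

printf("single sha1: %.6fs, %d rounds: %.6fs\n", $single, STRETCH_ROUNDS, $stretched);
var_dump(verify_password('correct horse', $stored));
var_dump(verify_password('wrong guess', $stored));
var_dump(verify_password('correct horse', hash_password('correct horse')));
```

On PHP 5.5 and later the built-in `password_hash()` and `password_verify()` cover the bcrypt branch, including salt generation and constant-time comparison.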