SSH authentication Issue

I do not get those auth.log entries when I ssh localhost from the wpsshupdate user. It just works & uses the ssh-keys correctly.

• This reply was modified 5 years, 6 months ago by joey2250.

Also, I only allow the following:

KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

But since its ssh’ing to itself, you’d think it would work since the user itself can without issue.

• This reply was modified 5 years, 6 months ago by joey2250.

The plugin has no facility to read key files; it can only use a username/password. It’s using the phpseclib library (https://github.com/phpseclib/phpseclib/); it’s not running /usr/bin/ssh, so isn’t picking up installed OpenSSH key files.

I thought it did, the error message is being pulled from the section of code around Line 91 from https://github.com/wp-plugins/ssh-sftp-updater-support/blob/master/class-wp-filesystem-ssh2.php.

$rsa->loadKey($this->options['private_key']);

Is what lead me to believe this plugin supported SSH keys.

Sorry, you’re right, it does (I don’t use this plugin much and am not the original author – I just agreed to keep it up to date for him). Perhaps you’re putting the key in the wrong format? RSA is a key *type*, but that’s orthogonal to what key-file format you’re entering the key in.

David

No problem. I use the standard rsa_4096 key generated by ssh-keygen. It is the same one I used to test internally with ssh, but as a different file with more open permissions so the webserver has permissions to access it.

I used the wp-config.php to define it, I even copied the private key and pasted it in the wordpress text area to test and it didn’t work.

define(‘FS_METHOD’, ‘ssh2’);
define(‘FTP_BASE’, ‘/var/www/wp-directory’);
define(‘FTP_PUBKEY’,’/home/wpsshupdate/.ssh/wp_rsa.pub’);
define(‘FTP_PRIKEY’,’/home/wpsshupdate/.ssh/wp_rsa’);
define(‘FTP_USER’,’wpsshupdate’);
define(‘FTP_PASS’,’******************hidden*******’);
define(‘FTP_HOST’,’localhost’);

I bet whatever it’s using for ssh then isn’t compatible with the more secure algorithms I have the SSH server limited to. That or it just doesn’t want to read a 4096-bit key.

Original author here. 4096-bit RSA keys aren’t an issue. If I had to guess I’d guess that the key you’re using starts off thusly:

-----BEGIN OPENSSH PRIVATE KEY-----

If so then keys of that format were not supported until v0.8.2 of this plugin (the most recent version). Are you using that version?

Also, encrypted keys in that format are not supported by the underlying library for technical reasons that https://github.com/phpseclib/phpseclib/blob/7012e724881ac479866d05e78dbe6fd25fe5a90b/phpseclib/Crypt/Common/Formats/Keys/OpenSSH.php#L94 elaborates upon.

You should also check if the user PHP is running as has read permissions on the indicated files.

I am using version 0.8.2.

The private key starts with:
—–BEGIN RSA PRIVATE KEY—–

The php user and the webserver are both using the custom user deploy, which has group access to read the /home/wpsshupdate/.ssh/wp_rsa file. This is a duplicate of the id_rsa file, but with more open permissions. The reason for that is the ssh server will not accept id_rsa for testing with group read permissions for the deploy user on it. I suppose I might get around this by having the deploy user be the ssh user, but I purposely set it up so that the deploy user cannot connect via ssh.

• This reply was modified 5 years, 6 months ago by joey2250.

And as far as I know, the keys are not encrypted & for sure, they do not have a passcode on them.

Also, this is on Ubuntu 18.04, phpfpm-73, nginx 1.17.2, OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017, wordpress-4.9.10

• This reply was modified 5 years, 6 months ago by joey2250.
• This reply was modified 5 years, 6 months ago by joey2250.
• This reply was modified 5 years, 6 months ago by joey2250.

And as far as I know, the keys are not encrypted & for sure, they do not have a passcode on them.

Encryption isn’t an issue given that the keys start off with -----BEGIN RSA PRIVATE KEY-----. It’s only an issue for keys starting off with -----BEGIN OPENSSH PRIVATE KEY-----.

Anyway, I’d be willing to bet $10 that the underlying library is not due to the key being in an unsupported format. Maybe the issue is, as David Anderson hinted at, your permissions. You insist those are fine, but that would certainly explain what you’re seeing, none-the-less.

I would suggest you provide me with the key and I can verify that the key is able to be loaded but that’s also basically giving me the credentials to your server as well. Can you create a key that you believe reproduces the issue that you’d be willing to share?

If it is a legit issue with the underlying library I will pay you, via PayPal, $10 for finding that issue.

I mean, I suppose it’s possible that the key is malformed. You can’t just base64 encode a random string and expect it to be loaded as an RSA key. I would not pay $10.00 for this. But I can’t make that determination without seeing a key that reproduces the issue.

• This reply was modified 5 years, 6 months ago by TerraFrost.

I have no problem providing the keys. id rather not do it publicly in these comments, but I can email them to you.

I’d be willing to grant you access to my server if you cannot find out from that what the issue is.

Works for me! My email address is [email protected]. I’ll try to take a look this evening and will provide you with status updates!