Support » Plugin: SSH SFTP Updater Support » SSH authentication Issue

  • Resolved joey2250

    (@joey2250)


    I have a wpsshupdate user set up to allow SSH updating using this plugin.

    I have a copy of the RSA-4096 SSH keys accessible by the webserver group.

    I am able to ssh to localhost from the wpsshupdate user and successfully log in.

    When I attempt to use the plugin to update I get:

    Private key incorrect for wpsshupdate
    Make sure that the key you are using is an RSA key and not a DSA key

    When I look at my auth.log I see:

    Aug 13 16:13:27 web02 sshd[4529]: rexec line 18: Deprecated option UsePrivilegeSeparation
    Aug 13 16:13:27 web02 sshd[4529]: rexec line 25: Deprecated option KeyRegenerationInterval
    Aug 13 16:13:27 web02 sshd[4529]: rexec line 26: Deprecated option ServerKeyBits
    Aug 13 16:13:27 web02 sshd[4529]: rexec line 37: Deprecated option RSAAuthentication
    Aug 13 16:13:27 web02 sshd[4529]: rexec line 44: Deprecated option RhostsRSAAuthentication
    Aug 13 16:13:41 web02 sshd[4529]: reprocess config line 37: Deprecated option RSAAuthentication
    Aug 13 16:13:41 web02 sshd[4529]: reprocess config line 44: Deprecated option RhostsRSAAuthentication
    Aug 13 16:13:41 web02 sshd[4529]: Received disconnect from 127.0.0.1 port 54974:11: [preauth]
    Aug 13 16:13:41 web02 sshd[4529]: Disconnected from authenticating user wpsshupdate 127.0.0.1 port 54974 [preauth]

    I have hardened my ssh to accept only RSA4096 or Ed25519 keys if that might be causing the issue?

Viewing 14 replies - 1 through 14 (of 14 total)
  • I do not get those auth.log entries when I ssh localhost from the wpsshupdate user. It just works & uses the ssh-keys correctly.

    • This reply was modified 3 months, 3 weeks ago by joey2250.

    Also, I only allow the following:

    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

    But since its ssh’ing to itself, you’d think it would work since the user itself can without issue.

    • This reply was modified 3 months, 3 weeks ago by joey2250.
    Plugin Author David Anderson

    (@davidanderson)

    The plugin has no facility to read key files; it can only use a username/password. It’s using the phpseclib library (https://github.com/phpseclib/phpseclib/); it’s not running /usr/bin/ssh, so isn’t picking up installed OpenSSH key files.

    I thought it did, the error message is being pulled from the section of code around Line 91 from https://github.com/wp-plugins/ssh-sftp-updater-support/blob/master/class-wp-filesystem-ssh2.php.

    $rsa->loadKey($this->options['private_key']);

    Is what lead me to believe this plugin supported SSH keys.

    Plugin Author David Anderson

    (@davidanderson)

    Sorry, you’re right, it does (I don’t use this plugin much and am not the original author – I just agreed to keep it up to date for him). Perhaps you’re putting the key in the wrong format? RSA is a key *type*, but that’s orthogonal to what key-file format you’re entering the key in.

    David

    No problem. I use the standard rsa_4096 key generated by ssh-keygen. It is the same one I used to test internally with ssh, but as a different file with more open permissions so the webserver has permissions to access it.

    I used the wp-config.php to define it, I even copied the private key and pasted it in the wordpress text area to test and it didn’t work.

    define(‘FS_METHOD’, ‘ssh2’);
    define(‘FTP_BASE’, ‘/var/www/wp-directory’);
    define(‘FTP_PUBKEY’,’/home/wpsshupdate/.ssh/wp_rsa.pub’);
    define(‘FTP_PRIKEY’,’/home/wpsshupdate/.ssh/wp_rsa’);
    define(‘FTP_USER’,’wpsshupdate’);
    define(‘FTP_PASS’,’******************hidden*******’);
    define(‘FTP_HOST’,’localhost’);

    I bet whatever it’s using for ssh then isn’t compatible with the more secure algorithms I have the SSH server limited to. That or it just doesn’t want to read a 4096-bit key.

    Plugin Author TerraFrost

    (@terrafrost)

    Original author here. 4096-bit RSA keys aren’t an issue. If I had to guess I’d guess that the key you’re using starts off thusly:

    -----BEGIN OPENSSH PRIVATE KEY-----

    If so then keys of that format were not supported until v0.8.2 of this plugin (the most recent version). Are you using that version?

    Also, encrypted keys in that format are not supported by the underlying library for technical reasons that https://github.com/phpseclib/phpseclib/blob/7012e724881ac479866d05e78dbe6fd25fe5a90b/phpseclib/Crypt/Common/Formats/Keys/OpenSSH.php#L94 elaborates upon.

    Plugin Author David Anderson

    (@davidanderson)

    You should also check if the user PHP is running as has read permissions on the indicated files.

    I am using version 0.8.2.

    The private key starts with:
    —–BEGIN RSA PRIVATE KEY—–

    The php user and the webserver are both using the custom user deploy, which has group access to read the /home/wpsshupdate/.ssh/wp_rsa file. This is a duplicate of the id_rsa file, but with more open permissions. The reason for that is the ssh server will not accept id_rsa for testing with group read permissions for the deploy user on it. I suppose I might get around this by having the deploy user be the ssh user, but I purposely set it up so that the deploy user cannot connect via ssh.

    • This reply was modified 3 months, 2 weeks ago by joey2250.

    And as far as I know, the keys are not encrypted & for sure, they do not have a passcode on them.

    Also, this is on Ubuntu 18.04, phpfpm-73, nginx 1.17.2, OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017, wordpress-4.9.10

    • This reply was modified 3 months, 2 weeks ago by joey2250.
    • This reply was modified 3 months, 2 weeks ago by joey2250.
    • This reply was modified 3 months, 2 weeks ago by joey2250.
    Plugin Author TerraFrost

    (@terrafrost)

    And as far as I know, the keys are not encrypted & for sure, they do not have a passcode on them.

    Encryption isn’t an issue given that the keys start off with -----BEGIN RSA PRIVATE KEY-----. It’s only an issue for keys starting off with -----BEGIN OPENSSH PRIVATE KEY-----.

    Anyway, I’d be willing to bet $10 that the underlying library is not due to the key being in an unsupported format. Maybe the issue is, as David Anderson hinted at, your permissions. You insist those are fine, but that would certainly explain what you’re seeing, none-the-less.

    I would suggest you provide me with the key and I can verify that the key is able to be loaded but that’s also basically giving me the credentials to your server as well. Can you create a key that you believe reproduces the issue that you’d be willing to share?

    If it is a legit issue with the underlying library I will pay you, via PayPal, $10 for finding that issue.

    I mean, I suppose it’s possible that the key is malformed. You can’t just base64 encode a random string and expect it to be loaded as an RSA key. I would not pay $10.00 for this. But I can’t make that determination without seeing a key that reproduces the issue.

    • This reply was modified 3 months, 2 weeks ago by TerraFrost.

    I have no problem providing the keys. id rather not do it publicly in these comments, but I can email them to you.

    I’d be willing to grant you access to my server if you cannot find out from that what the issue is.

    Plugin Author TerraFrost

    (@terrafrost)

    Works for me! My email address is terrafrost@php.net. I’ll try to take a look this evening and will provide you with status updates!

Viewing 14 replies - 1 through 14 (of 14 total)
  • You must be logged in to reply to this topic.