Private Key

I’m wondering why your plugin (which seems to be rated or reviewed as the only/or best SFTP utility) requires the server private keys vs public key.

That’s just how SSH public key auth works.

So let’s say you have an SSH server and an SSH client. You generate the public / private keypair and put the public key in the SSH server’s authorized_keys file.

To login the client first sends the public key corresponding to the private key to the server. The server either says yay or nay in response to that. If the server says yay then the session id is then signed by the private key and sent to the server. The server verifies the signature with the public key it has on file and lets you in if it succeeds in verification.

So the SSH client absolutely needs the private key. That’s just how SSH works.

The reason SSH was designed this way is so that the server doesn’t ever have to see the private key. If you just used the public key and didn’t do any signing with the private key it’d be analogous to a poorly protected password. ie. at least passwords are in theory shadowed / hashed / salted / whatever. authorized_keys aren’t.

If a malicious server were setup or the server compromised password auth would result in your password being compromised when you send it. With public key auth the private key is not compromised when you send the public key (and the public key is all you send anyway).

Now, in the case of this plugin, the SSH client and SSH server are on the same machine. There’s not much that can be done about that so long as you want WordPress to be able to update itself. To accommodate that the plugin doesn’t save the key to the filesystem or require the key live on the filesystem.

I suppose that’s not a perfect approach but a perfect approach would be… difficult.

Host key verification could be utilized. Maybe the host key could be stored in the SQL DB and checked every time you try to connect but an attacker could just update the DB.

And maybe the signature could be generated via the browser with JS instead of by the WordPress plugin but that presents it’s own problems as the session id is unique per SSH session. You create an SSH session, get the session ID and then to give the session ID to the browser you’d have to pretty much end the SSH session. Then when you reconnect to send the signed session id it won’t work because the session id of the new session will be different.

So if we were to establish a hierarchy of secure approaches it’d look something like this (weakest to strongest):

FTP
SFTP + auto updating wordpress
SFTP
nothing

Of course, this hierarchy doesn’t take into consideration the fact that an out-of-date wordpress is a security issue unto itself and hard-to-update WordPress’s will likely just not get updated.

Also is there any way to get logs from a failed transfer? The program connects in to my server and then boots out saying could not copy files when doing an Upgrade. Plugin installs work just fine on my end

In class-wp-filesystem-ssh2.php find this:

//define('NET_SFTP_LOGGING', NET_SFTP_LOG_REALTIME);

And uncomment it.

Thanks for the fast and knowledgable response, what format do you need the SSH key for your plugin to be? OpenSSH, Bitvise, SSH2/other?

For the record I’m using a windows based Bitvise SSH server, when I try and sign on with no SSH-key I get:

> NET_SFTP_INIT (0.001s)
00000000 00:00:00:03 ….

<- NET_SFTP_VERSION (0.3739s)
00000000 00:00:00:03 ….

-> NET_SFTP_REALPATH (0.0003s)
00000000 00:00:00:01:2e …..

<- NET_SFTP_NAME (0.1214s)
00000000 00:00:00:01:00:00:00:01:2f:00:00:00:01:2f:00:00 ……../…./..
00000010 00:0c:00:00:01:b0:51:db:00:97:00:00:00:00 ……Q…….

With a key I get when I logon with my wordpress test user the plugin tell me to ensure settings are correct.

Thanks for the fast and knowledgable response, what format do you need the SSH key for your plugin to be? OpenSSH, Bitvise, SSH2/other?

Pretty much any of these formats:

https://pastebin.com/t4TMDGuW

Those are the most commonly utilized key formats. If you’re using a key in another format let me know and I can consider adding support for it.

As for the log messages… could you change define('NET_SFTP_LOGGING', NET_SFTP_LOG_REALTIME); to //define('NET_SSH2_LOGGING', NET_SSH2_LOG_REALTIME); and tell me what you get?

Thanks!

Afternoon,

We managed to get our test user working just fine without the usage of private keys.

Food for thought, our server can generate keys in the following formats:
SSH2:

[ Moderator note: please wrap code or log lines in backticks or use the code button. ]

---- BEGIN SSH2 PUBLIC KEY ----
Comment: nicktest.ssh
AAAAB3NzaC1yc2EAAAABEQAAAIEA2BGdPFid5L1eBra9HsEltV5OTbGSvdIC+rUYkkFJ0xpz
B3Z2cM5RHNHbAyEeEaxeLO134y5tOrEpIewgHtquc9L1KpUtARGOugEDuwhBMXf67M9yKNQt
q9ajdTcztyDN41njo0zwtIBaHr11GZ/+cV4o+HnngEJ6DKpKLm5a5Ds=
---- END SSH2 PUBLIC KEY ----

Open SSH Format:
ssh-rsa AAAAB3NzaC1yc2EAAAABEQAAAIEA79i5L1raem+IYQ2FT5fkbQrg8hkdJfjeKM795tu7EHw9An6+nRcpxelsPk5cXOBWtQs6oYmnTJMRTqU37w/ef1RBU/oYtPzeK8WaYmI6juNhXYVEI9QUUVr/q2wPXa5g/eZfI7Q5cFKX8RoGVuPYUERog3HFX3/sS9OuRFxyIJM= nicktest.ssh

And lastly bitvise format which is encrypted: See https://www.bitvise.com/existing-customers
https://www.bitvise.com/ssh-server-guide-public-key