ssh-sftp-updater vs WordPress SSH2 support

The built-in functionality requires libssh2 be installed and a great many hosts do not. It’s not included by default with PHP either so even if you’re running your own server it’s just one extra step you need to take if you ever need to rebuild the server.

This plugin, in contrast, uses phpseclib to remove that dependency. This plugin will pretty much work on any host.

Also, the built-in functionality requires the private and public key both live on the local file system. With this plugin the key never touches the filesystem. Even if you upload it no temp file is created since all uploading with this plugin does is to copy the key contents to a hidden input field (hidden as of 4.2 since 4.2 introduced a modal with limited screen real estate). And you don’t need the public key either – just the private key. The public key can be extracted from the private key anyway.

More info:

https://phpseclib.sourceforge.net/ssh/compare.html

Thank you, that’s very informative.

Can you confirm that this plugin does only use SFTP, and not full SSH?

I would like to suggest that you add more documentation than simply “install and go”, since this plugin relies on the upgrade, plugins and possibly other folders being writeable by the SFTP user, and I had to discover this by the trial and error method, which shouldn’t be necessary.

Additionally, documenting how this plugin does nothing if WordPress decides that direct file updating is possible, whether that works or not, and that you can force this plugin to be used by setting the FS_METHOD variable to “ssh2”. I would have assumed that would have forced the built-in SSH2 support to take over. It’s just not clear.

Thanks for the great work.

Can you confirm that this plugin does only use SFTP, and not full SSH?

SFTP typically requires SSH but in a jail shelled environment you might not be able to do any shell commands.

That said, the plugin does currently do some SSH stuff for stuff like chgrp. It’s doing this because the built-in WordPress plugin does it (or did it when I initially implemented this plugin) and because, at the time of this plugins initial implementation, chgrp wasn’t something that phpseclib would let you do via SFTP (altho that is now no longer the case).

Practically speaking, tho, idk that WordPress does chgrp a lot if at all.

I would like to suggest that you add more documentation than simply “install and go”, since this plugin relies on the upgrade, plugins and possibly other folders being writeable by the SFTP user, and I had to discover this by the trial and error method, which shouldn’t be necessary.

I think what’d probably be better are run-time checks. eg. if you try to install and the directory isn’t writable an error appears.

Additionally, documenting how this plugin does nothing if WordPress decides that direct file updating is possible, whether that works or not, and that you can force this plugin to be used by setting the FS_METHOD variable to “ssh2”. I would have assumed that would have forced the built-in SSH2 support to take over. It’s just not clear.

Under what circumstances does direct file updating not work? I haven’t spent a great deal of time looking at how they implemented that.

I’m also not sure off hand how it works with FS_METHOD. Probably just the same way WordPress’s built-in functionality works. This plugin is /mostly/ a copy / paste of that element of Wordpres’s built-in functionality.