There are several ways of making a Wordpress installation more secure. One possibility is to ditch FTP and use a safe authentication, like SSH.
In Wordpress 4.1 there is embedded support for SSH authentication active - as long as the ssh2 php extension is loaded.
In Debian Wheezy this can be installed with the library libssh2-php:
apt-get install libssh2-php
After the installation, a restart of Apache activates the extension (which is defined in /etc/php5/conf.d/ssh2.ini):
service apache2 restart
However, no matter what I did, I couldn't get it to work in Wordpress.
I adapted file permissions, create a key pair with and without a password, verified manual ssh login with the key file, ... whatever I did, I always got this error:
Public and Private keys incorrect for wpuser
Where wpuser is the user I defined and which owns the wordpress folder.
There are several good howtos available which mention this error and which give potential resolutions:
But unfortunately, none of them could resolve the problem.
On the SSH layer I saw, that a connection came in, but the key authentication never happened. The connection was always terminated from the pecl side before the authentication could happen (in the preauth phase):
sshd[80647]: Connection from 123.45.67.89 port 36144
sshd[80647]: Found matching RSA key: aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:mm:nn:oo:pp
sshd[80647]: Postponed publickey for wpuser from 123.45.67.89 port 36144 ssh2 [preauth]
sshd[80647]: Received disconnect from 123.45.67.89: 11: PECL/ssh2 (http://pecl.php.net/packages/ssh2) [preauth]
Could it be a bug in the Wordpress core? Or maybe is the libssh2-php version too old/buggy? After a frustrating and non-successful research about possible bugs, I tried it with an alternative, a plugin called "SSH SFTP Updater Support". And finally I got lucky!
Once I manually installed (unzipped and activated) the plugin, I was able to use the private/public key pair as authentication method. With or without password-protected private key, both setups worked.
In the SSH log, the successful authentication (and sftp download of a theme) is logged like this:
sshd[84084]: Accepted publickey for wpuser from 123.45.67.89 port 43559 ssh2
sshd[84084]: pam_unix(sshd:session): session opened for user wpuser by (uid=0)
sshd[84086]: subsystem request for sftp by user wpuser
sshd[84086]: Received disconnect from 123.45.67.89: 11:
sshd[84084]: pam_unix(sshd:session): session closed for user wpuser
Great WP plugin, well done and well working! Thanks to the author TerraFrost!
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office OpenSearch PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder