There are several ways of making a Wordpress installation more secure. One possibility is to ditch FTP and use a safe authentication, like SSH.
In Wordpress 4.1 there is embedded support for SSH authentication active - as long as the ssh2 php extension is loaded.
In Debian Wheezy this can be installed with the library libssh2-php:
apt-get install libssh2-php
After the installation, a restart of Apache activates the extension (which is defined in /etc/php5/conf.d/ssh2.ini):
service apache2 restart
However, no matter what I did, I couldn't get it to work in Wordpress.
I adapted file permissions, create a key pair with and without a password, verified manual ssh login with the key file, ... whatever I did, I always got this error:
Public and Private keys incorrect for wpuser
Where wpuser is the user I defined and which owns the wordpress folder.
There are several good howtos available which mention this error and which give potential resolutions:
But unfortunately, none of them could resolve the problem.
On the SSH layer I saw, that a connection came in, but the key authentication never happened. The connection was always terminated from the pecl side before the authentication could happen (in the preauth phase):
sshd: Connection from 18.104.22.168 port 36144
sshd: Found matching RSA key: aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:mm:nn:oo:pp
sshd: Postponed publickey for wpuser from 22.214.171.124 port 36144 ssh2 [preauth]
sshd: Received disconnect from 126.96.36.199: 11: PECL/ssh2 (http://pecl.php.net/packages/ssh2) [preauth]
Could it be a bug in the Wordpress core? Or maybe is the libssh2-php version too old/buggy? After a frustrating and non-successful research about possible bugs, I tried it with an alternative, a plugin called "SSH SFTP Updater Support". And finally I got lucky!
Once I manually installed (unzipped and activated) the plugin, I was able to use the private/public key pair as authentication method. With or without password-protected private key, both setups worked.
In the SSH log, the successful authentication (and sftp download of a theme) is logged like this:
sshd: Accepted publickey for wpuser from 188.8.131.52 port 43559 ssh2
sshd: pam_unix(sshd:session): session opened for user wpuser by (uid=0)
sshd: subsystem request for sftp by user wpuser
sshd: Received disconnect from 184.108.40.206: 11:
sshd: pam_unix(sshd:session): session closed for user wpuser
Great WP plugin, well done and well working! Thanks to the author TerraFrost!
No comments yet.
Personal Internet VMware PHP Linux Shell Bluecoat Proxy Windows Hardware Virtualization Nagios MySQL DB Monitoring Mail Android Network Wyse Hacks Tomcat Postgres Apple Mac Backup BSD ZFS Solaris SmartOS Unix Multimedia Perl Database MongoDB CMS OTRS FreeBSD Wordpress LXC Nginx Proxmox DNS Graphics GlusterFS Security Chef HAProxy Icinga Ansible HTML MariaDB Containers Rancher Docker AWS ELK Kibana Logstash Filebeat Varnish PGSQL PostgreSQL ElasticSearch CouchDB Bash Macintosh Container Minio Grafana InfluxDB Databases NFS OSSEC SystemD Java Zoneminder Surveillance Elasticsearch SSL TLS Icingaweb2 Cloud Wireless Kubernetes Ubuntu