I am attempting to allow a wordpress installation to install plugins. I am not quite sure how to securely set the permissions of my wordpress installation. I think chown -R www-data on the entire installation would work, but I think that is insecure.

Instead I am attempting to allow wordpress to install plugins via sftp/ssh. In this tutorial on how to get that working, it shows that I would need to generate a key pair to keep on the server. I thought the whole point of key pairs is that you keep the public key on the server and the private key on the computer. I realize it is probably requiring this because the wordpress installer is on the server (the installer needs the private key) and the destination is the wordpress installation.

So am I being ridiculous requiring that my wordpress plugin installer script must ssh into a sub-directory of where it exists? If so, why are people raving about this as a secure way to install plugins?

If the better option is to set permissions, does anyone know how to securely set the proper permissions for my wordpress installation?

Thank you!

Tony
  • I believe the question is wrong. Your question seems less about Server-side SSH keys, and more about Wordpress specifically. – WerkkreW May 27 '09 at 18:19
  • wordpress is the specific application of my general question. replace wordpress with "any website code that needs upload access" – Tony May 27 '09 at 18:45
  • You should probably re-word your question to ask whether ssh keys are appropriate for this application of them. – Brent May 27 '09 at 19:21

2 Answers

The way ssh key pairs work is that you keep the private key on the server, and give the public key to whoever you want to have access to it.

Ssh keys are about as secure as they come as far as the encryption goes. There are different viewpoints on whether having a public key stored on a hard drive is more or less secure than a memorized password. I think keys are better.

I can't give you any direction regarding the applicability of ssh to your wordpress application though.

Brent

That tutorial is a bit unclear. I think when they say 'setting up the server side key', they actually mean generating your public key and then uploading it to the server. So you would do this on your home machine, and then upload the public key to your server.

Kyle Brandt