
My server configuration is as follows: CentOS 5.8 (final) running Nginx.

I am using the SSH2 feature of Wordpress's plugin installer.

I have installed libssh2 and it is working (Wordpress is acknowledging it exists).

The user (called playwithbits) I supplied to wordpress is chrooted and has the home directory of /home/nginx/domains/playwithbits/

The public and private keys are located in the directory /home/nginx/domains/playwithbits/keys/ and are named id_rsa.pub and id_rsa respectively.

I have copied the contents of id_rsa.pub to the file authorized_keys located in /home/nginx/domains/playwithbits/.ssh/

I haven't set a password for the key files. However, Wordpress keeps returning the error:

Public and Private keys incorrect for playwithbits

I have supplied the following information to Wordpress

Hostname: localhost
Username: playwithbits
Password: Blank
Public key: /keys/id_rsa.pub //I have also tried the paths from server root
Private key: /keys/id_rsa

Here are the permissions I have set on the relevant folders and files:

drwx------ 2 playwithbits playwithbits 4096 Jun  8 11:25 .ssh
drwx------ 2 playwithbits playwithbits 4096 Jun  8 13:27 keys
-rw------- 1 playwithbits playwithbits  414 Jun  8 11:21 authorized_keys
-rw------- 1 playwithbits playwithbits 1.7K Jun  6 02:17 id_rsa
-rw-r--r-- 1 playwithbits playwithbits  414 Jun  6 02:17 id_rsa.pub

I have also attempted to connect in debug mode in which I get the following output:

Connection from 127.0.0.1 port 56674
debug1: Client protocol version 2.0; client software version libssh2_0.18 PHP
debug1: no match: libssh2_0.18 PHP
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes256-cbc hmac-sha1 none
debug1: kex: server->client aes256-cbc hmac-sha1 none
debug1: expecting SSH2_MSG_KEXDH_INIT
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
Received disconnect from 127.0.0.1: 11: PECL/ssh2 (http://pecl.php.net/packages/ssh2)
debug1: do_cleanup
debug1: do_cleanup

Does anyone know why I can't use public and private key to access? If I use the account's password instead wordpress is able to log in and perform updates.

Edit: In my sshd_config file I have the following rules:

Match group web-root-locked
         ChrootDirectory /home/nginx/domains/%u
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp
         AuthorizedKeysFile /home/nginx/domains/%u/.ssh/authorized_keys

playwithbits is a member of web-root-locked

George Reith

4 Answers


Found the answer to this with some trial and error. The keys needed to be owned by the webserver instead of the user I am attempting to log in with.

chown nginx:nginx id_rsa
chown nginx:nginx id_rsa.pub

Now it works like a dream.

George Reith
  • This confounded me - don't use ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub because the web server doesn't have read permission in ~/.ssh. Thus, you have to store these files outside ~/.ssh. They should probably not be writable by the web server user, but they must be readable by it. – Troy Sep 02 '15 at 06:11

My first instinct: id_rsa should be in ~/.ssh/

Apache may be spawning all sorts of processes via fork, children, children of those, etc. For that, I'd find out what path Wordpress thinks it's trying to open by using audit logging tools.

auditctl -a entry,always -F arch=`arch` -F euid!=0 -S open
auditctl -a entry,always -F arch=`arch` -F euid!=0 -S stat

Those should catch the attempt. You can find it by doing grep id_rsa on your audit log to see the attempted open. If that doesn't provide information, digging deeper with chdir monitoring and the like would be the path to go, but I'm pretty confident that the open syscall will catch this.

Once you know what it's trying to do, you can figure out if the path is relative to the user home directory, another user's home, the http root, the FS root, etc.

Update

This tutorial on using ssh for Wordpress updates shows using the full path to specify the key.

Wordpress ssh connection info

Jeff Ferland
  • Thanks for responding. I am using nginx not apache, `auditctl` returns `auditctl: command not found` in the terminal. The problem with the tutorials is they don't say whether it is chrooted or not although I have tried with both paths anyway. – George Reith Jun 08 '12 at 14:34
  • Well, nginx or apache, the same debugging will work. If you're on a Debian / Ubuntu system, `apt-get install auditd` will work. Otherwise, use your package manager of choice to install the audit facility and use it for debugging. – Jeff Ferland Jun 08 '12 at 14:37
  • Cheers, I installed the audit daemon however I can't run it `type=DAEMON_ABORT msg=audit(1339167282.636:9975): auditd error halt, auid=4294967295 pid=4504 res=failed`. Do you have any other suggestions? – George Reith Jun 08 '12 at 15:00
  • @GeorgeReith Well, let's try another route since that could be its own question. Is there any logging you can get from the client side? I looked closer at your debug logs and see they're from the SSH daemon. It seems to indicate that your client in Wordpress isn't trying to auth, probably because it can't find the proper ssh private key. Is there a debug mode or logging for that module you can use? Anything in the nginx logs? – Jeff Ferland Jun 08 '12 at 15:21
  • There's nothing in the Nginx logs about this, by module do you mean `libssh2`? It has no logs AFAIK and wordpress has built in functionality for it so all I get to see is wordpress's error message. – George Reith Jun 08 '12 at 15:45
  • Made an interesting discovery in my `/var/log/messages`: when I attempt to SSH from wordpress it receives the following two errors: `Jun 10 12:28:37 s1 suhosin[2174]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker '86.144.116.163', file '/home/nginx/domains/playwithbits/public/wp-admin/admin.php', l$` and `Jun 10 12:28:39 s1 sshd[2175]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key` I am unable to create an ecdsa key; my system doesn't recognize `ecdsa` for some reason. – George Reith Jun 10 '12 at 11:31
  • Fixed the memory error by throttling wordpress's memory limit. However that didn't solve the issue. – George Reith Jun 10 '12 at 12:00
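The audit approach in this answer is sound, but a bare `grep id_rsa` on audit.log only shows the PATH record, not the process, its working directory or whether the open() succeeded, which are spread over the SYSCALL and CWD records of the same event. The script below is an added example (not from the answer or any WordPress/libssh2 code) that joins the three record types by their event serial. It assumes auditd's standard text record format and awk; the records it ships with are constructed for illustration (serials 101-103, uid 498 standing in for nginx, `key="sshkeys"` as the rule key) and are not a real capture. If writing the rule today I would use the current form `auditctl -a always,exit -F arch=b64 -F euid!=0 -S open -k sshkeys` (`-a entry,always` is the legacy syntax) so the records can be pulled with `ausearch -k sshkeys --raw` and piped into the function.

```shell
#!/bin/sh
# Join auditd SYSCALL / CWD / PATH records by event serial and report every
# open() whose path matches a pattern, with pid, uid, cwd and the result.
# Assumes the standard auditd text format: type=... msg=audit(TIME:SERIAL): k=v ...
# Caveat: auditd hex-encodes name= / cwd= values that contain spaces or
# non-printables; this parser expects plain quoted values (normal for key paths).

audit_key_opens() {                 # usage: audit_key_opens PATTERN [AUDIT_LOG...]  (stdin if no file)
  pat=$1; shift
  awk -v pat="$pat" '
  function kv(line, key,    i, cnt, tok, p, v) {   # value of key=... in a record, quotes stripped
    cnt = split(line, tok, " ")
    for (i = 1; i <= cnt; i++) {
      p = index(tok[i], "=")
      if (p && substr(tok[i], 1, p - 1) == key) { v = substr(tok[i], p + 1); gsub(/"/, "", v); return v }
    }
    return ""
  }
  {
    s = kv($0, "msg"); sub(/^audit[(][0-9.]+:/, "", s); sub(/[)]:?$/, "", s)   # event serial
    if (!(s in seen)) { seen[s] = 1; order[++n] = s }
    ty = kv($0, "type")
    if (ty == "SYSCALL") {
      pid[s] = kv($0, "pid"); uid[s] = kv($0, "uid"); comm[s] = kv($0, "comm")
      ok[s] = kv($0, "success"); ex[s] = kv($0, "exit")      # exit is -errno on failure
    } else if (ty == "CWD") {
      cwd[s] = kv($0, "cwd")
    } else if (ty == "PATH") {
      nm = kv($0, "name")
      if (nm ~ pat) path[s] = nm                             # keep the matching item
    }
  }
  END {
    for (i = 1; i <= n; i++) {
      s = order[i]
      if (s in path)
        printf "serial=%s pid=%s uid=%s comm=%s cwd=%s path=%s success=%s exit=%s\n",
               s, pid[s], uid[s], comm[s], cwd[s], path[s], ok[s], ex[s]
    }
  }' "$@"
}

# Constructed sample, not a real capture. uid 498 stands in for nginx; syscall=2 is
# open() on x86_64. Serial 101 shows "/keys/id_rsa" resolved against the real root
# (PHP is not inside the sftp user's chroot) -> ENOENT (-2); 103 shows the full path
# hitting a 0600 key owned by uid 501 -> EACCES (-13); 102 is unrelated noise.
sample_audit_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1339300000.101:101): arch=c000003e syscall=2 success=no exit=-2 items=1 ppid=2170 pid=2174 auid=4294967295 uid=498 gid=498 euid=498 comm="php-fpm" exe="/usr/sbin/php-fpm" key="sshkeys"
type=CWD msg=audit(1339300000.101:101):  cwd="/home/nginx/domains/playwithbits/public/wp-admin"
type=PATH msg=audit(1339300000.101:101): item=0 name="/keys/id_rsa" nametype=UNKNOWN
type=SYSCALL msg=audit(1339300000.102:102): arch=c000003e syscall=2 success=yes exit=9 items=1 ppid=2170 pid=2174 auid=4294967295 uid=498 gid=498 euid=498 comm="php-fpm" exe="/usr/sbin/php-fpm" key="sshkeys"
type=CWD msg=audit(1339300000.102:102):  cwd="/home/nginx/domains/playwithbits/public/wp-admin"
type=PATH msg=audit(1339300000.102:102): item=0 name="/etc/hosts" inode=1234 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1339300000.103:103): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2170 pid=2174 auid=4294967295 uid=498 gid=498 euid=498 comm="php-fpm" exe="/usr/sbin/php-fpm" key="sshkeys"
type=CWD msg=audit(1339300000.103:103):  cwd="/home/nginx/domains/playwithbits/public/wp-admin"
type=PATH msg=audit(1339300000.103:103): item=0 name="/home/nginx/domains/playwithbits/keys/id_rsa" inode=5678 mode=0100600 ouid=501 ogid=501
EOF
}

if [ "${1:-}" = demo ]; then
  sample_audit_log | audit_key_opens id_rsa
fi
```

On a live box the same function runs over `ausearch -k sshkeys --raw | audit_key_opens id_rsa` or directly on `/var/log/audit/audit.log`. The two things to read off each line are `cwd=`/`path=` (is the path being resolved where you thought, the chroot is not in play for PHP) and `exit=` (`-2` is a wrong path, `-13` is the ownership/mode problem the accepted answer fixes).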

Try this plugin. It lets you upload SSH private keys from your computer through the browser. Public keys aren't required.

mgorven

For those using apache here's how I solved the permissions issue on Ubuntu 14.04

First add apache to the user's group:

usermod -a -G myuser www-data

Then all that was necessary was to grant read permission on the private key:

chmod g+r /home/myuser/.ssh/id_rsa