3

I've followed this tutorial (which worked for me on several VPSs) to configure a secure way to install and update themes and plugins in WordPress. Basically:

sudo adduser wp-user
cd /var/www
sudo chown -R wp-user:wp-user /var/www/
sudo su - wp-user
ssh-keygen -t rsa -b 4096
exit
sudo chown wp-user:www-data /home/wp-user/wp_rsa*
sudo chmod 0640 /home/wp-user/wp_rsa*
sudo mkdir /home/wp-user/.ssh
sudo chown wp-user:wp-user /home/wp-user/.ssh/
sudo chmod 0700 /home/wp-user/.ssh/
sudo cp /home/wp-user/wp_rsa.pub /home/wp-user/.ssh/authorized_keys
sudo chown wp-user:wp-user /home/wp-user/.ssh/authorized_keys
sudo chmod 0644 /home/wp-user/.ssh/authorized_keys
sudo nano /home/wp-user/.ssh/authorized_keys

from="127.0.0.1" ssh-rsa...

sudo apt-get update
sudo apt-get install php5-dev libssh2-1-dev libssh2-php
sudo nano /var/www/wp-config.php

Add:

define('FTP_PUBKEY','/home/wp-user/wp_rsa.pub');
define('FTP_PRIKEY','/home/wp-user/wp_rsa');
define('FTP_USER','wp-user');
define('FTP_PASS','');
define('FTP_HOST','127.0.0.1:22');

And finally:

sudo service apache2 restart

For some reason, I'm getting the message:

Public and Private keys incorrect for wp-user

Looking for an answer, I've seen this question, but none of the answers has worked for me.

First, I put the files into the /home/wp-user directory, but I also tried /home/wp-user/.ssh. This is what I have right now:

ls -la /home/wp-user/.ssh

drwx------ 2 wp-user wp-user  4096 Mar  1 15:02 .
drwxr-xr-x 3 wp-user wp-user  4096 Mar  1 14:58 ..
-rw-r--r-- 1 wp-user wp-user   742 Mar  1 15:02 authorized_keys
-rw-r----- 1 wp-user www-data 3247 Mar  1 14:58 wp_rsa
-rw-r----- 1 wp-user www-data  742 Mar  1 14:58 wp_rsa.pub

And:

define('FTP_PUBKEY','/home/wp-user/.ssh/wp_rsa.pub');
define('FTP_PRIKEY','/home/wp-user/.ssh/wp_rsa');
define('FTP_USER','wp-user');
define('FTP_PASS','');
define('FTP_HOST','127.0.0.1:miCustomPortForSSH');

I can see this output on auth.log each time I try to connect:

Mar  1 14:37:51 vpsxxxx sshd[2430]: Set /proc/self/oom_score_adj to -800
Mar  1 14:37:51 vpsxxxx sshd[2430]: Connection from 127.0.0.1 port 56103
Mar  1 14:37:51 vpsxxxx sshd[2430]: Received disconnect from 127.0.0.1: 11: PECL/ssh2 (http://pecl.php.net/packages/ssh2) [preauth]

with a different port each time:

Mar  1 14:38:16 vpsxxxx sshd[2435]: Set /proc/self/oom_score_adj to -800
Mar  1 14:38:16 vpsxxxx sshd[2435]: Connection from 127.0.0.1 port 56128
Mar  1 14:38:16 vpsxxxx sshd[2435]: Received disconnect from 127.0.0.1: 11: PECL/ssh2 (http://pecl.php.net/packages/ssh2) [preauth]

I'm using Apache2 and Nginx as proxy server, but the log files don't reveal anything. Any idea?

Manolo
  • I'm having the exact same problem. Have you found a solution yet? – Can Sürmeli Jul 16 '15 at 01:08
  • No, I haven't. Still using FTP :( – Manolo Jul 16 '15 at 08:02
  • Hey, I just solved my issue and answered it here. Hope it helps. If you need more assistance I'm more than happy to help. http://wordpress.stackexchange.com/questions/194529/public-and-private-keys-are-incorrect-for-user/195781#195781 – Can Sürmeli Jul 27 '15 at 18:55

6 Answers

1

On two Debian 10 servers I had to add the -m PEM parameter to ssh-keygen.

Otherwise the key worked when I used SSH from the terminal, but it didn't work in WordPress, resulting in the same disconnect message as the one that appeared in your log. Instead, ssh-keygen -m PEM -t rsa worked without any problem.

Also, I had to enable allow_url_fopen = On in PHP, otherwise WordPress could not find the wp-content directory.

Michal
1

It looks like the private key is too open as it is group readable. Try removing the group read permissions

chmod g-r wp_rsa

and see how that goes.

user9517
1

If you are using the php_admin_value open_basedir directive at all, the keys need to be in a directory that is included in the paths listed.

IGB042
0

I'm using www-data as owner; adding the following line to wp-config.php solved it for me.

define( 'FS_METHOD', 'direct' );

Digweed
0

First poster is half right. SSH will reject your private key if it's readable by anything other than the owner group. However, if the wp-user is the owner and only the owner can read the private key, then the server can't read it and you can't use the web interface. Therefore you have to change the owner on both the public and private key. Here's how you fix this.

sudo chown www-data:www-data /home/wp-user/wp_rsa*
sudo chmod 600 /home/wp-user/wp_rsa

In defense of the author of the post you followed, that post was written for Ubuntu 12.04 and I know in my case I have a 14.04 install.

Also, the installation of the extra libraries and the modifications to the wp-config.php file are unnecessary on Ubuntu 14.04 and WordPress v4.2.2, just FYI.

  • If the user to use to upgrade is specified in the wp-config and it's the same who has the permission to read the keys, why then should the www-data user be allowed to read the key? – foebu Mar 04 '17 at 11:37
  • Because the server is the one that needs to read the key in this case, even though it's the wp-user that's logging in. – Kyle Francis Apr 04 '19 at 23:47
-1

I encountered the same error message. @Manolo wasn't using a passphrase in the original question, but I was. I was able to get it to work after I generated ssh keys without a passphrase.

According to https://codex.wordpress.org/Editing_wp-config.php#Enabling_SSH_Upgrade_Access "It is recommended to use a private key that is not pass-phrase protected. There have been numerous reports that pass phrase protected private keys do not work properly."
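
Added example, not part of any answer above: Michal's `-m PEM` answer and the passphrase answer both depend on how the private key file is encoded on disk. The shell function below reads only the file's headers and reports the container format and whether a passphrase is set; the sample files are constructed placeholders with no key material.

```shell
#!/bin/sh
# Added example (not from the thread): classify a private key from its headers.
# key_format FILE prints one of: pem, pem-encrypted, pkcs8, pkcs8-encrypted,
# openssh, openssh-encrypted, unreadable, unknown
key_format() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    case "$(head -n 1 "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----")   # written by ssh-keygen -m PEM
            # Legacy PEM marks a passphrase with "Proc-Type: 4,ENCRYPTED".
            if sed -n '2,3p' "$1" | grep -q ENCRYPTED
            then echo pem-encrypted; else echo pem; fi ;;
        "-----BEGIN PRIVATE KEY-----") echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")   # ssh-keygen default since 7.8
            # Body is base64 of "openssh-key-v1\0", a 4-byte length, then the
            # cipher name; the name "none" means no passphrase.
            cipher=$(grep -v '^-----' "$1" | tr -d '\n' | base64 -d 2>/dev/null |
                     tail -c +20 | head -c 4)
            if [ "$cipher" = none ]
            then echo openssh; else echo openssh-encrypted; fi ;;
        *) echo unknown ;;
    esac
}

# Constructed samples: headers only, no real key material.
make_samples() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIB' \
        '-----END RSA PRIVATE KEY-----' > "$d/pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00' '' 'MIIB' \
        '-----END RSA PRIVATE KEY-----' > "$d/pem_enc"
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\004none' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/ossh"
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\012aes256-ctr' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/ossh_enc"
    echo "$d"
}

if [ $# -gt 0 ]; then
    for f in "$@"; do printf '%s: %s\n' "$f" "$(key_format "$f")"; done
else
    d=$(make_samples) || exit 1
    for f in "$d"/*; do printf '%s: %s\n' "${f##*/}" "$(key_format "$f")"; done
    rm -rf "$d"
fi
```

Run it as the web-server account, for example `sudo -u www-data sh keyfmt.sh /home/wp-user/wp_rsa` (the script name is hypothetical), so that `unreadable` reflects what PHP can actually open.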