Title: SSH authentication Issue Last modified: August 13, 2019 --- # SSH authentication Issue * Resolved [joey2250](https://wordpress.org/support/users/joey2250/) * (@joey2250) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/) * I have a wpsshupdate user set up to allow SSH updating using this plugin. * I have a copy of the RSA-4096 SSH keys accessible by the webserver group. * I am able to ssh to localhost from the wpsshupdate user and successfully log in. * When I attempt to use the plugin to update I get: * > Private key incorrect for wpsshupdate > Make sure that the key you are using > is an RSA key and not a DSA key * When I look at my auth.log I see: * > Aug 13 16:13:27 web02 sshd[4529]: rexec line 18: Deprecated option UsePrivilegeSeparation > > Aug 13 16:13:27 web02 sshd[4529]: rexec line 25: Deprecated option KeyRegenerationInterval > Aug 13 16:13:27 web02 sshd[4529]: rexec line 26: Deprecated option ServerKeyBits > Aug 13 16:13:27 web02 sshd[4529]: rexec line 37: Deprecated option RSAAuthentication > Aug 13 16:13:27 web02 sshd[4529]: rexec line 44: Deprecated option RhostsRSAAuthentication > Aug 13 16:13:41 web02 sshd[4529]: reprocess config line 37: Deprecated option > RSAAuthentication Aug 13 16:13:41 web02 sshd[4529]: reprocess config line 44: > Deprecated option RhostsRSAAuthentication Aug 13 16:13:41 web02 sshd[4529]: > Received disconnect from 127.0.0.1 port 54974:11: [preauth] Aug 13 16:13:41 > web02 sshd[4529]: Disconnected from authenticating user wpsshupdate 127.0.0.1 > port 54974 [preauth] * I have hardened my ssh to accept only RSA4096 or Ed25519 keys if that might be causing the issue? Viewing 14 replies - 1 through 14 (of 14 total) * Thread Starter [joey2250](https://wordpress.org/support/users/joey2250/) * (@joey2250) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11828582) * I do not get those auth.log entries when I `ssh localhost` from the wpsshupdate user. It just works & uses the ssh-keys correctly. - This reply was modified 6 years, 9 months ago by [joey2250](https://wordpress.org/support/users/joey2250/). * Thread Starter [joey2250](https://wordpress.org/support/users/joey2250/) * (@joey2250) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11828688) * Also, I only allow the following: * > KexAlgorithms [curve25519-sha256@libssh.org](https://wordpress.org/support/topic/ssh-authentication-issue/curve25519-sha256@libssh.org?output_format=md), > diffie-hellman-group-exchange-sha256 > Ciphers [chacha20-poly1305@openssh.com](https://wordpress.org/support/topic/ssh-authentication-issue/chacha20-poly1305@openssh.com?output_format=md), > aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128- > ctr MACs [hmac-sha2-512-etm@openssh.com](https://wordpress.org/support/topic/ssh-authentication-issue/hmac-sha2-512-etm@openssh.com?output_format=md), > hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2- > 256,umac-128@openssh.com * But since its ssh’ing to itself, you’d think it would work since the user itself can without issue. - This reply was modified 6 years, 9 months ago by [joey2250](https://wordpress.org/support/users/joey2250/). * Plugin Author [David Anderson / Team Updraft](https://wordpress.org/support/users/davidanderson/) * (@davidanderson) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11839139) * The plugin has no facility to read key files; it can only use a username/password. It’s using the phpseclib library ([https://github.com/phpseclib/phpseclib/](https://github.com/phpseclib/phpseclib/)); it’s not running /usr/bin/ssh, so isn’t picking up installed OpenSSH key files. * Thread Starter [joey2250](https://wordpress.org/support/users/joey2250/) * (@joey2250) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11839156) * I thought it did, the error message is being pulled from the section of code around Line 91 from [https://github.com/wp-plugins/ssh-sftp-updater-support/blob/master/class-wp-filesystem-ssh2.php](https://github.com/wp-plugins/ssh-sftp-updater-support/blob/master/class-wp-filesystem-ssh2.php). * `$rsa->loadKey($this->options['private_key']);` * Is what lead me to believe this plugin supported SSH keys. * Plugin Author [David Anderson / Team Updraft](https://wordpress.org/support/users/davidanderson/) * (@davidanderson) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11839161) * Sorry, you’re right, it does (I don’t use this plugin much and am not the original author – I just agreed to keep it up to date for him). Perhaps you’re putting the key in the wrong format? RSA is a key *type*, but that’s orthogonal to what key-file format you’re entering the key in. * David * Thread Starter [joey2250](https://wordpress.org/support/users/joey2250/) * (@joey2250) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11839167) * No problem. I use the standard rsa_4096 key generated by ssh-keygen. It is the same one I used to test internally with ssh, but as a different file with more open permissions so the webserver has permissions to access it. * I used the wp-config.php to define it, I even copied the private key and pasted it in the wordpress text area to test and it didn’t work. * define(‘FS_METHOD’, ‘ssh2’); define(‘FTP_BASE’, ‘/var/www/wp-directory’); define(‘ FTP_PUBKEY’,’/home/wpsshupdate/.ssh/wp_rsa.pub’); define(‘FTP_PRIKEY’,’/home/ wpsshupdate/.ssh/wp_rsa’); define(‘FTP_USER’,’wpsshupdate’); define(‘FTP_PASS’,’****************** hidden*******’); define(‘FTP_HOST’,’localhost’); * Thread Starter [joey2250](https://wordpress.org/support/users/joey2250/) * (@joey2250) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11839177) * I bet whatever it’s using for ssh then isn’t compatible with the more secure algorithms I have the SSH server limited to. That or it just doesn’t want to read a 4096-bit key. * Plugin Author [TerraFrost](https://wordpress.org/support/users/terrafrost/) * (@terrafrost) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11839777) * Original author here. 4096-bit RSA keys aren’t an issue. If I had to guess I’d guess that the key you’re using starts off thusly: * `-----BEGIN OPENSSH PRIVATE KEY-----` * If so then keys of that format were not supported until v0.8.2 of this plugin( the most recent version). Are you using that version? * Also, encrypted keys in that format are not supported by the underlying library for technical reasons that [https://github.com/phpseclib/phpseclib/blob/7012e724881ac479866d05e78dbe6fd25fe5a90b/phpseclib/Crypt/Common/Formats/Keys/OpenSSH.php#L94](https://github.com/phpseclib/phpseclib/blob/7012e724881ac479866d05e78dbe6fd25fe5a90b/phpseclib/Crypt/Common/Formats/Keys/OpenSSH.php#L94) elaborates upon. * Plugin Author [David Anderson / Team Updraft](https://wordpress.org/support/users/davidanderson/) * (@davidanderson) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11841036) * You should also check if the user PHP is running as has read permissions on the indicated files. * Thread Starter [joey2250](https://wordpress.org/support/users/joey2250/) * (@joey2250) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11845293) * I am using version 0.8.2. * The private key starts with: —–BEGIN RSA PRIVATE KEY—– * The php user and the webserver are both using the custom user deploy, which has group access to read the /home/wpsshupdate/.ssh/wp_rsa file. This is a duplicate of the id_rsa file, but with more open permissions. The reason for that is the ssh server will not accept id_rsa for testing with group read permissions for the deploy user on it. I suppose I might get around this by having the deploy user be the ssh user, but I purposely set it up so that the deploy user cannot connect via ssh. - This reply was modified 6 years, 9 months ago by [joey2250](https://wordpress.org/support/users/joey2250/). * Thread Starter [joey2250](https://wordpress.org/support/users/joey2250/) * (@joey2250) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11845297) * And as far as I know, the keys are not encrypted & for sure, they do not have a passcode on them. * Also, this is on Ubuntu 18.04, phpfpm-73, nginx 1.17.2, OpenSSH_7.6p1 Ubuntu- 4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017, wordpress-4.9.10 - This reply was modified 6 years, 9 months ago by [joey2250](https://wordpress.org/support/users/joey2250/). - This reply was modified 6 years, 9 months ago by [joey2250](https://wordpress.org/support/users/joey2250/). - This reply was modified 6 years, 9 months ago by [joey2250](https://wordpress.org/support/users/joey2250/). * Plugin Author [TerraFrost](https://wordpress.org/support/users/terrafrost/) * (@terrafrost) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11846136) * > And as far as I know, the keys are not encrypted & for sure, they do not have > a passcode on them. * Encryption isn’t an issue given that the keys start off with `-----BEGIN RSA PRIVATE KEY-----`. It’s only an issue for keys starting off with `-----BEGIN OPENSSH PRIVATE KEY-----`. * Anyway, I’d be willing to bet $10 that the underlying library is _not_ due to the key being in an unsupported format. Maybe the issue is, as David Anderson hinted at, your permissions. You insist those are fine, but that would certainly explain what you’re seeing, none-the-less. * I would suggest you provide me with the key and I can verify that the key is able to be loaded but that’s also basically giving me the credentials to your server as well. Can you create a key that you believe reproduces the issue that you’d be willing to share? * If it is a legit issue with the underlying library I will pay you, via PayPal, $10 for finding that issue. * I mean, I suppose it’s possible that the key is malformed. You can’t just base64 encode a random string and expect it to be loaded as an RSA key. I would not pay $10.00 for this. But I can’t make that determination without seeing a key that reproduces the issue. - This reply was modified 6 years, 9 months ago by [TerraFrost](https://wordpress.org/support/users/terrafrost/). * Thread Starter [joey2250](https://wordpress.org/support/users/joey2250/) * (@joey2250) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11846736) * I have no problem providing the keys. id rather not do it publicly in these comments, but I can email them to you. * I’d be willing to grant you access to my server if you cannot find out from that what the issue is. * Plugin Author [TerraFrost](https://wordpress.org/support/users/terrafrost/) * (@terrafrost) * [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11846767) * Works for me! My email address is [terrafrost@php.net](https://wordpress.org/support/topic/ssh-authentication-issue/terrafrost@php.net?output_format=md). I’ll try to take a look this evening and will provide you with status updates! Viewing 14 replies - 1 through 14 (of 14 total) The topic ‘SSH authentication Issue’ is closed to new replies. * ![](https://s.w.org/plugins/geopattern-icon/ssh-sftp-updater-support.svg) * [SSH SFTP Updater Support](https://wordpress.org/plugins/ssh-sftp-updater-support/) * [Support Threads](https://wordpress.org/support/plugin/ssh-sftp-updater-support/) * [Active Topics](https://wordpress.org/support/plugin/ssh-sftp-updater-support/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/ssh-sftp-updater-support/unresolved/) * [Reviews](https://wordpress.org/support/plugin/ssh-sftp-updater-support/reviews/) * 14 replies * 3 participants * Last reply from: [TerraFrost](https://wordpress.org/support/users/terrafrost/) * Last activity: [6 years, 9 months ago](https://wordpress.org/support/topic/ssh-authentication-issue/#post-11846767) * Status: resolved