Wordpress can't find ssh public and private key pair

My server configuration is as follows: CentOS 5.8 (final) running Nginx.

I am using the SSH2 feature of Wordpress's plugin installer.

I have installed libssh2 and it is working (WordPress acknowledges it exists).

The user (called playwithbits) I supplied to WordPress is chrooted and has the home directory /home/nginx/domains/playwithbits/

The public and private keys are located in the directory /home/nginx/domains/playwithbits/keys/ and are named id_rsa.pub and id_rsa respectively.

I have copied the contents of id_rsa.pub to the file authorized_keys located in /home/nginx/domains/playwithbits/.ssh/

I haven't set a password for the key files. However, WordPress keeps returning the error:

Public and Private keys incorrect for playwithbits

I have supplied the following information to Wordpress

Hostname: localhost
Username: playwithbits
Password: Blank
Public key: /keys/id_rsa.pub (I have also tried the paths from the server root)
Private key: /keys/id_rsa

Here are the permissions I have set on the relevant folders and files:

drwx------ 2 playwithbits playwithbits 4096 Jun  8 11:25 .ssh
drwx------ 2 playwithbits playwithbits 4096 Jun  8 13:27 keys
-rw------- 1 playwithbits playwithbits  414 Jun  8 11:21 authorized_keys
-rw------- 1 playwithbits playwithbits 1.7K Jun  6 02:17 id_rsa
-rw-r--r-- 1 playwithbits playwithbits  414 Jun  6 02:17 id_rsa.pub

I have also attempted to connect in debug mode in which I get the following output:

Connection from 127.0.0.1 port 56674
debug1: Client protocol version 2.0; client software version libssh2_0.18 PHP
debug1: no match: libssh2_0.18 PHP
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes256-cbc hmac-sha1 none
debug1: kex: server->client aes256-cbc hmac-sha1 none
debug1: expecting SSH2_MSG_KEXDH_INIT
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
Received disconnect from 127.0.0.1: 11: PECL/ssh2 (http://pecl.php.net/packages/ssh2)
debug1: do_cleanup
debug1: do_cleanup

Does anyone know why I can't use the public and private key to log in? If I use the account's password instead, WordPress is able to log in and perform updates.

Edit: In my sshd_config file I have the following rules:

Match group web-root-locked
    ChrootDirectory /home/nginx/domains/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    AuthorizedKeysFile /home/nginx/domains/%u/.ssh/authorized_keys

playwithbits is a member of web-root-locked


Found the answer to this with some trial and error. The keys needed to be owned by the webserver instead of the user I am attempting to log in with.

chown nginx:nginx id_rsa
chown nginx:nginx id_rsa.pub

Now it works like a dream.

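The chown in the answer above works because the key files are opened by PHP, which runs as the web-server account, not by sshd (sshd only reads authorized_keys, and it does so outside the chroot). The flip side is that any PHP code running as that account can now read the private key, so keep it mode 600 and rely on the Match block (chroot, internal-sftp) to limit what the key can do. The script below is an added diagnostic, not code from the thread: it checks the three conditions the WordPress SSH2 path depends on using only the permission bits. Paths are taken from the question; the web-server account name (nginx) and GNU coreutils stat are assumptions. The test data it is exercised with is constructed, not a real key pair.

```shell
#!/bin/sh
# Added diagnostic, not part of the original thread. Paths come from the
# question; the web-server account name "nginx" is an assumption. Decisions
# use only the owner/group/other bits (root bypasses them), so it can be run
# as any user. Assumes GNU stat (CentOS ships it).

# can_read FILE USER: 0 if USER can read FILE by the permission bits,
# 1 if not, 2 if FILE or USER does not exist.
can_read() {
    f=$1; u=$2
    [ -e "$f" ] || return 2
    groups=$(id -Gn "$u" 2>/dev/null) || return 2
    owner=$(stat -c '%U' "$f"); group=$(stat -c '%G' "$f")
    mode=$(stat -c '%a' "$f")
    perm=${mode#"${mode%???}"}                 # last three octal digits
    o=${perm%??}; g=${perm#?}; g=${g%?}; w=${perm#??}
    if [ "$owner" = "$u" ]; then
        [ $(($o & 4)) -ne 0 ]; return
    fi
    case " $groups " in
        *" $group "*) [ $(($g & 4)) -ne 0 ]; return ;;
    esac
    [ $(($w & 4)) -ne 0 ]
}

# key_exposed FILE: 0 if group or other can read FILE. A private key in that
# state is readable by every member of the group, or by everyone.
key_exposed() {
    mode=$(stat -c '%a' "$1"); perm=${mode#"${mode%???}"}
    g=${perm#?}; g=${g%?}; w=${perm#??}
    [ $(($g & 4)) -ne 0 ] || [ $(($w & 4)) -ne 0 ]
}

# pubkey_authorized PUBFILE AUTHFILE: 0 if the base64 blob (second field) of
# PUBFILE appears on some line of AUTHFILE, which is what sshd matches on.
pubkey_authorized() {
    blob=$(awk 'NR == 1 { print $2 }' "$1")
    [ -n "$blob" ] && grep -qF -- "$blob" "$2"
}

# diagnose PRIV PUB AUTH WEBUSER: one line per finding; 0 only if all pass.
# The first check is the one the chown in the accepted answer fixes: PHP,
# running as WEBUSER, is the process that opens the private key.
diagnose() {
    priv=$1; pub=$2; auth=$3; webuser=$4; rc=0
    if can_read "$priv" "$webuser"; then
        echo "ok:   $webuser can read $priv"
    else
        echo "FAIL: $webuser cannot read $priv (PHP opens it, not sshd)"; rc=1
    fi
    if key_exposed "$priv"; then
        echo "WARN: $priv is readable by group or other; chmod 600 it"; rc=1
    fi
    if pubkey_authorized "$pub" "$auth"; then
        echo "ok:   $pub is listed in $auth"
    else
        echo "FAIL: $pub is not listed in $auth"; rc=1
    fi
    return $rc
}

# Usage on the box from the question (save as wp-sshkeys-check.sh):
#   sh wp-sshkeys-check.sh
[ "${0##*/}" = "wp-sshkeys-check.sh" ] && diagnose \
    /home/nginx/domains/playwithbits/keys/id_rsa \
    /home/nginx/domains/playwithbits/keys/id_rsa.pub \
    /home/nginx/domains/playwithbits/.ssh/authorized_keys nginx
```

Note that the paths handed to WordPress are resolved by PHP, which is not chrooted, so they must be full paths from the real filesystem root (/home/nginx/domains/playwithbits/keys/id_rsa), not paths relative to the SFTP chroot.
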

My first instinct: id_rsa should be in ~/.ssh/

Apache may be spawning all sorts of processes via fork: children, children of those, etc. For that, I'd find out what path WordPress thinks it's trying to open by using audit logging tools.

```shell
# Rules as posted (audit 1.x syntax). Current auditd folds the "entry" list
# into "exit", so it prints a deprecation notice and installs them as
# "-a exit,always". `arch` substitutes the machine type, e.g. x86_64.
# On newer glibc, open() is implemented with the openat syscall, so add
# "-S openat" there or the open will not be logged.
auditctl -a entry,always -F arch=`arch` -F euid!=0 -S open
auditctl -a entry,always -F arch=`arch` -F euid!=0 -S stat
```

Those should catch the attempt. You can find it by doing grep id_rsa on your audit log to see the attempted open. If that doesn't provide information, digging deeper with chdir monitoring and the like would be the path to go, but I'm pretty confident that the open syscall will catch this.

Once you know what it's trying to do, you can figure out if the path is relative to the user home directory, another user's home, the http root, the FS root, etc.

Update

This tutorial on using ssh for Wordpress updates shows using the full path to specify the key.

Wordpress ssh connection info
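
Grepping the audit log for id_rsa finds the PATH records, but whether a name like keys/id_rsa was resolved against the web root, the user's home or / depends on the CWD record of the same event, and the outcome (ENOENT versus EACCES) sits in the SYSCALL record. The parser below is an added example, not the answer's code: it joins the SYSCALL, CWD and PATH records that share one audit serial and prints the resolved path and result per attempt. The embedded log lines are constructed in audit.log layout, not captured from the asker's server; uid 498 for the web-server account and php-cgi as the PHP binary are assumptions, as is the plain-quoted name format (the kernel hex-encodes names containing spaces or control characters, which this parser does not decode).

```shell
#!/bin/sh
# Added example, not from the thread. Joins audit records by serial and
# reports each attempt to open/stat a file matching PATTERN.

# resolve_key_opens LOGFILE [PATTERN]: PATTERN is an awk regex, default id_rsa.
# Output, one line per event:
#   audit(ts:serial) uid=.. comm=.. exe=.. success=.. exit=.. resolved=<path>
resolve_key_opens() {
    awk -v pat="${2:-id_rsa}" '
    {
        # every record of one event carries the same msg=audit(ts:serial)
        if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1); gsub(/"/, "", val)
            if ($1 == "type=SYSCALL" && key ~ /^(success|exit|uid|exe|comm)$/)
                rec[id, key] = val
            else if ($1 == "type=CWD" && key == "cwd")
                rec[id, "cwd"] = val
            else if ($1 == "type=PATH" && key == "name" && val ~ pat) {
                rec[id, "name"] = val; hit[id] = 1
            }
        }
    }
    END {
        for (id in hit) {
            name = rec[id, "name"]
            # a relative name is resolved by the kernel against the cwd of the caller
            resolved = (name ~ /^\//) ? name : rec[id, "cwd"] "/" name
            printf "%s uid=%s comm=%s exe=%s success=%s exit=%s resolved=%s\n",
                id, rec[id, "uid"], rec[id, "comm"], rec[id, "exe"],
                rec[id, "success"], rec[id, "exit"], resolved
        }
    }' "$1"
}

# Constructed sample in audit.log layout (not a capture from the question).
# Event 4567: the key path typed into WordPress, "/keys/id_rsa", taken from /
# and missing (exit=-2, ENOENT). Event 4568: the full path, but the file is
# 0600 playwithbits so PHP (uid 498, assumed nginx) gets EACCES (exit=-13),
# the situation the accepted answer's chown fixed. Event 4569: a relative
# name, resolved against PHP's cwd.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1339155623.101:4567): arch=c000003e syscall=2 success=no exit=-2 items=1 pid=1235 uid=498 euid=498 comm="php-cgi" exe="/usr/bin/php-cgi" key=(null)
type=CWD msg=audit(1339155623.101:4567):  cwd="/home/nginx/domains/playwithbits/public_html"
type=PATH msg=audit(1339155623.101:4567): item=0 name="/keys/id_rsa"
type=SYSCALL msg=audit(1339155623.102:4568): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=1235 uid=498 euid=498 comm="php-cgi" exe="/usr/bin/php-cgi" key=(null)
type=CWD msg=audit(1339155623.102:4568):  cwd="/home/nginx/domains/playwithbits/public_html"
type=PATH msg=audit(1339155623.102:4568): item=0 name="/home/nginx/domains/playwithbits/keys/id_rsa"
type=SYSCALL msg=audit(1339155623.103:4569): arch=c000003e syscall=2 success=no exit=-2 items=1 pid=1235 uid=498 euid=498 comm="php-cgi" exe="/usr/bin/php-cgi" key=(null)
type=CWD msg=audit(1339155623.103:4569):  cwd="/home/nginx/domains/playwithbits/public_html"
type=PATH msg=audit(1339155623.103:4569): item=0 name="keys/id_rsa"
EOF
}

# Stand-alone run on the sample (save as audit-key-opens.sh); on the real box:
#   resolve_key_opens /var/log/audit/audit.log
[ "${0##*/}" = "audit-key-opens.sh" ] && sample_audit_log | resolve_key_opens /dev/stdin
```

An exit of -2 with a path rooted at / tells you the path WordPress was given is wrong for the unchrooted PHP process; an exit of -13 on the correct path is the ownership problem the accepted answer describes.
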