WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 3 years ago

Last modified 3 years ago

#10348 closed enhancement (maybelater)

Include PHP-based SSH2 layer for those without the SSH2 PHP extension

Reported by: blazerlocal Owned by: dd32
Milestone: Priority: normal
Severity: normal Version: 2.9
Component: Filesystem API Keywords: needs-patch 2nd-opinion
Focuses: Cc:

Description

I have two webhosts - webhost A and webhost B - and WP_filesystem has issues with both.

Webhost A

I have SSH/SFTP access but the ssh2 extension is not installed. Also, although I don't have FTP access, the ftp extension is installed (presumably so that I might connect to other FTP servers). As a consequence, all I'm prompted for are FTP settings that don't exist. In this particular case, a pure-PHP implementation of SFTP would be helpful. In fact, after doing a Google search, I've found such an implementation:

http://phpseclib.cvs.sourceforge.net/viewvc/%2Acheckout%2A/phpseclib/phpseclib/Net/SFTP.php

http://phpseclib.sourceforge.net/documentation/net.html#net_sftp

If Wordpress could include this, that would be very helpful. Wordpress already includes a pure-PHP implementation of FTP that doesn't require the ftp extension, so this is not without precedent.

Webhost B

I do not have an SSH account but the ssh2 extension is installed. I do, however, have an FTP account, but because Wordpress doesn't let you pick and chose which method you want to use, I can't use it. Wordpress is only prompting me for SFTP information and I believe it should instead be asking you which method you want to use - not auto-detect it.

If it were my own personal website, I'd just get a better host, but it's not - it's a website that I, in one case, am doing for my employer, and, in another case, a website I'm working on for a client. They want to control the servers on which their website is hosted and don't want to spend the time to actually customize them any more than they already have. It's annoying as hell, but it is what it is and there's not much I can do about it.

Besides, as I've already observed, Wordpress already partially caters to people with less than ideal webhosts. A good webhost would have the ftp extension installed, for example, yet Wordpress includes a pure-PHP implementation of FTP to cater to those who don't have a good webhost all the same. Why not do the same thing for SFTP?

Change History (23)

comment:1 ShaneF5 years ago

  • Component changed from General to Filesystem
  • Owner set to dd32
  • Status changed from new to assigned

Even I got confused...

comment:2 blazerlocal5 years ago

I'm confused, now, too... given that you're the only person who's responded to this bug report, I don't see how anyone else could have been confused by it?

And if something about my report is confusing, let me know - I'll try to rectify it.

comment:3 azaozz5 years ago

Yeah, looks like two tickets in one..

For the second server the preferred method can be set in wp-config with:

define('FS_METHOD', 'method_here');

This can be either 'direct', 'ssh', 'ftpext' or 'ftpsockets'.

comment:4 blazerlocal5 years ago

I think they're actually a little inseparable. Right now, if the fsockopen function is available and the ftp / ssh2 extensions aren't, FTP will be used automatically (see get_filesystem_method in wp-admin/includes/file.php). If you have an SFTP implementation that uses fsockopen, as well, then you have ambiguity. Do you do FTP or SFTP? The server could arbitrarily assume one over the other or it could present the user with a choice.

That said, I didn't know about the FS_METHOD constant - thanks!

comment:5 dd325 years ago

  • Milestone changed from Unassigned to Future Release
  • Type changed from defect (bug) to enhancement
  • Version set to 2.9

Webhost A

I have SSH/SFTP access but the ssh2 extension is not installed.

Then SSH access is not possible, Due to there being no Pure-PHP implementation of a SSH Filesystem client at the time of writing, I'll take a look at that Net_SSH2 module, But it seems like its a rather heavy Implementation of it.

Also, although I don't have FTP access, the ftp extension is installed

Then using FTP is not possible due to the server not supporting it.

Webhost B

I do not have an SSH account but the ssh2 extension is installed. I do, however, have an FTP account, but because Wordpress doesn't let you pick and chose which method you want to use, I can't use it. Wordpress is only prompting me for SFTP information and I believe it should instead be asking you which method you want to use - not auto-detect it.

The Screen for all FTP Methods(That includes SSH) has an option of which type of connection to use. "FTP, FTPS, SSH" (SSH only if its supported)

comment:6 dd325 years ago

If you have an SFTP implementation that uses fsockopen, as well, then you have ambiguity. Do you do FTP or SFTP? The server could arbitrarily assume one over the other or it could present the user with a choice.

FTPS != SFTP

While the UI doesnt show it very well, FTPS is only supported by the FTP Extension IIRC, the PHP implementations (theres 2 of them, one relying on Sockets, the other on fsockopen()) do not support FTPS (Thats Secure FTP). SFTP is obviously only supported by the SSH Extension at present.

comment:7 blazerlocal5 years ago

But it seems like its a rather heavy Implementation of it.

SSH is a rather heavy protocol. the server can use any number of encryption algorithms, public key algorithms, etc, and a client that doesn't support a good selection of them is useless as a client. besides, i would say openssh (as used by the ssh2 extension) is a heck of a lot more heavy an implementation of ssh than phpseclib. certainly it supports a lot more features. indeed, openssh is a superset of openssl and ssl and ssh have nothing to do with one another.

SFTP is obviously only supported by the SSH Extension at present.

that's what i'm proposing change.

The Screen for all FTP Methods(That includes SSH) has an option of which type of connection to use. "FTP, FTPS, SSH" (SSH only if its supported)

i don't think so... wp-admin/update.php calls WP_Filesystem() as defined in wp-admin/includes/file.php which in turn calls get_filesystem_method(). get_filesystem_method(), in turn, returns a string - not an array but a string. and methods aren't concatenated, either - it's just one method and that's it:

function get_filesystem_method($args = array()) {
	$method = false;
	if( function_exists('getmyuid') && function_exists('fileowner') ){
		$temp_file = wp_tempnam();
		if ( getmyuid() == fileowner($temp_file) )
			$method = 'direct';
		unlink($temp_file);
	}

	if ( ! $method && isset($args['connection_type']) && 'ssh' == $args['connection_type'] && extension_loaded('ssh2') ) $method = 'ssh2';
	if ( ! $method && extension_loaded('ftp') ) $method = 'ftpext';
	if ( ! $method && ( extension_loaded('sockets') || function_exists('fsockopen') ) ) $method = 'ftpsockets'; //Sockets: Socket extension; PHP Mode: FSockopen / fwrite / fread
	return apply_filters('filesystem_method', $method);
}

if $method isn't defined and the ssh2 extension is loaded (among other things), $method is set to 'ssh2' and is never overwritten or modified by any of the other lines. maybe the latest SVN lets you select the method you'd like to use but the latest released version of Wordpress does not.

comment:8 blazerlocal5 years ago

But it seems like its a rather heavy Implementation of it.

also not all of the files would even be necessary - SFTP.php does not require SSH1.php, for example. skipping out on pure-PHP SSH2 / SFTP because the implementation is "heavy" is rather like excluding PEAR from Wordpress under the fallacious assumption that you can't include any library from PEAR without including all of them. the irony, of course, being that wp-includes/wp-diff.php is derived from PEAR code (well, it was ripped from MediaWiki which in turn ripped it from PEAR).

comment:9 dd325 years ago

i don't think so... wp-admin/update.php calls WP_Filesystem() as defined in wp-admin/includes/file.php which in turn calls get_filesystem_method()

I know so.

Note this part of it: isset($args['connection_type']) && 'ssh' == $args['connection_type']

By "heavy" I meant the number of files+relative size of them. Honestly, I'd like to split the SSH into a plugin.. simply because its not used by many.. That doesnt mean its going to happen though.

I might try implementing this pure-php SSH2 as a plugin, Even if just to find if theres any downsides of it.. The only real reason why the pure-php ftp method is offered, is because a lot of people use FTP. not many use ssh. but we'll see where this takes us...

comment:10 dd325 years ago

  • Summary changed from WP_filesystem improvements to Include PHP-based SSH2 layer for those without the SSH2 PHP extension

Just found out PHP 5.3 isnt compatible with the SSH2 extension, And given it took me all day.. Looks like i'm looking into the PHP version sooner rather than later :)

comment:11 follow-up: centshonor4 years ago

It looks like this hasn't been fixed as of Wordpress 2.9 RC1. Hopefully it's still in the pipeline?

comment:12 in reply to: ↑ 11 nacin4 years ago

Replying to centshonor:

It looks like this hasn't been fixed as of Wordpress 2.9 RC1. Hopefully it's still in the pipeline?

It is currently an enhancement slated for a future release. Version 2.9 has been feature-frozen for some time. If you have a patch for a PHP-based SSH2 layer for those without the SSH2 PHP extension, that would help in getting it into 3.0.

comment:13 hakre4 years ago

It was mentioned earlier that this might be two tickets in one. I'd like to put the focus back on the file-system-method selection page within the admin. Is there still a bug that will prevent proper display for any of the scenarios describben here for Webhost A or Webhost B?

To give you a view: FTP is unsecure. That will lead to being dropped more and more on webhosts in the future which might make this problem here, which currently looks a bit isolated, more prominent. Offering a plugin looks very reasonable to me.

comment:14 hakre4 years ago

  • Keywords 2nd-opinion added

comment:15 hakre4 years ago

  • Keywords needs-patch added

comment:16 mengchu4 years ago

I don't suppose there's any chance Wordpress 3.0 will have this? I note Beta1 doesn't fix it..

comment:17 dd324 years ago

I don't suppose there's any chance Wordpress 3.0 will have this?

Absolutely no chance.. For 3.1 it'd require a user-submitted patch to add it. (As early as possible in the dev cycle). I will not be getting to this in 3.1 unless certain things change that makes me need it again.

comment:18 dd323 years ago

  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from assigned to closed

I'm closing this as wontfix on the back of #16925

I feel that we should probably focus on getting more hosts to work with the Direct class, as well as targeting the majority of users to increase compatibility with the majority.

comment:19 blazerlocal3 years ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened

I completely disagree with the whole "lets get more hosts to work with the Direct class" idea. The Direct class is a mess. You want hosts to use the Direct class? How about you get the devs of libssh2 to actively maintain it again? It took two years for it to start supporting PHP 5.3 and it only started supporting that when someone else came along and took it over from the old devs. And that they can make it compile doesn't mean they're going to be able to fix bugs with the implementation itself.

And the API just plain sucks. Private keys have to be saved on the filesystem to be loaded whereas with phpseclib all they need be is strings. You can take a key from $_POST without having to dump it to the filesystem as libssh2 requires. To top it off, libssh2 requires you have a separate file for the publickey, which is brain dead, since the private key *contains* the public key.

ssh2_exec(), from libssh2, also returns ANSI color codes and sometimes never returns output and sometimes does (it's inconsistent).

Finally, phpseclib is just plain faster:

http://kevin.vanzonneveld.net/techblog/article/make_ssh_connections_with_php/#comment_3759

Last edited 3 years ago by blazerlocal (previous) (diff)

comment:20 westi3 years ago

  • Resolution set to maybelater
  • Status changed from reopened to closed

Closing as Maybe Later.

For now we should encourage the development of a plugin which adds SFTP support.

When there is a good solution we can look at including it in core.

This is covered by #16925

comment:21 blazerlocal3 years ago

I hacked Wordpress to use phpseclib. You'll need to replace your class-wp-filesystem-ssh2.php with the following:

http://pastebin.com/iWq9UiP0

You'll then need to make the following changes:

http://pastebin.com/DBkNhap9

Only problem: when you perform an update all of this will be overwritten so you'll need to redo it for each update. A plugin would be better but this was faster to write. Maybe someone else can adapt it into a plugin or maybe the Wordpress devs can commit this to the main SVN repo.

Note that the phpseclib version doesn't require the public / private key be on the server - you can just copy / paste the private key (which includes the public key embedded within it) through an HTML form.

Last edited 3 years ago by blazerlocal (previous) (diff)

comment:22 dd323 years ago

blazerlocal: Thanks for that, My aim is to move all the ssh support into a plugin, supporting the extension and that library sounds like a good plan for the plugin.

comment:23 knuthmorris3 years ago

http://phpseclib.sourceforge.net/wordpress.htm

An SFTP plugin for Wordpress using phpseclib.

Note: See TracTickets for help on using tickets.