[wp-trac] [WordPress Trac] #52409: Upload method SSH2 shouldn't use hardwired ssh-rsa hostkey

WordPress Trac noreply at wordpress.org
Mon Feb 1 06:16:26 UTC 2021


#52409: Upload method SSH2 shouldn't use hardwired ssh-rsa hostkey
----------------------------+------------------------------
 Reporter:  richybkreckel   |       Owner:  (none)
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  Awaiting Review
Component:  Filesystem API  |     Version:
 Severity:  normal          |  Resolution:
 Keywords:  dev-feedback    |     Focuses:
----------------------------+------------------------------

Comment (by dd32):

 > I wonder if we need to set the algorithm at all? Can't we let SSH just
 negotiate one from its set of supported algorithms?

 Looking at the docs, I don't see any requirement for it to be set, and I
 don't recall any need for it to be set, so removing it makes sense to me.

 All the examples of using key based authentication with SSH include it,
 but looking at the latest source for the ssh2 extension, it looks like
 it's optional, it could potentially just be a hold-over from when ssh-dsa
 certificates were common and considered old.

 If testing without it indicates that it still uses key authentication,
 then removal should be okay. If removal proves problematic, it could be
 updated to simply be `"ssh-rsa,ssh-ed25519"` I think based on my reading of
 the libssh docs. Unsupported types by the libssh would be ignored.

 Note: I encourage everyone using the built-in SSH to consider keeping in
 mind the [https://wordpress.org/plugins/ssh-sftp-updater-support/ plugin
 which offers a pure-PHP implementation of it], as the PHP extension has
 been known to have incompatibilities from time-to-time.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52409#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
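
One way to run the test suggested in the comment above, as an added example (not WordPress core code and not written by the commenter): connect with the `hostkey` method pinned, listed, and left unset, then report which host key algorithm was negotiated and whether public key authentication still succeeds. Host, port, user and key paths are placeholders supplied on the command line; the script name is hypothetical.

```php
<?php
// Added example: compares ssh2_connect() with and without a pinned 'hostkey'
// method. All connection details are placeholders taken from argv.
if (!extension_loaded('ssh2')) {
    fwrite(STDERR, "ssh2 extension not loaded\n");
    exit(2);
}
if ($argc < 6) {
    fwrite(STDERR, "usage: php hostkey_check.php HOST PORT USER PUBKEY PRIVKEY\n");
    exit(2);
}
[, $host, $port, $user, $pub, $priv] = $argv;

function probe(string $host, int $port, ?array $methods,
               string $user, string $pub, string $priv): array
{
    // Passing no methods array lets libssh2 negotiate the host key type.
    $session = $methods === null
        ? @ssh2_connect($host, $port)
        : @ssh2_connect($host, $port, $methods);
    if ($session === false) {
        return ['connected' => false, 'hostkey' => null, 'pubkey_auth' => false];
    }
    $negotiated = ssh2_methods_negotiated($session);
    $authOk = @ssh2_auth_pubkey_file($session, $user, $pub, $priv);
    ssh2_disconnect($session);
    return [
        'connected'   => true,
        'hostkey'     => $negotiated['hostkey'] ?? null,
        'pubkey_auth' => $authOk,
    ];
}

$cases = [
    'pinned ssh-rsa'      => ['hostkey' => 'ssh-rsa'],
    'ssh-rsa,ssh-ed25519' => ['hostkey' => 'ssh-rsa,ssh-ed25519'],
    'no hostkey method'   => null,
];
foreach ($cases as $label => $methods) {
    $r = probe($host, (int) $port, $methods, $user, $pub, $priv);
    printf("%-20s connected=%s hostkey=%s pubkey_auth=%s\n",
        $label,
        $r['connected'] ? 'yes' : 'no',
        $r['hostkey'] ?? '-',
        $r['pubkey_auth'] ? 'yes' : 'no');
}
```

A server that no longer offers `ssh-rsa` host keys shows up as `connected=no` only in the pinned row, while the other rows report the algorithm actually negotiated.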

