Summary
UPDATE : I kind of stopped using this approach after other people started touching the same environment. Another reason I stopped is that it is troublesome to compile Sass files and then upload them. It is better to do the dev work in your local environment with Git and then push it to WP Engine's remote repository (another page explains that).
So I wanted to use VS Code Remote SSH to amend the files in WP Engine, and I could not do it even though the file /usr/local/etc/ssh/usermode_sshd_config looks like it would let me do that.
# Tried this by using 2 SSH connections and that did not work
ControlMaster yes
LocalForward 127.0.0.1:12222 127.0.0.1:2222
======
channel 2: open failed: administratively prohibited: port forwarding is disabled for 127.0.0.1:2222
Therefore, I decided to attempt to establish SSH Reverse Port Forwarding from WP Engine to an Extra Server, and then use VS Code Remote SSH to connect to WP Engine through the Extra Server, because I discovered that WP Engine has the ssh command :
[VSC Remote SSH]--->[Your PC]--->[Extra Server]--->[WP Engine]
Although that method worked, the preparation is troublesome. It may be better to use another VS Code extension such as SFTP or do the coding work in another environment. Additionally, note that the connection gets cut off after 10 minutes :
WP Engine uses a sandboxed SSH “sidecar” that sits alongside your server with a timeout of 10 minutes.
UPDATE : I added ServerAliveInterval to ~/.ssh/config and that solved the above issue.
UPDATE : I kept using VSC Remote SSH for a while to do the dev work with WP Engine because I prefer applying the same way to do the dev work, and I have not had an issue so far.
Requirements
Another host (Extra Server) that you can SSH to from WP Engine.
Although this is fundamentally a copy-and-paste solution, you must be able to adapt this information to fit your own environment.
Steps
Add a new user on Extra Server to SSH from WP Engine
This user is used only for this purpose. If you want to reuse an existing user, you can skip this step.
sudo su -
# "rbash" restricts what the user can do
adduser --shell /bin/rbash --ingroup nogroup wpe_pf
# Restrict the user more
cd /home/wpe_pf
# "readonly PATH=xxx" is like "const PATH = xxx;"
# restricting what the user can see
# ($HOME/bin does not exist)
# Single quotes keep $HOME literal here, so it expands to /home/wpe_pf
# when wpe_pf logs in rather than to root's home while running this
echo 'readonly PATH=$HOME/bin' > .bash_profile
echo "export PATH" >> .bash_profile
# Run chown after .bash_profile exists so that it is covered too
chown root:root .bash_logout .bash_profile .bashrc .profile
The following setting may make the above redundant, but just in case:
/etc/ssh/sshd_config
or
/etc/ssh/sshd_config.d/101-wpe_pf.conf
======
# Prevent the user for WP Engine from doing much besides SSH
Match User wpe_pf
PermitTTY no
X11Forwarding no
PermitTunnel no
GatewayPorts no
# This does not work with "/bin/rbash"
# ForceCommand /usr/sbin/nologin
service ssh reload
exit
Create a new SSH Key
This key is used to connect to the Extra Server from WP Engine. If you want to reuse an existing key, you can skip this step.
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519.wp-engine-example -C "example@example.com"
Append the contents of ~/.ssh/id_ed25519.wp-engine-example.pub to the file ~/.ssh/authorized_keys on Extra Server.
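Because the matching private key is later stored on WP Engine, it helps to limit what that key can do on Extra Server. The following is an added example, not part of the original article: a hypothetical helper, install_tunnel_key, that writes the key into authorized_keys with options allowing only the forwards on 127.0.0.1:12222 that this article uses. It assumes OpenSSH 7.8 or later on Extra Server (needed for permitlisten).

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the article).
# Installs a public key so that it can only carry the forwards used here:
# remote listen and local open on 127.0.0.1:PORT, with no PTY, agent or X11.
# Usage: install_tunnel_key PUBKEY_FILE AUTHORIZED_KEYS_FILE PORT
install_tunnel_key() {
    pub_file=$1 auth_file=$2 port=$3

    # Port must be a number of at most 5 digits in the unprivileged range.
    case $port in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi

    # A .pub file is one line: "type base64-blob [comment]".
    ktype= kblob= kcomment=
    read -r ktype kblob kcomment < "$pub_file" || :
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-*) ;;
        *) echo "unexpected key type: $ktype" >&2; return 1 ;;
    esac
    case $kblob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key blob" >&2; return 1 ;;
    esac

    opts="restrict,port-forwarding"
    opts="$opts,permitlisten=\"127.0.0.1:$port\""
    opts="$opts,permitopen=\"127.0.0.1:$port\""

    # Build the new file beside the old one (mktemp creates it mode 0600).
    tmp=$(mktemp "$auth_file.XXXXXX") || return 1
    if [ -f "$auth_file" ]; then
        # Drop any earlier entry for the same key, restricted or not.
        awk -v blob="$kblob" '{ for (i = 1; i <= NF; i++) if ($i == blob) next; print }' \
            "$auth_file" > "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    printf '%s %s %s%s\n' "$opts" "$ktype" "$kblob" "${kcomment:+ $kcomment}" >> "$tmp"
    mv "$tmp" "$auth_file"
}

# On Extra Server:
# install_tunnel_key ~/.ssh/id_ed25519.wp-engine-example.pub ~/.ssh/authorized_keys 12222
```

Running it again replaces the earlier entry for the same key instead of appending a duplicate.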
Place 2 files at WP Engine
To begin, SSH to WP Engine via the terminal.
Copy the private SSH key ~/.ssh/id_ed25519.wp-engine-example to /sites/example/_wpeprivate/id_ed25519.wp-engine-example, and then run :
chmod 400 /sites/example/_wpeprivate/id_ed25519.wp-engine-example
and then create a new script (where ssh-ed25519 AAAAAAAAAAAA... represents your public SSH key) :
/sites/example/_wpeprivate/ssh-reverse-pf.sh
======
#
# It may be better to keep a copy of this script on your PC
# in case you copy a WP Engine environment from one that does not have this script
#
# Location of the SSH file in WP Engine
SSH_AUTH_FILE=~/.ssh/authorized_keys
# SSH Private Key for Extra Server
SSH_IDENT_FILE=/sites/example/_wpeprivate/id_ed25519.wp-engine-example
# SSH Public Key for WP Engine
# Using the same key as for Extra Server is easier to manage
# because this script may get wiped out when copying the environment
# from a source environment that does not have this script
SSH_PUB_KEY='ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA example@example.com'
SSH_SERVER=my_user@my-server.com
SSH_PORT=12222
# Append the public key only if it is not already present,
# so that reconnecting does not keep adding duplicate lines
chmod 600 "$SSH_AUTH_FILE" && \
{ grep -qxF "$SSH_PUB_KEY" "$SSH_AUTH_FILE" || echo "$SSH_PUB_KEY" >> "$SSH_AUTH_FILE"; } && \
echo "Establishing Reverse Port Forwarding" && \
ssh -C -o StrictHostKeyChecking=accept-new -i "$SSH_IDENT_FILE" -R "127.0.0.1:$SSH_PORT:127.0.0.1:2222" "$SSH_SERVER"
and then change the permission :
chmod 700 /sites/example/_wpeprivate/ssh-reverse-pf.sh
and log out from WP Engine.
Amend ~/.ssh/config
Host *
    PermitLocalCommand yes

Host wp-engine
    HostName example.ssh.wpengine.net
    User example
    IdentityFile ~/.ssh/id_ed25519.wp-engine-example
    Compression yes
    ServerAliveInterval 60
    RequestTTY yes
    LocalCommand ssh-keygen -R "[localhost]:12222"
    RemoteCommand /sites/example/_wpeprivate/ssh-reverse-pf.sh

Host extra-server
    HostName extra-server.com
    User my_user
    IdentityFile ~/.ssh/id_ed25519.wp-engine-example
    Compression yes
    LocalForward 127.0.0.1:12222 127.0.0.1:12222

Host wp-engine-pf
    HostName localhost
    User wpe-user
    Port 12222
    IdentityFile ~/.ssh/id_ed25519.wp-engine-example
    StrictHostKeyChecking accept-new
Note : If you need to handle multiple WP Engines, you may need to create multiple settings. For each additional setting, use a different port number instead of "12222" (which is used as an example in this article).
Log in to WP Engine
ssh wp-engine
# OR
# Keep running with the infinite loop
# in case "ServerAliveInterval" does not work
# because it gets cut off every 10 minutes...?
while true; do ssh wp-engine; sleep 2; done
The above "ssh" command establishes an SSH connection to WP Engine and then runs the script ssh-reverse-pf.sh to establish another SSH connection to Extra Server.
That other SSH connection is initiated by WP Engine, and it creates a port forward that carries data from Extra Server to WP Engine (the SSH server in WP Engine). It is called Reverse Port Forwarding because WP Engine initiates the SSH connection but the port forwarding runs the other way round :
# "ssh" command
[Your PC]---SSH--->[WP Engine]
# The script "ssh-reverse-pf.sh"
[WP Engine]---SSH--->[Extra Server]
[Extra Server]---Port Forward--->[WP Engine]
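Once the reverse forward is up, the listener it creates on Extra Server should be bound to loopback only, since the script requests 127.0.0.1 as the listen address. The following is an added example, not part of the original article: a hypothetical helper, check_forward_bind, that reads `ss -ltn` output and reports any listener on the forwarded port that is reachable from other hosts. The sample inputs are constructed, and the iproute2 column layout of ss is assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the article).
# Reads `ss -ltn` output on stdin and checks every listener on PORT.
# Exit status: 0 = loopback only, 1 = reachable from other hosts,
#              2 = nothing is listening on PORT (the tunnel is down).
# Usage: ss -ltn | check_forward_bind PORT
check_forward_bind() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                      # "Local Address:Port" column
            n = split(addr, parts, ":")    # the port is the last piece
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            seen = 1
            if (host !~ /^127\./ && host != "[::1]") {
                print "exposed listener: " addr
                bad = 1
            }
        }
        END { exit (bad ? 1 : (seen ? 0 : 2)) }'
}

# Constructed sample: loopback-only listeners on 12222 (IPv4 and IPv6).
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      128        127.0.0.1:12222      0.0.0.0:*
LISTEN 0      128            [::1]:12222         [::]:*'

# Constructed sample: the same port bound to the wildcard address.
SAMPLE_EXPOSED='LISTEN 0      128          0.0.0.0:12222      0.0.0.0:*'

# Live use on Extra Server:  ss -ltn | check_forward_bind 12222
```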
Log in to Extra Server
ssh extra-server
This SSH connection forwards the data from VS Code Remote SSH to Extra Server so that the extension can SSH to WP Engine :
[Your PC]------>[Extra Server]------>[WP Engine]
Connect to WP Engine with VS Code Remote SSH
Have the setting Remote.SSH: Enable Remote Command ticked.
SSH to Your PC (with wp-engine-pf in this example).
[VSC Remote SSH]--->[Your PC]--->[Extra Server]--->[WP Engine]
ToDo
Create my first VS Code Extension that does the things above once the settings are created...?
Top comments (2)
Thank you! This is a brilliant solution to a problem that WP Engine should fix. Perhaps they just want us to use Local? Unfortunately for me, Local doesn't work on multisite installations of WordPress.
Thank you for reading. I hope the solution works out at your side. I perceived they think we are supposed to be able to use VS Code Remote SSH out of the box.