Subject: Re: Request for help for beginner, thanks!

Re: Request for help for beginner, thanks!

From: Dan Fandrich <>
Date: Thu, 21 Jan 2021 08:51:17 -0800

On Mon, Jan 18, 2021 at 02:13:15PM -0500, David Spector wrote:
> Thank you for taking the time to share your opinions. They certainly differ
> from mine, and deserve a thoughtful response.
> "Try getting one of the example programs working in a simplified case then
> only then alter it."
> That is EXACTLY what I tried to do in my last posting! I took the existing
> example and tried to use it, unaltered. It did not work.
> I'm not asking others to help me debug my code (which is actually valid,
> too). I'm asking (again and again) for a working example that uploads a file
> using a private key, nothing else. I am fully capable of modifying it myself
> once I have it.

There's nothing wrong with asking for help, but your request listed nine
highly specific requirements of a result that would be acceptable to you.

> Why, then, are you so emphatic in stating, twice, that I must hire another
> programmer to use the ssh2 functions? I believe the answer is that you are
> extremely defensive, probably because you are personally responsible for
> much of that code and believe that you have also documented the library
> fully. Somehow you have construed my innocent and somewhat desperate
> question as an attack on your baby.

Your message came across to me more as a Request For Quotation than a plea for
help. There are many examples of PHP code using libssh2 and cURL and they
aren't all broken. I, of course, have no idea how much effort you've already
put into this, but I got the impression that you hadn't exhausted reasonable
efforts to help yourself first. And please don't try to tell me what I believe.

> Better to say nothing than to insult someone who has asked so sincerely for
> help, and has followed up each reply as conscientiously as I have.

I did not mean to insult you, and I'm sorry that you took it that way. But you
also need to take care not to insult us and our valuable time by asking us to
write your code for you, and that's what I got from your message. I also saw no
indication you investigated my suggestion of using libssh2 through cURL. I just
ran the simple PHP cURL code given in the Stackoverflow link I provided you
(verbatim, except using local paths), and it uploaded a file with sftp, using
libssh2, from a local file, from a local private key file, via a local server
URL in a browser, without prompting the user while silently uploading the file.
That's 7 or 8 of your 9 criteria. Leaving the rest as an exercise to the
reader didn't seem unreasonable to me.

> Has anyone in the world succeeded in uploading a file using ssh2? I'm
> beginning to think not. Else why would it take so many days to find a
> working example?

Certainly they have, using libssh2 with cURL, at least. I've never had the need
for the low-level control that using libssh2 gives you directly compared to
libcurl, and even less often the need to use it through PHP, so I can't given
an answer on that.

> All I am asking is for the same example as FTP but that works securely,
> using sFTP. Am I not being reasonable? If not, why not?
> I have found this library to have been documented at an inferior level to
> other libraries and function categories, mainly in that its primary example
> does not work, and that there is no clear and working example of using sFTP
> with a private key, and also because of its use of unclear jargon in many
> function descriptions (example: the words "key" and "password" actually can
> apply to two or more different parameters of the sFTP protocol; the
> documentation uses them ambiguously).

Documentation is seldom good enough for any software, but there are 11 example
programs using sftp included within libssh2 itself and many more elsewhere on
the Internet. The ssh protocol is complicated and the libssh2 documentation
doesn't try to teach that. The advice given here on many occasions is to go
read the SSH RFCs to understand the protocol before trying to use libssh2. The
API makes a lot more sense having a base understanding of the protocol itself.

> If it is indeed true, as you seem to be implying, that neither you nor
> anyone else on this mailing list has written simple code to upload a file, I
> am astounded. How is it possible to implement an entire security library,
> claiming to implement sFTP as a substitute for FTP, yet never to have
> written simple and working code that uses it? For, if you had, you could
> simply find that working code on your computer and share it with me instead
> of attacking me and/or the nature of my question.

I have no idea where you're getting any of this impression from. I've pointed
you to code that uploads a file in almost exactly the way you asked for, given
you to the libssh2 option that does the remaining 12% and pointed you to
example code using the libssh2 API for sftp. If this is an attack, then
clearly, there's a communication gap here.

> Did the ssh2 library really get released without a thorough test suite that
> includes uploading a file? Horrors.

You seem to be confusing libssh2, a C library, with the PHP binding to libssh2.
This forum is for the former, not the latter. I don't think you'll find many
people with PHP experience here, as you're probably already discovered. Perhaps
that's the source of some of your frustration. libssh2 is a C library that
someone else has wrapped in PHP, and this is (I hope) not the best place for
information on the latter.

> I am not asking for anyone to design an entire program for me. I'm only
> asking (again and again and again) for a simple working example of sFTP code
> using functions that are documented in the PHP Manual (working means the PHP
> output is included and the file was indeed uploaded).

Take another look at the link I sent. There are 17 lines of PHP code there that
do 78% of what you ask for.

> Surely you don't believe that modern cryptographic methods should be kept
> secret because you believe that secrecy enhances their cryptographic
> security? I hope not, because it is a cornerstone of modern cryptography
> that its methods be made fully public.

My argument is exactly the opposite--that this information isn't secret and is
already out there for you.

> And, finally, if the ssh2 library cannot actually upload a file using a
> private key, which I am beginning to suspect, this important fact should
> simply be admitted and documented. Then we can turn to cURL, phpseclib, or

I think the more than hundreds of thousands of Debian users alone with libssh2
installed would beg to differ.

> other solutions instead of banging our head against the wall with the PHP
> ssh2 library.

The PHP libssh2 binding is a completely different question. I, and probably
most people here, can't say much about that.

Received on 2021-01-21