Dear Calvin,

Yes, it is true that PHP both owns and does not own the
ssh2 library (it is also true that the ssh2 library mailing list has
little experience with PHP, being mostly C or C++ programmers; I got no
solutions there).

But, please look at this issue from a slightly different point of view:
PHP definitely supports access to FTP. The FTP example (which works
perfectly) is at https://www.php.net/manual/en/ftp.examples-basic.php,
and this URL itself reveals that PHP owns the FTP functions, beyond any
doubt.

Now, the FTP functions use username and user password as the credentials
for authentication. How secure are these credentials? Assuming a strong
password, and assuming safe handling of that password, very secure.
But what if a malicious user gains access to the password file? Then the
mal can run a program to compare various strings against the password
file entry, which might not have a random salt MAC or similar good
security itself (Linux). And this is just one example of how a password
can be leaked. There are many others, including clever attacks using the
timing of operations!

For these reasons, people who do Web security are beginning to say that
FTP is not good enough. They are headed toward the position that we
should be using an RSA or similar public key system for file transfers
and deprecate FTP.

Well, that suddenly means that the obscure ssh2 library that nobody ever
cared about becomes quite important to PHP programmers, if they wish to
use PHP libraries and extensions (as they should).

So, it starts to be the case that the PHP maintainers need to consider
SFTP as an important migration pathway away from FTP, independent of
whether any libraries support it.

So we can say clearly that PHP needs to support SFTP functions on an
equal footing (that means well-documented and free of bugs) with FTP
functions.

Yet, in spite of this reasoning, the PHP project continues to disown
SFTP. This makes no sense to me.

Where are the PHP standards and futures people when we need them?

David