Installing Magento Patches SUPEE-5344, SUPEE-1533 – Using SSH connection and running SH script


In this article we will cover the process of installing Magento patches (SUPEE-5344, SUPEE-1533). First we will go through generation of SSH key pairs, set up of SSH connection with shared hosting and finally running the update patch.

Recently I finished working on my first e-commerce project that was built using Magento. After launching the site I received “Critical Update” messages inside the admin panel.

Whenever a patch is released to fix an issue in the code, a notice is sent directly to your Admin Inbox. If the update is security related, the incoming message is coloured in red, and marked as a “Critical Update”.

Important: New Magento Security Patch - Install it Now
It is important for you to download and install a new security patch (SUPEE-5994) from the Magento Community Edition download page. Please apply this critical update immediately to help protect your site from exposure to multiple security vulnerabilities impacting all versions of the Magento Community Edition software. Please note that this patch should be installed in addition to the recent Shoplift patch (SUPEE-5344).

Prior to this message I received Security Patch notification for downloading and implementing 2 important security patches (SUPEE-5344 and SUPEE-1533).

I have never used SSH before and it was quite obscure for me how to apply these changes. I always use my local machine to build and test applications and then I always use FTP Client - FileZilla to upload my files to the server (in most cases Shared Hosting) or upload zipped file using hosting’s file manager and extract files there.

While writing this article I did some research to find out what SSH is and how to update my Magento-based web store.

First of all I headed to Wikipedia to learn what SSH stands for:

“Secure Shell, or SSH, is a cryptographic (encrypted) network protocol for initiating text-based shell sessions on remote machines in a secure way.

This allows a user to run commands on a machine's command prompt without them being physically present near the machine. It also allows a user to establish a secure channel over an insecure network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2.”

SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user, if necessary. There are several ways to use SSH; one is to use automatically generated public-private key pairs to simply encrypt a network connection, and then use password authentication to log on.

Another is to use a manually generated public-private key pair to perform the authentication, allowing users or programs to log in without having to specify a password. In this scenario, anyone can produce a matching pair of different keys (public and private). The public key is placed on all computers that must allow access to the owner of the matching private key (the owner keeps the private key secret). While authentication is based on the private key, the key itself is never transferred through the network during authentication. SSH only verifies whether the same person offering the public key also owns the matching private key. In all versions of SSH it is important to verify unknown public keys, i.e. associate the public keys with identities, before accepting them as valid. Accepting an attacker's public key without validation will authorize an unauthorized attacker as a valid user.

Before proceeding with the creation of SSH key pair I discovered another article suggesting that it’s better to generate your own key on your machine and use that key anywhere you want to. This leads to having one unique key with your passphrase that you will be using in multiple places, so that you don’t have to keep separate keys for every SSH connection you might be using.

So before uploading the SSH key (SiteGround requires DSA only) you have to generate the key pair.

To generate the SSH key pair, open Terminal and enter the following command:

ssh-keygen -t dsa

You will then be asked which file to save the key in. You can just hit the Return key, and the default file named “id_dsa” will be created in the “.ssh” folder of your user’s home directory. Once the file is created you are asked to set a passphrase. You can continue without setting one, but setting it is recommended for extra security.

Now navigate to the “.ssh” folder in your user’s home directory (the .ssh folder is hidden, so you can select Go to Directory and type .ssh there). Inside that directory you will find the two files that were created: “id_dsa” (the private key) and “id_dsa.pub” (the public key).

NOTE: if you still can’t navigate to the .ssh folder, paste the following in Terminal: “defaults write com.apple.finder AppleShowAllFiles YES”, then relaunch Finder by holding the ‘Option/alt’ key, right-clicking the Finder icon in the Dock and clicking Relaunch. You can read my article on Show/Hide Hidden Files On Mac OS X Yosemite to learn more about it or to set up Terminal aliases.

Next the most obvious step to set up SSH/Shell Access on your account is to move your key to your hosting. There are two ways you can achieve that.

You have to copy your public key from “id_dsa.pub” file and proceed to the next step.

At SiteGround you can access the Control Panel and scroll down to the “Advanced” section, where you will find an icon titled SSH/Shell Access. As mentioned above, under the “Upload SSH key” section you should paste the DSA public key that you generated on your machine (the contents of “id_dsa.pub”) into the “Public Key (DSA only)” field and enter your IP Address. You can find your IP Address at www.whatismyip.com (there are many other similar websites).

Upload SSH Key

NOTE: In case your hosting doesn’t have the functionality of adding DSA Keychain the way SiteGround has, there is another way to add it to your account but I won’t cover it in this article.

Congrats! By now you should have generated your SSH key pair and set it up on your account. Now it’s time to establish the connection via SSH.

Using Terminal you could set up the connection via Shell Connection tab or directly type in Terminal:

You should load your private SSH key using the following command:

ssh-add /Users/mrGott/.ssh/id_dsa
Enter passphrase for id_dsa:
Identity added: id_dsa (id_dsa)

Then initiate the connection: ssh USERNAME@IP_ADDRESS -p PORT_NUMBER

USERNAME = Username of your hosting/FTP account
IP_ADDRESS = IP Address of your hosting/server
PORT_NUMBER = SSH port used by your hosting provider

So to be more specific, in my case I would do (with my own username and server address in place of USERNAME@IP_ADDRESS):
ssh USERNAME@IP_ADDRESS -p 18765

18765 is the default port for connecting via SSH at SiteGround, 2222 is used by Hostgator on shared hosting and 22 is used by Hostgator on dedicated servers. In case you are using any other hosting provider you could contact the support to find out which port is used by them for SSH connections.

By now you should have accessed your server via SSH and in order to check whether you are in the right place you could use “ls” command that will list all contents of the folder that you are in.

The website will be located in “public_html” folder and to navigate to that folder simply type cd public_html and then do “ls” again to list the folder contents, to make sure that you are in the right place.

So far so good! Now we are ready to upload Magento patches to the root directory and install them.

Before we proceed you have to close current connection by just simply typing “exit” in the terminal.

In order to upload Patch files to your public_html folder first you have to navigate to directory where your patch files are located.

My files are located on my desktop so I type “cd /Users/mrGott/desktop” to change my working directory to the desktop. Now I can refer to the patch files directly by name, as long as I’m in my desktop folder.

The command to upload a file to the server looks like this: “scp -P PORT_NUMBER FILE_NAME USERNAME@IP_ADDRESS:DESTINATION_FOLDER”.

So in my case it looks like this:
“scp -P 18765 PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh USERNAME@IP_ADDRESS:~/public_html”
and I’ll do the same thing for the second patch by simply changing the patch filename to "PATCH_SUPEE-1533_EE_1.13.x_v1-2015-02-10-08-18-32.sh".

As soon as you have finished uploading the patch files, let’s connect to the server using the command that we used previously: “ssh USERNAME@IP_ADDRESS -p 18765” (change the parameters according to yours) and navigate to the “public_html” directory.

Before you install the patch you have to change the file permissions on folders and files like this:

find . -type d -exec chmod 700 {} \;
find . -type f -exec chmod 600 {} \;

If your Magento installation is on a shared virtual server, you might need to run each command with sudo, as the super administrator.

To list all files and folders and check whether permissions have changed you can use command “ls -l” to list contents of “public_html” directory with corresponding file permissions.

NOTE: In the official documentation - Installing Patch for Magento CE, it’s recommended to create a backup of your files before you apply changes. So in case you would like to create a backup follow instructions by Magento or simply go to your Control Panel of hosting and create backup there.

It’s show time!

To run the patch file you should use the command “sh FILENAME”, in my case it looks like this:

sh PATCH_SUPEE-1533_EE_1.13.x_v1-2015-02-10-08-18-32.sh
sh PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh

When you run these commands one at a time, you should get the following messages for each:

Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.

When the process is complete, remove the patch files from the public_html folder:

rm PATCH_SUPEE-1533_EE_1.13.x_v1-2015-02-10-08-18-32.sh
rm PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh
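The run, check and remove steps above can be tied together so that a patch script is deleted only after it has reported success, and a second patch is never run after a failed first one. This is an added example, not code from Magento or from the original article; the names apply_patch, apply_all and PATCH_LOG_DIR are hypothetical.

```shell
#!/bin/sh
# Added example: apply_patch, apply_all and PATCH_LOG_DIR are hypothetical names.
SUCCESS_MSG='Patch was applied/reverted successfully.'

# apply_patch FILE
# Runs one patch script from the current directory (the Magento root), saves
# its output outside the web root, and deletes the script only on success.
apply_patch() {
    patch_file=$1
    log_dir=${PATCH_LOG_DIR:-$HOME}
    log="$log_dir/$(basename "$patch_file").log"
    if [ ! -f "$patch_file" ]; then
        echo "not found: $patch_file" >&2
        return 2
    fi
    status=0
    sh "$patch_file" >"$log" 2>&1 || status=$?
    # Require both a zero exit status and the success line quoted above.
    if [ "$status" -eq 0 ] && grep -qF "$SUCCESS_MSG" "$log"; then
        rm -f "$patch_file"
        return 0
    fi
    echo "FAILED (exit $status): $patch_file kept, output in $log" >&2
    return 1
}

# apply_all FILE...
# Applies patches in the given order and stops at the first failure, so a
# later patch is never run on top of a tree the earlier one did not change.
apply_all() {
    for p in "$@"; do
        apply_patch "$p" || return 1
    done
}

# Usage, from public_html:
#   apply_all PATCH_SUPEE-1533_EE_1.13.x_v1-2015-02-10-08-18-32.sh \
#             PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh
```

Keeping the log under the home directory rather than public_html means the patch output is not reachable through the web server.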

Now that you are finished, you have to set the file permissions back the way you had them.

So you have to run the “chmod” commands that we ran previously but with different permissions, like these (or whatever you prefer):

Magento recommends setting the file permissions as follows (run one line at a time):

find . -type f -exec chmod 400 {} \;
find . -type d -exec chmod 500 {} \;
find var/ -type f -exec chmod 600 {} \;
find media/ -type f -exec chmod 600 {} \;
find var/ -type d -exec chmod 700 {} \;
find media/ -type d -exec chmod 700 {} \;
chmod 700 includes
chmod 600 includes/config.php

But they didn’t work for me so I set my permissions to:

find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
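To see how far a tree is from the scheme Magento recommends above, the following added example (not from Magento or the original article; the function name audit_perms and the two reason labels are hypothetical) lists every file or directory that is looser than that scheme. After the 755/644 fallback it reports each owner-writable code file, and under either scheme it reports anything writable by group or others.

```shell
#!/bin/sh
# Added example: audit_perms and its reason labels are hypothetical names.

# audit_perms ROOT
# Prints "REASON<TAB>PATH" for every file or directory looser than the
# recommended scheme. Returns 0 if clean, 1 on findings, 2 on error.
audit_perms() {
    findings=$(
        cd "$1" || exit 2
        # Writable by group or others: looser than either scheme on this page.
        find . \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
            -exec printf 'group-or-world-writable\t%s\n' {} \;
        # Owner-writable outside var/, media/, includes and includes/config.php:
        # what 755/644 leaves behind compared with the recommended 500/400.
        find . \( -path ./var -o -path ./media \) -prune -o \
            \( -type f -o -type d \) \
            ! -path ./includes ! -path ./includes/config.php \
            -perm -200 -exec printf 'owner-writable-code\t%s\n' {} \;
    ) || return 2
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage, from the hosting account's home directory:
#   audit_perms public_html
```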

So this is it! Hopefully I didn’t miss anything and I hope that someday this article might help someone!