Applicable to:
- Plesk for Linux
Question
How to give limited SSH access to a Plesk domain's system user?
Answer
Warning: SSH access lets the domain owner log in to the SSH interface under the subscription's system user account with non-administrative access. It can be provided only to the domain's system user. This type of access does not allow the user to run administrative commands, and it cannot be used to apply instructions from other Plesk articles. The user's home folder will be the one specified in Plesk > Domains > example.com > Hosting Settings.
Video instruction "How to provide SSH access for domain's system user"
Note: If the menus are different, upgrade to the latest Plesk version or contact the server's administrator/hosting provider.
- Go to Plesk > Domains > example.com > Web Hosting Access.
- Set the appropriate user shell in the Access to the server over SSH field (check this article to get information about the different types of shells):
  Note: The non-selectable Forbidden value for non-admin users means that the Management of access to the server over SSH permission is set to Not allowed in the subscription and/or service plan settings by the service provider. Follow the instructions from this article to add this permission to the subscription.
  The values Forbidden, /sbin/nologin and /usr/sbin/nologin deny SSH access to the user; all other options allow SSH access.
- Click the OK button to apply the changes.
- To verify that SSH access is provided to the john_doe user, do the following:
  - Connect to the server via SSH.
  - Execute the following command:
    # grep john_doe /etc/passwd
    john_doe:x:10001:1003::/var/www/vhosts/example.com:/usr/local/psa/bin/sh
To provide SSH access to all Plesk users of subscriptions with the same service plan (only for Service Provider view), do the following:
Note: If the menus are different, upgrade to the latest Plesk version or contact the server's administrator/hosting provider.
- Select the required environment in the Plesk > Service Plans > Default > Hosting Parameters > SSH access to the server shell under the subscription's system user drop-down list:
- Go to the Permissions tab in Plesk > Service Plans > Default and set Management of access to the server over SSH to Not Allowed in order to propagate the new value to all existing subscriptions:
  If Management of access to the server over SSH is allowed, the change will not be propagated to existing subscriptions, only to newly created ones.
  See the Plesk Guide for more details: to preserve the modifications made by customers, Plesk does not sync a plan property if the related permission is granted.
- Click the Update & Sync button to apply the changes and synchronize subscriptions with the service plan.
- To verify that SSH access is provided to the john_doe user, do the following:
  - Connect to the server via SSH.
  - Execute the following command:
    # grep john_doe /etc/passwd
    john_doe:x:10001:1003::/var/www/vhosts/example.com:/usr/local/psa/bin/sh
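Added example (not part of the original Plesk article and not Plesk code): the grep check above matches substrings, so `grep john_doe` also returns accounts such as `john_doe_dev`. The script below matches the user name exactly and classifies every account whose home is under /var/www/vhosts using the shell rule stated in both procedures. All sample passwd lines except john_doe's are constructed, and treating /bin/false as the stored form of Forbidden is an assumption.

```shell
#!/bin/sh
# Added example, not Plesk code. Reads passwd-format lines on stdin.
VHOSTS_ROOT="/var/www/vhosts"   # home prefix taken from the article's sample output

# Shells that deny SSH login. The nologin paths come from the article;
# /bin/false is an ASSUMPTION for how "Forbidden" is stored in /etc/passwd.
classify_shell() {
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) echo denied ;;
        *) echo allowed ;;   # includes an empty field, which means /bin/sh
    esac
}

# Print "user shell status" for each account whose home is under VHOSTS_ROOT.
audit_ssh_access() {
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        case "$home" in
            "$VHOSTS_ROOT"/*)
                printf '%s %s %s\n' "$user" "${shell:-/bin/sh}" "$(classify_shell "$shell")" ;;
        esac
    done
}

# Exact-match lookup of one user; returns 1 when the account does not exist.
user_ssh_status() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        if [ "$user" = "$1" ]; then
            classify_shell "$shell"
            return 0
        fi
    done
    return 1
}

# Constructed sample data; only the john_doe line is from the article.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
john_doe:x:10001:1003::/var/www/vhosts/example.com:/usr/local/psa/bin/sh
john_doe_dev:x:10002:1003::/var/www/vhosts/example.org:/bin/bash
jane_roe:x:10003:1003::/var/www/vhosts/example.net:/usr/sbin/nologin
EOF
}

# On a server, feed real data instead: getent passwd | audit_ssh_access
sample_passwd | audit_ssh_access
```

A non-zero exit from `user_ssh_status` means the name is not a system account on the server, which is also what an empty grep result indicates.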
Note: The functionality to provide SSH access for a particular folder, like /var/www/vhosts/example.com/httpdocs/ or /var/www/vhosts/example.com/httpdocs/dir1 is not implemented in Plesk. Take part in our product improvement and vote for this feature on Plesk UserVoice.
The top-ranked suggestions are likely to be included in the next versions of Plesk.
Comments
11 comments
Hi, how do I allow permission to user over SFTP to only httpdocs folder not root?
@Umar Mughal
Hello!
Such functionality is not implemented in Plesk.
SFTP works over SSH and subscription users are able to access all files of subscription.
New features may be suggested here.
Alright Thanks!
Sorry, to ask this simple question. I executed the command with john_doe and got no output. Is the name john_doe only a placeholder for a real name (customer) or is john_doe himself a real account? I mean, does john_doe already exist by perhaps Plesk or Ubuntu 18 or do I have a greater problem with permissions?
Another important question is, which type of access is usually used by hosters? The first one (/bin/sh) or what do you suggest?
Hello @Markus,
john_doe is a placeholder, you should use the name of a subscription system user instead, it may be checked here:
> Another important question is, which type of access is usually used by hosters?
It depends on preferences, from my experience, the most common are:
Forbidden, /bin/bash and /bin/bash (chrooted)
Thank you very, very much for this support. Plesk and Plesk support is great.
@Markus Wernecke
Thank you for your kind words! We are always glad to help :)
If you disable Plesk SSH, how can you still provide SFTP access to the end user to upload the web content? Isn't SFTP part of SSH? If you disable SSH port, it will disable SFTP as well?
Our security team don't like SSH access open to the internet.
Hello @swang liao,
Thank you for your question.
If SSH is completely disabled on the server, then SFTP will not work as well.
However, it is possible to enable SFTP Without Shell Access if the additional configuration is done.
More information on this matter you may find on this third-party resource: How To Enable SFTP Without Shell Access
To improve the server security and continue using SSH, please check the following article: How to secure a Plesk server
The command produces an error:
-bash: username:x:10001:1003::/var/www/vhosts/domain.com:/usr/local/psa/bin/sh: No such file or directory
Hello Justin McMahon,
The command to put into a terminal window is the first line that starts with symbol "#", i.e. "grep john_doe /etc/passwd". The second line in the example is the resulting output.