Applicable to:
- Plesk
Symptoms
Allowing a system user to add a key and log in to the server using an SSH public key does not work.
Cause
The home directory of each SSH user in Plesk is write-protected.
OR
Permissions of the file authorized_keys are incorrect.
Resolution
In Plesk 12.0.18 and later, this functionality can be managed with the SSH Keys Manager extension. Go to Home > Extensions > Extensions Catalog and install SSH Keys Manager.
Note: Make sure that the file authorized_keys has correct permissions. It should be accessible only by the owner:
$ ls -l ~/.ssh/authorized_keys
-rw------- 1 ftpuser psacln 399 Jul 15 2016 /var/www/vhosts/example.com/.ssh/authorized_keys
Alternatively, use the following workaround:
- As root, edit /etc/ssh/sshd_config. Add this line or change an existing one to the following:
# cat /etc/ssh/sshd_config | grep AuthorizedKeysFile
AuthorizedKeysFile .ssh/authorized_keys %h/private/.ssh/authorized_keys
This will make SSH search for the .ssh directory in another directory named private for each user, not only for the root home directory.
- Save the file and restart sshd:
# service sshd restart
To use an SSH public key, the customer has to add it to the authorized_keys file. It should be done as follows:
- Log into the customer account under the provided SSH user and run these commands:
$ cd private
$ mkdir .ssh
$ echo "insert your SSH key here" > .ssh/authorized_keys
$ chmod -R og-xrw .ssh
- Make sure the owner and group are correct:
$ chown -R ftpuser:psacln .ssh
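A check for the result of the manual steps above, added here as an example (it is not part of the original article or of Plesk): it reports when .ssh or authorized_keys under a given directory is missing, has the wrong owner, or is accessible to group or other. The function names are hypothetical; the base directory and expected owner are passed as arguments.

```shell
#!/bin/sh
# Added example: audit the key files created by the manual workaround.
# Function names are hypothetical; base directory and owner are supplied by the caller.
# Usage, following the article's sample names (run as root):
#   audit_ssh_keys /var/www/vhosts/example.com/private ftpuser

# check_path PATH OWNER: fail if PATH is missing, is not owned by OWNER,
# or has any permission bit set for group or other.
check_path() {
    path=$1; owner=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # ls -ld prints e.g. "-rw------- 1 ftpuser psacln 399 ..."
    listing=$(ls -ld -- "$path")
    mode=$(printf '%s\n' "$listing" | awk '{print $1}')
    actual=$(printf '%s\n' "$listing" | awk '{print $3}')
    # Characters 5-10 of the mode string are the group and other bits.
    go_bits=$(printf '%s' "$mode" | cut -c5-10)
    rc=0
    if [ "$actual" != "$owner" ]; then
        echo "OWNER    $path is owned by $actual, expected $owner"
        rc=1
    fi
    if [ "$go_bits" != "------" ]; then
        echo "MODE     $path is $mode, group and other must have no access"
        rc=1
    fi
    return $rc
}

# audit_ssh_keys BASE OWNER: check BASE/.ssh and BASE/.ssh/authorized_keys.
# Returns 0 only when both pass; every problem found is printed.
audit_ssh_keys() {
    base=$1; user=$2; status=0
    check_path "$base/.ssh" "$user" || status=1
    check_path "$base/.ssh/authorized_keys" "$user" || status=1
    return $status
}
```

A non-zero return means key-based login may be refused until the chmod and chown steps above are repeated.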
Comments
2 comments
Hi Faris,
Thank you for your input.
The article has been modified considering your recommendation.
This is very helpful.
But it needs to be made clear that when using the manual method (create .ssh and authorized keys in subscription's private directory), it is necessary to chown both .ssh and authorized_keys to ftpuser.root [or possibly ftpuser.psacln], where ftpuser = the ftp username shown on the page where you enable or disable ssh access for the subscription.
If this is not done, the authorized_keys file is not readable and an ssh key-based login will not be possible.
It would also be nice if it was made clear that you need to chmod og-xrw authorized_keys. Although this is hinted at right at the start, it is not as clear as some users might need it to be.