SFTP is not available for additional FTP users

12 comments

  • Permanently Deleted User

    This method seems to work with Plesk 12.x on CentOS 6.5, but not anymore with Onyx on CentOS 7. The user can still log on but is not chrooted; it has access to the whole vhost!

  • Artyom Baranov

    Hello Tim,

    Changing the shell for an additional user to `/usr/libexec/openssh/sftp-server` only grants him the permission to connect over SFTP.

    That does not enable chrooted access and is not officially recommended.

  • Maik Vattersen

    Enable SFTP Login like below, let customers Browse the Filesystem.

    They are able to see other domain and system folders, but are unable to get into these directories. BUT they can download configs from /etc and other paths!

    I didn't find a quick solution to enable SFTP for customers with a chroot environment.

  • Taras Ermoshin

    Hi @Maik Vattersen!

    In Plesk, chrooted SFTP access is possible only for the subscription's system user.

    Additional FTP users of the subscription have the same UID as the system user, and because of that, the chrooted shell cannot be used for them, but only non-chrooted SFTP as described in this article.

    If you think SSH access for the additional FTP users is to be implemented in Plesk, feel free to create a feature request (or vote for an existing one) on the UserVoice portal. If a request gets many votes, it will be considered for implementation.

    As for not accessing files of other subscriptions and accessing configuration files in /etc and other locations, this behavior is expected - subscription directories have permissions 710 (drwx--x---), and the majority of the /etc subdirectories have the read permission for other users.

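To find accounts in the state this thread describes (an additional FTP user that shares the system user's UID and has its shell set to `/usr/libexec/openssh/sftp-server`, so its SFTP session is not chrooted), a passwd audit along these lines can be used. It is an added example, not part of the thread and not Plesk's own code; the chrooted shell path, the list of no-session shells and the sample accounts are assumptions.

```python
from collections import defaultdict

# Assumptions, not taken from the thread: the path of Plesk's chrooted shell,
# and that these shells refuse a session when sshd uses the external sftp-server.
CHROOT_SHELLS = {"/usr/local/psa/bin/chrootsh"}
NO_SESSION_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample in /etc/passwd format (not real accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
example:x:10001:1003::/var/www/vhosts/example.com:/usr/local/psa/bin/chrootsh
sdm3:x:10001:1003::/var/www/vhosts/example.com/partecip:/usr/libexec/openssh/sftp-server
upload2:x:10001:1003::/var/www/vhosts/example.com/httpdocs:/bin/false
other:x:10002:1004::/var/www/vhosts/example.org:/bin/false
"""


def parse_passwd(text):
    """Yield (name, uid, home, shell) for every well-formed passwd line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[2].isdigit():
            yield fields[0], int(fields[2]), fields[5], fields[6]


def audit_shared_uid(text):
    """Report accounts that share a UID and can open a non-chrooted session."""
    by_uid = defaultdict(list)
    for entry in parse_passwd(text):
        by_uid[entry[1]].append(entry)
    findings = []
    for uid, entries in sorted(by_uid.items()):
        if len(entries) < 2:
            continue  # skip UIDs used by a single account
        chrooted = [name for name, _, _, shell in entries if shell in CHROOT_SHELLS]
        for name, _, home, shell in entries:
            if shell not in CHROOT_SHELLS | NO_SESSION_SHELLS:
                findings.append({"user": name, "uid": uid, "shell": shell,
                                 "home": home, "chrooted_peers": chrooted})
    return findings


if __name__ == "__main__":
    for f in audit_shared_uid(SAMPLE_PASSWD):
        print(f"{f['user']} (uid {f['uid']}): {f['shell']} is not chrooted; "
              f"chrooted accounts on the same UID: {f['chrooted_peers']}")
```

On a server, pass the contents of `/etc/passwd` to `audit_shared_uid` instead of the constructed sample.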
  • Serverfarm

    That bash script doesn't work anymore, can you update it?

  • Pavel Rozental

    Hello Serverfarm,

    Thank you for the notice. The script was updated.

  • Digital Sparks Srl

    Hello, this bash script on my server produces only this operation:

    # ./213912005_clone_shell.sh sdm3

    changing sdm3 shell from /sbin/nologin to /bin/false

    After this operation, the test has the same error: Received unexpected end-of-file from SFTP server.

    How can I solve this?

    Thank you all!

  • Francisco Garcia

    Hi Digital Sparks Srl,

    Please check first if the main FTP user has chroot shell in Domains > example.com > Web Hosting Access > Access to the server over SSH.

    I've just tested the script and it works fine on my CentOS 7.

    Connection to example.com... Please wait.
    Connected to example.com.
    Starting SSH authentication...
    Trying SSH authentication GSSAPI_WITH_MIC...
    SSH GSSAPI_WITH_MIC authentication failed.
    SSH PUBLICKEY authentication failed.
    SSH PUBLICKEYAGENT authentication failed.
    Trying SSH authentication PASSWORD...
    SSH authentication success!
    SFTP connection started.
    SFTP session started!
    Opening directory /...
    Open directory command received
    Directory content listed

  • Digital Sparks Srl

    Hi, thanks! Now it works, but the user views ALL directories... Is it possible to limit access to only the assigned folder?

  • Francisco Garcia

    Hi Digital Sparks Srl,

    Just set a home directory which is not /, for example: /httpdocs. The user with home /httpdocs won't be able to get to / or /logs, only /httpdocs/WhateverHere.

    Additional info here.

  • Digital Sparks Srl

    Hi Francisco, I did this procedure, inserting the directory (example "partecip").

    But from the FileZilla client the user can also navigate in other folders of the same level and / or previous ones. I would like to limit access to the only and exclusive folder "partecip".

    Thanks for your consideration

  • Francisco Garcia

    Hi Digital Sparks Srl,

    Then, please open a support request here, so that it's investigated properly since I couldn't reproduce the behavior you describe in my test env.
