Articles in this section

See more

SFTP does not restrict user to the subscription's directory

Avatar
Mikhail Shport
Updated
Follow
Plesk for Linux kb: technical ABT: Group A

Applicable to:

  • Plesk for Linux

Symptoms

  • /bin/bash (chrooted) is selected as a shell in Plesk > Domains > example.com > Access to the server over SSH

  • The restriction to the /var/www/vhosts/example.com is active in the SSH session:

    # ssh user@192.0.2.2
    bash-4.2$ echo -n 'SFTP restrictions '; [[ -e /httpdocs ]] && echo 'active' || echo 'inactive'
    SFTP restrictions active

  • The restriction is not active in the SFTP (it is possible to traverse to the real root):

    border_plus_2018-05-30_05_06_58-sftp___sitebuilder_10.39.81.93_-_FileZilla.png

Cause

Subsystem sftp is set to the internal-sftp in the SSHD configuration:

# grep sftp /etc/ssh/sshd_config | grep -v '^#'
Subsystem sftp internal-sftp

Note: internal-sftp is not compatible with the Plesk chrooted shell configuration for SFTP.

Resolution

Switch back to the default STFP subsystem:

  1. Connect to the server via SSH

  2. Comment out currently existing sftp subsystem configuration:

    Note: A backup will be placed to the /etc/ssh/sshd_config.bkp.

    # sed -i.bkp '/sftp/s/^/#/g' /etc/ssh/sshd_config

  3. Add the default binary path to the configuration:

    • Ubuntu/Debian:

      # echo 'Subsystem sftp /usr/lib/openssh/sftp-server' >> /etc/ssh/sshd_config

    • CentOS/RHEL-based:

      # echo 'Subsystem sftp /usr/libexec/openssh/sftp-server' >> /etc/ssh/sshd_config

  4. Check the SSHD configuration:

    # sshd -t

    Note: In case no output was returned, the configuration is correct.

  5. Reload the SSHD to apply new configuration:

    # service sshd reload

Note: Sometimes, it might be needed to rebuild chroot template to re-apply the settings.

Comments

3 comments

Sort by Date Votes
  • Avatar
    Alex (Edited )

    I have rebuilt chroot template, which added '/usr/libexec/openssh/sftp-server' -> '/var/www/vhosts/chroot/usr/libexec/openssh/sftp-server' , but i still can't connect via SFTP.

    FileZilla shows - FATAL ERROR: Received unexpected end-of-file from SFTP server

    WinSCP - Cannot initialize SFTP protocol. Is the host running an SFTP server?

    I am able to connect to the chrooted env. via ssh, with restrictions in place:

    bash-4.2$ echo -n 'SFTP restrictions '; [[ -e /httpdocs ]] && echo 'active' || echo 'inactive'
    SFTP restrictions active

    sftp subsystem is set to:

    Subsystem sftp /usr/libexec/openssh/sftp-server

    Any suggestions?

    Thank you

    0
    Comment actions Permalink
  • Avatar
    Francisco Roman Garcia Rodriguez

    Hi Alex,

    Please check if as root user, the SSHd service has the subsystem SFTP set properly at /etc/ssh/sshd_config.

    0
    Comment actions Permalink
  • Avatar
    Peter Long (Edited )

    What is the point to provide instructions to correct the "FATAL ERROR: Received unexpected end-of-file from SFTP server" problem to allow additional  ftp users only to discover the added ftp user has root access and the only solution is to provide instruction to switch back!!!

    https://support.plesk.com/hc/en-us/articles/360019156579?input_string=fatal+error%3A+received+unexpected+end-of-file+from+sftp+server

    Why cant Plesk just add additional ftp users without issues...? why is it so complicated having to search for a solution... mess about trying to figure how to modify the sshd_config file and then to discover its useless anyway you may aswell provide the administrators root password for the ftp user, I don't have this problem with Cpanel

     

     

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles