Applicable to:
- Plesk for Linux
Question
The SSH Terminal extension is available in Plesk 18.0.37 and later. With this extension, the Plesk administrator can access the SSH console on behalf of the root user.
How to disable root access for the Plesk administrator?
Answer
By default, Plesk runs utilities or scripts on behalf of the root user in the following cases:
- When the Plesk administrator creates a scheduled task and selects to run it as root.
- When the Plesk administrator creates an event handler and selects to run the associated command as root.
- When the Plesk administrator and/or subscription owners use the SSH Terminal extension.
There are three ways to disable the root access:

- Lock files in the `$PRODUCT_ROOT_D/var/` directory. This is the most reliable way, and it disables the root access all round: in scheduled tasks, event handlers, and SSH Terminal.
  - Log in to the server as root via SSH.
  - Create an empty file named `root.crontab.lock` in the `$PRODUCT_ROOT_D/var/` directory. This will prevent admin users from running cron tasks and viewing scheduled tasks to be run as root.
  - Create an empty file named `root.event_handler.lock` in the `$PRODUCT_ROOT_D/var/` directory. This will prevent admin users from creating event handlers running as root.
  - Once you complete the two previous steps, SSH Terminal will not expose the root access.

  NOTE: `$PRODUCT_ROOT_D` is `/usr/local/psa` on RPM-based systems and `/opt/psa` on Debian-based systems.

- `panel.ini`, for the Plesk administrator only. This does not disable the root access in scheduled tasks and event handlers.
  - Disable root access using the following panel.ini option:

    [ext-ssh-terminal]
    rootAccessAllowed = false

  - To prevent panel.ini from being edited from the Plesk GUI, add the 'Panel.ini Editor' extension to the blacklist (it will not be possible to install it on the server) using the following panel.ini option:

    [extensions]
    blacklist = panel-ini-editor

- `panel.ini`, for both the Plesk administrator and subscription owners. This does not disable the root access in scheduled tasks and event handlers. Add the 'SSH Terminal' and 'Panel.ini Editor' extensions to the blacklist (it will not be possible to install them on the server) using the following panel.ini option:

    [extensions]
    blacklist = ssh-terminal, panel-ini-editor

Note: Plesk partners may blacklist the installation of this extension using the instruction.
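
To check which of the restrictions above are actually in effect (the two lock files and the two panel.ini options), the following added example, which is not Plesk's own code, audits a Plesk root directory. It assumes panel.ini is at `$PRODUCT_ROOT_D/admin/conf/panel.ini`; the function names are hypothetical and the sample tree is constructed.

```shell
# Added example (not Plesk code). Assumed: panel.ini is $PRODUCT_ROOT_D/admin/conf/panel.ini.

# ini_get FILE SECTION KEY: print the last value of KEY inside [SECTION], if any.
ini_get() {
    [ -r "$1" ] || return 0
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[;#]/ { next }                                  # comment line
        /^[ \t]*\[/   { gsub(/[ \t\r]/, ""); cur = $0; next }   # section header
        cur == sec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# in_list CSV ITEM: succeed only if ITEM is a whole entry of the comma-separated list.
in_list() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | grep -qxF -- "$2"
}

# audit_root_access PRODUCT_ROOT_D: print one "control=state" line per restriction.
audit_root_access() {
    root=$1; ini="$root/admin/conf/panel.ini"; n=0
    # Lock files: both must exist before SSH Terminal stops exposing root.
    for f in root.crontab.lock root.event_handler.lock; do
        if [ -e "$root/var/$f" ]; then n=$((n + 1)); fi
    done
    case $n in 2) s=enforced ;; 1) s=partial ;; *) s=missing ;; esac
    echo "lock_files=$s"
    # [ext-ssh-terminal] rootAccessAllowed = false (administrator only).
    v=$(ini_get "$ini" ext-ssh-terminal rootAccessAllowed | tr 'A-Z' 'a-z')
    if [ "$v" = false ]; then echo "terminal_root=disabled"; else echo "terminal_root=allowed"; fi
    # [extensions] blacklist entries: SSH Terminal itself and the Panel.ini Editor.
    bl=$(ini_get "$ini" extensions blacklist)
    for ext in ssh-terminal panel-ini-editor; do
        if in_list "$bl" "$ext"; then echo "$ext=blacklisted"; else echo "$ext=installable"; fi
    done
}

# Constructed sample tree: one lock file only, blacklist without ssh-terminal.
make_sample() {
    mkdir -p "$1/var" "$1/admin/conf"
    : > "$1/var/root.crontab.lock"
    printf '%s\n' '; constructed sample' '[ext-ssh-terminal]' 'rootAccessAllowed = false' \
        '[extensions]' 'blacklist = panel-ini-editor' > "$1/admin/conf/panel.ini"
}

sample=$(mktemp -d) && make_sample "$sample" && audit_root_access "$sample"
rm -rf "$sample"
```

On a real server, call `audit_root_access /usr/local/psa` (RPM-based) or `audit_root_access /opt/psa` (Debian-based). A result of `lock_files=partial` means only one of the two lock-file steps has been completed.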
Comments
This is for Linux only, correct?
Are you sure that's the correct extension name for 'SSH Terminal'?
Sounds like normal users are currently able to have something run as root. Do you mean admins?
Grant root access by default, rather than having to choose to enable it, that makes sense...
How to disable this extension only for additional admin users?
Hello,
Panos Diotis yes, Linux only.
Damien Ransome thank you, fixed.
Lars Doe rephrased, thank you.
David Hubbard I'll pass the feedback. For now, in case different behavior is required, use the instructions above.
Kelvin Oliveira currently, these are the only options available. Feel free to suggest new functionality here.
Ivan Postnikov as already asked by someone else: is this the right configuration to blacklist the SSH terminal extension?
[extensions]
blacklist = panel-ini-editor
We do NOT want Plesk to install this extension on any of our servers full stop. Thanks.
Hello @burnleyvic
Thank you for bringing our attention to this confusing point in the article.
Article edited to avoid misunderstanding.
We are disabling the ext-panel-editor extension to restrict the Plesk administrator's ability to edit panel.ini from the Plesk GUI and dismiss the restrictions.
If you want to restrict SSH Terminal extension installation the following option should be added to panel.ini file:
[extensions]
blacklist = ssh-terminal
If you additionally want to restrict the Plesk administrator's ability to edit the panel.ini file from the Plesk GUI, it is required to also restrict the panel-editor extension:
[extensions]
blacklist = ssh-terminal, panel-ini-editor
Just to make it totally clear: with this Plesk extension, can I use this extension with SSH root disabled for accessing with an SSH client such as PuTTY?
Hello @Eomatica,
All actions provided in the article do not affect connections to the server via regular SSH clients such as PuTTY.
I have 2 servers, same changes done on both. On one the `plesk-ssh-terminal` is disabled, on the other one not.
Any suggestions?
It should be mentioned that the "Extension needs to be uninstalled/removed first" so that the upper setting works properly.
Otherwise it's just hidden in the interface and it's still running in the backend. Tricky...
Hello @Andy B
As far as I know, the extension can be installed but can not be accessed after adding
[extensions]
blacklist = ssh-terminal, panel-ini-editor
If you know the path to use it despite the fact that it is disabled I will appreciate it if you will report this to security@plesk.com
@... yes, with the upper settings it cannot be accessed anymore; this is true. BUT it is still running in the background.
I was looking at a way to disable it completely (see here: https://talk.plesk.com/threads/why-is-plesk-ssh-terminal-running.362228/#post-898428). So the upper steps disable the "interface", but not the service itself.