HOW-TO: SFTP on Plesk 7.5 Reloaded for Linux
As I’m transitioning from the current Ensim 3.1 server to a new server running Red Hat Enterprise Linux 3ES with Plesk 7.5 Reloaded, one very major issue came up. I refuse to use plain FTP for file transfers, always using SFTP, yet it wasn’t working on the new server. Not cool. Turns out you need SSH enabled on the account thereby granting the user shell access. Now I need multiple SFTP accounts, but I have no desire for them all to have shell access as well. After a bit of research I came across scponly which acts like a shell, yet restricts the user to using it only for SFTP/SCP, no command prompt at all. Plesk conveniently has a selection box for you to choose a shell when granting SSH access to user accounts, so after getting scponly installed, it’s now a piece of cake to grant SFTP/SCP access without giving shell accounts. Instructions after the jump for anyone looking to do the same.
change to superuser
To get things running you’ll need to switch to your superuser account.
su -
download and install scponly
(check for latest version numbers / filename)
wget http://www.sublimation.org/scponly/scponly-4.1.tgz
tar zxf scponly-4.1.tgz
cd scponly-4.1/
./configure
make
make install
add scponly to your shell list
First open your shell list for editing.
pico /etc/shells
Now add the following line to the end of the file.
/usr/local/bin/scponly
That’s it, now you can grant users SSH access and assign them scponly as their shell. If you prefer to assign the shell via the command line, the command below should do the trick.
/usr/sbin/usermod -s /usr/local/bin/scponly {username}
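To confirm the result of the steps above, here is an added example that is not part of the original post: it checks that scponly is registered in the shells file and lists which accounts are restricted to it and which still get a command prompt. The function names are hypothetical and the passwd and shells data are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): audit shell assignments.
SCPONLY=/usr/local/bin/scponly   # install path used in the post

# Exit 0 if scponly is listed in the given shells file ($1).
shell_is_registered() {
    grep -Fqx -- "$SCPONLY" "$1"
}

# Print login names in PASSWD_FILE ($1) whose shell is scponly.
scponly_users() {
    awk -F: -v s="$SCPONLY" '$7 == s { print $1 }' "$1"
}

# Print login names in PASSWD_FILE ($1) whose shell is listed in
# SHELLS_FILE ($2) and is neither scponly nor a nologin/false stub,
# i.e. accounts that still get a command prompt over SSH.
interactive_users() {
    awk -F: -v s="$SCPONLY" '
        FILENAME == ARGV[1] { if ($0 != "" && $0 !~ /^#/) ok[$0] = 1; next }
        ($7 in ok) && $7 != s && $7 !~ /\/(nologin|false)$/ { print $1 }
    ' "$2" "$1"
}

# Constructed sample data so the example runs offline; on a real server
# pass /etc/passwd and /etc/shells to the functions instead.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/shells" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
/usr/local/bin/scponly
EOF
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
siteone:x:10001:2524::/home/siteone:/usr/local/bin/scponly
sitetwo:x:10002:2524::/home/sitetwo:/bin/bash
EOF

shell_is_registered "$demo/shells" || echo "scponly missing from shells file"
echo "SFTP/SCP only: $(scponly_users "$demo/passwd" | tr '\n' ' ')"
echo "Still interactive: $(interactive_users "$demo/passwd" "$demo/shells" | tr '\n' ' ')"
```

Any site account that shows up under "Still interactive" was granted SSH with a full shell and needs the usermod command above.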
May 4th, 2005 at 10:49 pm
It would appear the accounts are not properly jailed by default, and the users are able to browse up a level and see what other domains are configured on your server. Fortunately they aren’t able to gain access to the other sites’ data directories, but I definitely need to fix this issue.
May 15th, 2005 at 1:27 pm
[…] If you haven’t already installed scp-only, check out my other post on the subject: HOW-TO: SFTP on Plesk 7.5 Reloaded for Linux.
June 29th, 2005 at 7:01 pm
What do you mean by “pico /usr/libexec/openssh/sftp-server”? sftp-server is a binary executable file.
June 29th, 2005 at 10:48 pm
Guess I should have proofread that better, thanks for pointing that out. You are correct, sftp-server is a binary file, it’s the actual shell you want to use. The original post has been corrected.
July 2nd, 2005 at 2:29 pm
I’m not sure what I was doing back in May, /usr/local/bin/scponly is the shell you really want to be using. My original posting said /usr/libexec/openssh/sftp-server which actually worked and probably didn’t need scponly compiled or installed, scponly should be more secure. The non-jailed issue remains, I should have compiled scponly with the chroot features enabled, I’ll probably run through that and make another post later about that.