:: TheOneAndTheOnly.com – Andrew Buckman ::

HOW-TO: SFTP on Plesk 7.5 Reloaded for Linux

Blogged in Plesk by Andrew · Tuesday May 3, 2005

As I’m transitioning from the current Ensim 3.1 server to a new server running Red Hat Enterprise Linux 3ES with Plesk 7.5 Reloaded, one very major issue came up. I refuse to use plain FTP for file transfers, always using SFTP, yet it wasn’t working on the new server. Not cool. Turns out you need SSH enabled on the account thereby granting the user shell access. Now I need multiple SFTP accounts, but I have no desire for them all to have shell access as well. After a bit of research I came across scponly which acts like a shell, yet restricts the user to using it only for SFTP/SCP, no command prompt at all. Plesk conveniently has a selection box for you to choose a shell when granting SSH access to user accounts, so after getting scponly installed, it’s now a piece of cake to grant SFTP/SCP access without giving shell accounts. Instructions after the jump for anyone looking to do the same.

change to superuser
To get things running you’ll need to switch to your superuser account.
su -

download and install scponly
(check for latest version numbers / filename)
wget http://www.sublimation.org/scponly/scponly-4.1.tgz
tar zxf scponly-4.1.tgz
cd scponly-4.1/
./configure
make
make install

add scponly to your shell list
First open your shell list for editing.
pico /etc/shells
Now add the following line to the end of the file.
/usr/local/bin/scponly

That’s it, now you can grant users SSH access and assign them /usr/local/bin/scponly as their shell. If you prefer to assign the shell via the command line, the command below should do the trick.
/usr/sbin/usermod -s /usr/local/bin/scponly {username}
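Because every scponly account still counts as an SSH login, it is worth auditing which accounts really have an interactive shell and whether scponly is registered in /etc/shells at all (sshd and usermod only honour listed shells). The script below is an added example, not part of the original post: the audit function takes the passwd and shells files as parameters and runs here against constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): classify accounts by login shell
# and confirm scponly is listed in the shells file. File paths are parameters
# so the check can be pointed at /etc/passwd and /etc/shells or at test copies.

SCPONLY_SHELL="/usr/local/bin/scponly"

# Usage: audit_shells PASSWD_FILE SHELLS_FILE
# Prints one line per account with uid >= 500 (site users, not system accounts):
#   "<user> sftp-only"   login shell is scponly
#   "<user> interactive" any other shell that is listed in SHELLS_FILE
#   "<user> nologin"     shell not listed in SHELLS_FILE (e.g. /sbin/nologin)
# Returns 1 if scponly itself is missing from SHELLS_FILE, otherwise 0.
audit_shells() {
    passwd_file=$1
    shells_file=$2
    rc=0
    if ! grep -qxF "$SCPONLY_SHELL" "$shells_file"; then
        echo "WARNING: $SCPONLY_SHELL not listed in $shells_file" >&2
        rc=1
    fi
    # passwd fields: name:password:uid:gid:gecos:home:shell
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$uid" -ge 500 ] || continue
        if [ "$shell" = "$SCPONLY_SHELL" ]; then
            echo "$user sftp-only"
        elif grep -qxF "$shell" "$shells_file"; then
            echo "$user interactive"
        else
            echo "$user nologin"
        fi
    done < "$passwd_file"
    return $rc
}

# Constructed sample data (hypothetical users and paths, not a real server)
# written to a temporary directory so the audit runs offline.
make_sample() {
    dir=$(mktemp -d)
    printf '%s\n' "root:x:0:0:root:/root:/bin/bash" \
        "site1:x:10001:2524:site1:/var/www/vhosts/example.com:$SCPONLY_SHELL" \
        "site2:x:10002:2524:site2:/var/www/vhosts/example.org:/bin/sh" \
        "ftpuser:x:10003:2524::/var/www/vhosts/example.net:/sbin/nologin" \
        > "$dir/passwd"
    printf '%s\n' /bin/sh /bin/bash "$SCPONLY_SHELL" > "$dir/shells"
    echo "$dir"
}
```

Run it against the live files with `audit_shells /etc/passwd /etc/shells` after any change made through the Plesk panel, since the panel can silently reset a user's shell.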

14 Responses to “HOW-TO: SFTP on Plesk 7.5 Reloaded for Linux”

  1. Andrew says:

    It would appear the accounts are not properly jailed by default, and the users are able to browse up a level and see what other domains are configured on your server. Fortunately they aren’t able to gain access to the other sites data directories, but I definitely need to fix this issue.

  2. [...] If you haven’t already installed scp-only, check out my other post on the subject: HOW-TO: SFTP on Plesk 7.5 Reloaded for Linux.


  3. Daniel Drucker says:

    What do you mean by “pico /usr/libexec/openssh/sftp-server”? sftp-server is a binary executable file.

  4. Andrew says:

    Guess I should have proofread that better, thanks for pointing that out. You are correct, sftp-server is a binary file, it’s the actual shell you want to use. The original post has been corrected.

  5. Andrew says:

    I’m not sure what I was doing back in May, /usr/local/bin/scponly is the shell you really want to be using. My original posting said /usr/libexec/openssh/sftp-server which actually worked and probably didn’t need scponly compiled or installed, scponly should be more secure. The non-jailed issue remains, I should have compiled scponly with the chroot features enabled, I’ll probably run through that and make another post later about that.

  6. Allen says:

    This is a cool trick but I can’t use it without the accounts being properly jailed. Looking forward to any update you may have a chance to give, to complete this!

    Thanks in advance

  7. [...] I’ve been using standard FTP for a while now, but recently I learned about the merit of using secure FTP or SFTP. When transferring files using standard FTP, the data (including login information) gets transmitted in plain text, so someone can conceivably intercept it and read it. If you use SFTP, the data gets encrypted so even if it’s intercepted when you’re sending it to your server, it won’t be readable. Getting started with this is pretty easy. When you’re logged into Plesk, navigate to the domain administration for the domain you’d like to do this for (this should really be done for every domain you use). Then go to ‘Setup.’ Under Preferences, you will see a dropdown menu for Shell access. For this, I just selected /bin/sh. Click OK and you’re done on the server end. Next, for whatever FTP client you use, for servertype, select SFTP. Your FTP client should now be able to connect to the server as SFTP and transmit data securely. There is also a way to setup SFTP without giving away Shell access. Read about it at TheOneAndTheOnly.com. [...]

  8. Tom Coady says:

    This works perfectly if the plan is to lock yourself out: after trying the above all I get is WinSCP: this is end-of-file:0 when I try ssh to my account :(

    • Andrew says:

      That is the plan Tom. The idea is to use it for accounts that you want to allow SFTP access for without allowing shell access. If you want shell access on the account you can pick any of the default drop-downs based on the shell you want to enable.

  9. Krishnan Nandabalan says:

    Hi,

    I have set up a domain in plesk and no problem getting access to the main directory by SFTP or FTP. But I cannot seem to get access to directories in subdomains or as a Webuser by SFTP (it works in FTP). The version of Plesk I am using is 8.2.0 (hosted by Network Solutions). I need to be able to give protected BUT limited access to certain directories to certain users. Any help in solving this is greatly appreciated.

    Thanks!

    • Andrew says:

      I’m afraid Plesk doesn’t support what you’re trying to do through the control panel at all. They only let you grant access to a shell for the main user of the site. You’d need to grant the proper access per account manually yourself, and you’re really going to want something that is chrooted if you go this route. You could easily grant a lot more access than you intend, so tread carefully. Also be warned that changes like that could very well get overwritten by Plesk when you make other changes in the control panel.

      • Sthn says:

        I'm having the same problem, how would I "grant the proper access per account manually yourself" in plesk 8.2.0 hosted by network solutions? Could you explain it for me?

        Thank you.

        • Follow all the steps above to get scponly installed (note I'm sure the version has changed since I wrote that). The very last line in my instructions tells you how to manually assign the scponly shell to a user. There is no GUI for assigning a shell to a subdomain or web user, thus you will have to do it manually using that command line.

          If you ever edit that user in the control panel (even a password change), there's a good chance that Plesk will change the shell on you and you'll have to re-assign the scponly shell using that command.

          Please note I haven't tried this myself, so be sure to verify it's working as you intend.

  10. Troy says:

    Anyone get this working with scponlyc? I'm getting permissions denied on /usr/libexec/openssh/sftp-server binary. I've copied it into the jailed chroot /usr dir as well. scponly log level 2

    Jun 1 17:24:13 mirage sshd[11075]: Accepted password for totustesting from <IP> port 56765 ssh2
    Jun 1 17:24:13 mirage sshd[11075]: pam_unix(sshd:session): session opened for user totustesting by (uid=0)
    Jun 1 17:24:13 mirage sshd[11077]: subsystem request for sftp
    Jun 1 17:24:13 mirage scponly[11078]: chrooted binary in place, will chroot()
    Jun 1 17:24:13 mirage scponly[11078]: 3 arguments in total.
    Jun 1 17:24:13 mirage scponly[11078]: arg 0 is scponlyc
    Jun 1 17:24:13 mirage scponly[11078]: arg 1 is -c
    Jun 1 17:24:13 mirage scponly[11078]: arg 2 is /usr/libexec/openssh/sftp-server
    Jun 1 17:24:13 mirage scponly[11078]: opened log at LOG_AUTHPRIV, opts 0x00000029
    Jun 1 17:24:13 mirage scponly[11078]: determined USER is "totustesting" from environment
    Jun 1 17:24:13 mirage scponly[11078]: retrieved home directory of "/var/www/vhosts/<domain>.com/web_users/totustesting" for user "totustesting"
    Jun 1 17:24:13 mirage scponly[11078]: chrooting to dir: "/var/www/vhosts/<domain>.com/web_users/totustesting"
    Jun 1 17:24:13 mirage scponly[11078]: chdiring to dir: "/"
    Jun 1 22:24:13 mirage scponly[11078]: setting uid to 10023
    Jun 1 22:24:13 mirage scponly[11078]: processing request: "/usr/libexec/openssh/sftp-server"
    Jun 1 22:24:13 mirage scponly[11078]: Using getopt processing for cmd /usr/libexec/openssh/sftp-server (username: totustesting(10023), IP/port: <IP> 56765 22)
    Jun 1 22:24:13 mirage scponly[11078]: running: /usr/libexec/openssh/sftp-server (username: totustesting(10023), IP/port: <IP> 56765 22)
    Jun 1 22:24:13 mirage scponly[11078]: about to exec "/usr/libexec/openssh/sftp-server" (username: totustesting(10023), IP/port: <IP> 56765 22)
    Jun 1 22:24:13 mirage scponly[11078]: failed: /usr/libexec/openssh/sftp-server with error Permission denied(13) (username: totustesting(10023), IP/port: <IP> 56765 22)
    Jun 1 17:24:14 mirage sshd[11077]: Received disconnect from <IP>: 11: disconnected by user
    Jun 1 17:24:14 mirage sshd[11075]: pam_unix(sshd:session): session closed for user totustesting

©2010 Andrew Buckman