:: TheOneAndTheOnly.com - Andrew Buckman ::

HOW-TO: SFTP on Plesk 7.5 Reloaded for Linux

Blogged in Plesk by Andrew · Tuesday May 3, 2005

As I’m transitioning from the current Ensim 3.1 server to a new server running Red Hat Enterprise Linux 3ES with Plesk 7.5 Reloaded, one very major issue came up. I refuse to use plain FTP for file transfers, always using SFTP, yet it wasn’t working on the new server. Not cool. Turns out you need SSH enabled on the account, thereby granting the user shell access. Now I need multiple SFTP accounts, but I have no desire for them all to have shell access as well. After a bit of research I came across scponly, which acts like a shell yet restricts the user to using it only for SFTP/SCP, no command prompt at all. Plesk conveniently has a selection box for you to choose a shell when granting SSH access to user accounts, so after getting scponly installed, it’s now a piece of cake to grant SFTP/SCP access without giving shell accounts. Instructions after the jump for anyone looking to do the same.

change to superuser
To get things running you’ll need to switch to your superuser account.
su -

download and install scponly
(check for latest version numbers / filename)
wget http://www.sublimation.org/scponly/scponly-4.1.tgz
tar zxf scponly-4.1.tgz
cd scponly-4.1/
./configure
make
make install

add scponly to your shell list
First open your shell list for editing.
pico /etc/shells
Now add the following line to the end of the file.
/usr/local/bin/scponly

That’s it, now you can grant users SSH access and assign them scponly as their shell. If you prefer to assign the shell via the command line, the command below should do the trick.
/usr/sbin/usermod -s /usr/local/bin/scponly {username}
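
To check the result of the steps above, the following added example (not part of the original post) classifies accounts by login shell, reading passwd- and shells-format files. The sample accounts, the UID floor of 500 and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit which accounts got scponly.
RESTRICTED=/usr/local/bin/scponly   # install path used on this page
MIN_UID=500                         # assumption: regular accounts start here

# classify_users PASSWD_FILE SHELLS_FILE -> prints "user:status" per account
#   sftp-only   shell is scponly and scponly is in the shells file
#   unlisted    shell is scponly but the shells file lacks it
#   full-shell  any other listed shell, or an empty field (defaults to /bin/sh)
#   no-login    nologin/false, or a shell missing from the shells file
classify_users() {
    awk -F: -v r="$RESTRICTED" -v min="$MIN_UID" '
        FILENAME == ARGV[1] { if ($0 != "" && $0 !~ /^#/) ok[$0] = 1; next }
        $3 + 0 >= min + 0 {
            sh = $7
            if (sh == r)                        st = (r in ok) ? "sftp-only" : "unlisted"
            else if (sh ~ /\/(nologin|false)$/) st = "no-login"
            else if (sh == "" || (sh in ok))    st = "full-shell"
            else                                st = "no-login"
            print $1 ":" st
        }' "$2" "$1"
}

# make_sample DIR: write constructed sample files (not real accounts) into DIR
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:10001:10001:constructed:/home/alice:/usr/local/bin/scponly
bob:x:10002:10002:constructed:/home/bob:/bin/bash
carol:x:10003:10003:constructed:/home/carol:/bin/false
EOF
    printf '%s\n' /bin/sh /bin/bash "$RESTRICTED" > "$1/shells"
}

# Run against the constructed sample so the script works offline.
tmp=$(mktemp -d) && make_sample "$tmp" && classify_users "$tmp/passwd" "$tmp/shells"
rm -rf "$tmp"
```

On a live server, call classify_users /etc/passwd /etc/shells instead; any full-shell line for an account meant to be SFTP-only still has a command prompt.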

7 Responses to “HOW-TO: SFTP on Plesk 7.5 Reloaded for Linux”

  1. Andrew Says:

    It would appear the accounts are not properly jailed by default, and the users are able to browse up a level and see what other domains are configured on your server. Fortunately they aren’t able to gain access to the other sites’ data directories, but I definitely need to fix this issue.

  2. TheOneAndTheOnly.com » SFTP for Web Users on Plesk 7.5 Says:

    [...] If you haven’t already installed scp-only, check out my other post on the subject: HOW-TO: SFTP on Plesk 7.5 Reloaded for Linux.

    [...]

  3. Daniel Drucker Says:

    What do you mean by “pico /usr/libexec/openssh/sftp-server”? sftp-server is a binary executable file.

  4. Andrew Says:

    Guess I should have proofread that better, thanks for pointing that out. You are correct, sftp-server is a binary file, it’s the actual shell you want to use. The original post has been corrected.

  5. Andrew Says:

    I’m not sure what I was doing back in May; /usr/local/bin/scponly is the shell you really want to be using. My original posting said /usr/libexec/openssh/sftp-server, which actually worked and probably didn’t need scponly compiled or installed; scponly should be more secure. The non-jailed issue remains; I should have compiled scponly with the chroot features enabled. I’ll probably run through that and make another post later about that.

  6. Allen Says:

    This is a cool trick but I can’t use it without the accounts being properly jailed. Looking forward to any update you may have a chance to give, to complete this!

    Thanks in advance

  7. » Tutorial: Managing a Godaddy virtual dedicated server (VDS) - Shig Odani Online Marketing Blog Says:

    [...] I’ve been using standard FTP for a while now, but recently I learned about the merit of using secure FTP or SFTP. When transferring files using standard FTP, the data (including login information) gets transmitted in plain text, so someone can conceivably intercept it and read it. If you use SFTP, the data gets encrypted so even if it’s intercepted when you’re sending it to your server, it won’t be readable. Getting started with this is pretty easy. When you’re logged into Plesk, navigate to the domain administration for the domain you’d like to do this for (this should really be done for every domain you use). Then go to ‘Setup.’ Under Preferences, you will see a dropdown menu for Shell access. For this, I just selected /bin/sh. Click OK and you’re done on the server end. Next, for whatever FTP client you use, for servertype, select SFTP. Your FTP client should now be able to connect to the server as SFTP and transmit data securely. There is also a way to set up SFTP without giving away Shell access. Read about it at TheOneAndTheOnly.com. [...]
