Plesk: Enable SFTP access for additional FTP users

By default only the main system user of a domain can SFTP into it. Plesk does allow you to add FTP users, but for some reason not with access over encrypted SSH. That makes the whole feature broken given today’s security standards, which no longer allow plain FTP access. In fact, FTP port 21 should be closed in the firewall! This guide helps you set up the new user properly for secure access over SFTP.

How to fix

To allow an additional FTP user to access the site over SFTP, you need to define what they can do manually, directly on the server.

  1. Create an additional FTP user in Plesk > Domains > domain.tld > FTP Access.
  2. Set the user’s Home directory to: / (with a subpath the chroot won’t work).
  3. Open an SSH session to your server.
  4. Run sudo nano /etc/passwd
  5. Find the line that starts with the username you wish to change. It is most likely at the bottom.

The line is formatted like this; the parts that matter are explained below:

username:x:10016:1003::/var/www/vhosts/domain.tld:/bin/false
  • username – the name of the FTP user
  • 10016 – the system user ID (UID)
  • 1003 – the system group ID (GID)
  • /var/www/vhosts/domain.tld – the path assigned to the FTP user, leave it like that
  • /bin/false – the problem: this shell blocks the login

Carefully change it so that SSH starts a chroot (jail) for the user:

username:x:10016:1003::/var/www/vhosts/domain.tld:/usr/local/psa/bin/chrootsh

Save the file (Ctrl+X, then hit y and Enter to confirm). Now open the domain’s own /etc/passwd file, which is read when the chroot session is started:

nano /var/www/vhosts/domain.tld/etc/passwd

At the bottom add a line like this:

username:x:10016:1003::/:/bin/bash
  • username – the FTP user
  • 10016 – the user ID (UID) from earlier
  • 1003 – the group ID (GID) from earlier
  • / – the home path of the user, relative to the domain path
  • /bin/bash – the normal Bash shell

And done! Login via SFTP should now work, but remember that you need to repeat this for each additional FTP user.
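Since the two edits above have to be repeated for every additional FTP user, here is an added example script (not Plesk’s own tooling) that performs them for one user and refuses to continue when the home directory has a subpath, since the chroot will not work then. It assumes the chrootsh path from this page; the system passwd file and vhost root are parameters so it can be exercised against a constructed copy of the files instead of the live /etc/passwd.

```shell
#!/bin/sh
# Added example, not Plesk's own tooling: performs the two passwd edits from the
# guide for one FTP user. The chroot shell path is the one from the page; file
# paths are parameters so the functions can run against a constructed copy of
# the files rather than the live /etc/passwd.
CHROOTSH=/usr/local/psa/bin/chrootsh

# Print the single passwd entry for user $1 in file $2; fail if none or several.
passwd_entry() {
    n=$(grep -c "^$1:" "$2" 2>/dev/null || true)
    [ "${n:-0}" -eq 1 ] || { echo "expected one entry for $1 in $2, found ${n:-0}" >&2; return 1; }
    grep "^$1:" "$2"
}

# Step 1 from the guide: make user $1 in system passwd file $2 log in through
# chrootsh. Stops when the home is not exactly the vhost root $3, because with
# a subpath the chroot will not work. Idempotent.
set_chroot_shell() {
    user=$1; sys_passwd=$2; vhost=$3
    entry=$(passwd_entry "$user" "$sys_passwd") || return 1
    home=$(printf '%s' "$entry" | cut -d: -f6)
    [ "$home" = "$vhost" ] || { echo "home of $user is $home, not $vhost" >&2; return 1; }
    [ "$(printf '%s' "$entry" | cut -d: -f7)" = "$CHROOTSH" ] && return 0
    tmp=$(mktemp) || return 1
    # Rewrite only field 7 of the matching line; cat back instead of mv so the
    # original file keeps its owner and mode.
    awk -F: -v OFS=: -v u="$user" -v sh="$CHROOTSH" '$1 == u { $7 = sh } { print }' \
        "$sys_passwd" > "$tmp" && cat "$tmp" > "$sys_passwd"
    rc=$?; rm -f "$tmp"; return $rc
}

# Step 2 from the guide: add user $1 to the chroot's own etc/passwd under vhost
# root $3, with UID/GID copied from system passwd file $2, home / and /bin/bash.
# Skips users that are already present.
add_chroot_entry() {
    user=$1; sys_passwd=$2; vhost=$3
    chroot_passwd=$vhost/etc/passwd
    [ -f "$chroot_passwd" ] || { echo "$chroot_passwd missing: chroot not set up" >&2; return 1; }
    grep -q "^$user:" "$chroot_passwd" && return 0
    entry=$(passwd_entry "$user" "$sys_passwd") || return 1
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    printf '%s:x:%s:%s::/:/bin/bash\n' "$user" "$uid" "$gid" >> "$chroot_passwd"
}

# Both steps for one user, e.g.:
#   enable_sftp_user ftpuser /etc/passwd /var/www/vhosts/domain.tld
enable_sftp_user() {
    set_chroot_shell "$1" "$2" "$3" && add_chroot_entry "$1" "$2" "$3"
}
```

On the live server run it as root; note that the write to /etc/passwd takes no lock, so do not run it while other account changes (useradd, vipw) are in progress.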

Troubleshooting

To debug login issues, closely follow the secure and messages log files while logging in. Hit Ctrl+C right after the (failed) login attempt to stop the log stream.

tail -Fn 0 /var/log/secure /var/log/messages
