By default, only the main user of a domain can SFTP into that domain. Plesk does allow you to add FTP users, but for some reason not for access over encrypted SSH. That makes the whole feature broken given today’s security standards, which don’t allow plain FTP access anymore. In fact, FTP port 21 should be closed in the firewall! This guide helps you properly set up the new user for secure access over SFTP.
How to fix
To allow an additional FTP user to access the site you need to manually define what they can do directly on the server.
- Create an additional FTP user in Plesk > Domains > domain.tld > FTP Access.
- Set the user’s Home directory to: / (with a subpath the chroot won’t work).
- Open an SSH session to your server.
sudo nano /etc/passwd
- Find the line that starts with the username you wish to change. It is most likely at the bottom.
The line is formatted like this, notice the bold parts:
username – the name of the FTP user
10016 – the system user ID (UID)
1003 – the system group ID (GID)
/var/www/vhosts/domain.tld – the path assigned to the FTP user, leave it like that
/bin/false – the problem, login is blocked
Carefully change it to tell SSH that a chroot (jail) should be started for the user:
Save the file (ctrl x and then hit enter to confirm). Now open the domain’s /etc/passwd file that is read when the chroot session is started:
At the bottom add a line like this:
username – the FTP user
10016 – the user ID (UID) from earlier
1003 – the group ID (GID) from earlier
/ – the home path of the user, relative to the domain path
/bin/bash – the normal Bash shell
And done! Login using SFTP should now be working, but remember you need to do this for each new additional FTP user.
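Because both files are edited by hand for every user, a quick cross-check catches typos before the first login attempt. The script below is an added example, not part of the original guide: it compares one user's line in the system passwd file with the line in the domain's chroot passwd file, both passed as paths. The function names are made up here and /path/to/chroot-shell is a placeholder for the shell set in the system file.

```shell
#!/bin/sh
# Added example: cross-check the two passwd entries for one SFTP user.
# passwd fields: name:password:UID:GID:GECOS:home:shell
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }
fail() { echo "FAIL: $1"; rc=1; }

# check_sftp_user USER SYSTEM_PASSWD CHROOT_PASSWD
# Prints one line per problem; returns 0 only when both entries agree.
check_sftp_user() {
    user=$1; rc=0
    for f in "$2" "$3"; do
        n=$(awk -F: -v u="$user" '$1 == u { c++ } END { print c + 0 }' "$f")
        [ "$n" -eq 1 ] || { fail "$f has $n entries for $user, expected 1"; return 1; }
    done
    sys=$(awk -F: -v u="$user" '$1 == u' "$2")
    jail=$(awk -F: -v u="$user" '$1 == u' "$3")
    for line in "$sys" "$jail"; do
        nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
        [ "$nf" -eq 7 ] || fail "expected 7 fields, got $nf: $line"
    done
    # The chroot entry must reuse the UID and GID of the system entry.
    [ "$(field "$sys" 3)" = "$(field "$jail" 3)" ] || fail "UID differs between files"
    [ "$(field "$sys" 4)" = "$(field "$jail" 4)" ] || fail "GID differs between files"
    # A slip while editing that leaves UID 0 would make the FTP user root.
    [ "$(field "$sys" 3)" != 0 ] || fail "UID is 0"
    # /bin/false in the system file means login is still blocked.
    [ "$(field "$sys" 7)" != /bin/false ] || fail "system shell is still /bin/false"
    # Inside the chroot: home is / and the shell is /bin/bash.
    [ "$(field "$jail" 6)" = / ] || fail "chroot home is not /"
    [ "$(field "$jail" 7)" = /bin/bash ] || fail "chroot shell is not /bin/bash"
    [ "$rc" -eq 0 ] && echo "OK: $user"
    return "$rc"
}

# Demo on constructed files. /path/to/chroot-shell is a placeholder for the
# shell set in the system file; the chroot GID is mistyped on purpose.
demo() {
    d=$(mktemp -d)
    echo 'username:x:10016:1003::/var/www/vhosts/domain.tld:/path/to/chroot-shell' > "$d/sys"
    echo 'username:x:10016:1030::/:/bin/bash' > "$d/jail"
    if check_sftp_user username "$d/sys" "$d/jail"; then status=0; else status=1; fi
    rm -rf "$d"
    return "$status"
}

# With three arguments check real files, otherwise run the demo.
if [ "$#" -eq 3 ]; then check_sftp_user "$@"; else demo || true; fi
```

Run it with the username, the system passwd file and the domain's passwd file as arguments; without arguments it runs the constructed demo and reports the GID mismatch.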
To debug login issues, closely follow the secure and messages log files while doing the login. Hit ctrl c right after the (failed) login to end the log stream.
tail -Fn 0 /var/log/secure /var/log/messages