
Resolved What steps need to be taken to enable SSH root access through the SSH terminal extension?

Bitpalast

Plesk addicted!
Plesk Guru
In the Plesk Facebook group I saw a post that a user cannot access SSH through the SSH terminal extension for root. We are experiencing the same on all servers although there are no entries in the Plesk configuration file(s) that SSH access for root shall be blocked.




What steps need to be taken to enable SSH root access through the SSH terminal extension?
 
This does not work. It may be the general Plesk setting to enable access for Plesk, but the SSH terminal still gives a "Permission denied". There seems to be an additional setting somewhere, maybe in the SSH service configuration, to allow a local client to connect?
 


Root access for Admin is enabled by default.

So restarting Plesk after changes should do the trick ;)
service sw-engine restart && service sw-cp-server restart
 
After more tests I found that the reason for the behavior is quite simple: By default we have disabled root login to SSH. This also applies to the Plesk SSH terminal service. In /etc/ssh/sshd_config:
Code:
PermitRootLogin no

Now, we do not want to enable general root login just because - as admin - we want to use the SSH terminal login to the root level from within Plesk. So in /etc/ssh/sshd_config we leave the "PermitRootLogin no" untouched, but add these lines to the end of the file to only allow root logins from localhost, but not from foreign IP addresses:
Code:
Match Address 127.0.0.1
PermitRootLogin yes
This creates an exception if the request comes from localhost. So we still have the extra security against external brute force attacks while we enjoy the comfort of the SSH terminal extension to login from the local machine.

Tested and works. However: The downside is that with this setting, each user (customer) on the system could try to brute-force against port 22 from localhost now to login with the "root" user name. So after all we have decided to remove the exception again and not to use the SSH terminal functionality from within the Plesk admin GUI. There is no safe setting to allow the admin to login with root but to keep other local users from trying to brute-force against port 22 with a script on the local machine.
 
That's interesting. Perhaps it would be possible to have SSH run on two different ports and use something like:
Code:
Match Address 127.0.0.1 LocalPort 1234
PermitRootLogin yes

That would tighten security a bit more. Although it is only security by obscurity and any local user can easily do a port scan for the second SSH port.

Also, this is just an idea from the top of my head, I have not tested this so this might not even work.
 
I had something similar on CentOS.

Turned out I also needed to add root to AllowUsers, otherwise ssh would terminate every session when trying to log in as root for Plesk server migration.
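
Added example, not part of any post in this thread: a small Python audit that works out which PermitRootLogin value applies to a given client address and local port, combining the global setting, the Match exceptions and the AllowUsers line discussed above. It models only the Address and LocalPort criteria and the user part of AllowUsers patterns; the sample config is constructed, and the fallback of prohibit-password is assumed from OpenSSH's documented default.

```python
import ipaddress

# Constructed sample: the thread's global setting, the port-scoped localhost
# exception from the later reply, and an AllowUsers line that includes root.
SAMPLE = """\
PermitRootLogin no
AllowUsers admin root
Match Address 127.0.0.1 LocalPort 1234
    PermitRootLogin yes
"""

def parse(text):
    """Split a config into global options and a list of (criteria, options)."""
    glob, blocks, cur = {}, [], None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key, args = words[0].lower(), words[1:]
        if key == "match":  # criteria are name/value pairs
            crit = {args[i].lower(): args[i + 1] for i in range(0, len(args) - 1, 2)}
            cur = {}
            blocks.append((crit, cur))
        else:  # the first value seen for a keyword is the one kept
            (glob if cur is None else cur).setdefault(key, args)
    return glob, blocks

def block_matches(crit, addr, lport):
    """Only Address (plain IPs or CIDR) and LocalPort are modelled here."""
    for name, value in crit.items():
        if name == "address":
            nets = [ipaddress.ip_network(v, strict=False) for v in value.split(",")]
            if not any(ipaddress.ip_address(addr) in n for n in nets):
                return False
        elif name != "localport" or int(value) != lport:
            return False
    return True

def effective_root_login(text, addr, lport=22):
    """Return the PermitRootLogin value that applies to this connection."""
    glob, blocks = parse(text)
    eff = {}
    for crit, opts in blocks:
        if block_matches(crit, addr, lport):
            for key, val in opts.items():
                eff.setdefault(key, val)  # first matching block wins
    for key, val in glob.items():
        eff.setdefault(key, val)  # Match values override the global section
    allow = eff.get("allowusers")  # simplified: user part of each pattern only
    if allow is not None and not any(p.split("@")[0] in ("root", "*") for p in allow):
        return "no"
    return eff.get("permitrootlogin", ["prohibit-password"])[0]
```

On a live host, `sshd -T -C user=root,host=localhost,addr=127.0.0.1,lport=1234` prints what sshd itself resolves for that connection, which is the authoritative check.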
 