
Issue Additional FTP accounts fatal error over SFTP: Received unexpected end-of-file from SFTP server

j-241534

New Pleskian
Steps taken:

Go to domains -> select my domain (ie. domain.com) -> click FTP access -> click "+ Add an FTP Account". Fill out FTP Account Name, Home Directory, Password/Confirm Password. No other fields are displayed. In my case I need to specify a home directory folder, so I did. The first time, I created the folder first manually and selected it (forget which user/permissions). The second time I just typed a non-existing folder name in and it created it for me.

It creates the user but then I can't connect via filezilla over SFTP, I get:

Error: FATAL ERROR: Received unexpected end-of-file from SFTP server
Error: Could not connect to server

2 questions:

How to fix this, so I can use the newly created account.

Can I make this account work over FTPS (FTP over tls/ssl). It seems there is nothing listening to port 21 on the server.

What I did:

I followed a tutorial which had me edit /etc/passwd, I found the line for the newly created user, I changed /bin/false to /usr/local/psa/bin/chrootsh

Then it wanted me to go to /var/www/vhosts/domain.com/etc, create a passwd file, and add the line: new-user-name:x:10000:1003::/:/bin/bash

/var/www/vhosts/domain.com didn't contain an etc folder, so I created it, with the same primary user that is tied to the domain (who is not the root user).

I also found an /etc directory in /var/www/vhosts/system/domain.com and /var/www/vhosts/chroot, so I added the passwd file in both those places also. But I'm still getting the same error message. I can't remember if I skip the first step (editing /etc/passwd) if that changes the error message or not.

Version information:

Plesk Obsidian Web Host Edition
Version 18.0.40 Update #3
 
That actually did work for me, mostly.

In case the article link gets broken, what I did was, in /etc/ssh/sshd_config, replace the line "Subsystem sftp /usr/libexec/openssh/sftp-server" with "Subsystem sftp internal-sftp" (and then restarted the sshd service).

Now I can connect via SFTP using the new account, and it puts me in the right folder. However, I can also browse folders outside of it, which wasn't intended. Kind of defeats the purpose of specifying the "Home directory" for the user doesn't it? I thought the home directory would limit the user to that directory.

Maybe it has something to do with the changes I made to the other files (linux noob here, it's all just magic to me).

Lastly, for this to be of any use for me right now, I need it to work over FTPS (ie. FTP over tls/ssl). I guess it only supports SFTP out of the box?
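
An added example, not part of the original posts and not Plesk's own code: in stock OpenSSH, confinement to a directory comes from ChrootDirectory, not from the Subsystem line or the account's home directory, and the check below evaluates that for one user. The sample configs and the account name supplier-ftp are constructed, and only "Match User" and "Match all" blocks are evaluated (negated patterns and other criteria are not).

```python
import fnmatch

# Constructed sample: only the Subsystem change described in the post above.
CONFIG_AS_POSTED = """\
# override default of no subsystems
Subsystem sftp internal-sftp
"""

# Constructed sample: same subsystem plus a per-user chroot.
# "supplier-ftp" is a hypothetical account name.
CONFIG_CONFINED = """\
Subsystem sftp internal-sftp
Match User supplier-ftp
    ChrootDirectory /var/www/vhosts/domain.com
    ForceCommand internal-sftp
"""

def effective_settings(config_text, user):
    """Keywords sshd would apply to `user` (Match User / Match all only)."""
    global_opts, match_opts = {}, {}
    target = global_opts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit = value.split()
            kind = crit[0].lower() if crit else ""
            hit = kind == "all" or (kind == "user" and len(crit) == 2 and any(
                fnmatch.fnmatchcase(user, p) for p in crit[1].split(",")))
            target = match_opts if hit else None  # skip non-matching blocks
            continue
        if key == "subsystem" and value:
            name, *rest = value.split(None, 1)
            key, value = "subsystem:" + name.lower(), (rest[0] if rest else "")
        if target is not None:
            target.setdefault(key, value)  # first obtained value wins
    return {**global_opts, **match_opts}   # Match values override globals

def sftp_confinement(config_text, user):
    """Report whether SFTP sessions for `user` are chrooted, with findings."""
    opts = effective_settings(config_text, user)
    chroot = opts.get("chrootdirectory", "none")
    cmd = opts.get("forcecommand") or opts.get("subsystem:sftp", "")
    confined, findings = chroot.lower() != "none", []
    if not confined:
        findings.append("no ChrootDirectory: session sees every path its UNIX permissions allow")
    elif not cmd.startswith("internal-sftp"):
        findings.append("chroot with external sftp-server: binary must exist inside the chroot")
    return {"chroot": chroot if confined else None, "confined": confined, "findings": findings}
```

On a live server, sshd -T -C user=NAME,host=HOST,addr=ADDR prints the effective values sshd itself computes. sshd also refuses a ChrootDirectory whose path components are not root-owned or are writable by group or others.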
 
I reverted the initial things I did (changes to /etc/passwd, /var/www/vhosts/domain.com/etc/passwd, and /var/www/vhosts/system/domain.com/etc/passwd), and restarted sshd service, and no changes. Things still work the same as after doing the /etc/ssh/sshd_config change.
 
@j-241534 FWIW We don't use FTP or FTPS at all. We only use SFTP (for enhanced security) and SFTP access is via Private / Public Key access only. There's no password access at all & no PAM access either. All those changes are made in this file: /etc/ssh/sshd_config plus all of the other related external factors (e.g. Port 22 access only via specified IP addresses etc). The specific line that you mentioned, within that file, we use it, as follows:
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
Domains are restricted via ****/smb/web/edit / Web Hosting Access for **** / Access to the server over SSH with a value of: /bin/bash (chrooted)
All that ^^ provides exactly what you expect and what should be expected: i.e Only the right, secure, access level (folder) with no access above that, only access below that (i.e. chrooted) for both SSH and SFTP (via FileZilla for MacOS on all devices, in our case) on each domain & with no 'Received unexpected end-of-file from SFTP server' errors at all. Unless you must use FTP / FTPS, this kind of setup might be an alternative option for you.
 
In my case a supplier had an application to share files over FTPS but doesn't support SFTP right now. I used another third party service for this previously, but they seem to have just discontinued support for FTPS. Not totally understanding your last paragraph but it doesn't really matter (like where is /smb/web/edit?)
 
In my case a supplier had an application to share files over FTPS but doesn't support SFTP right now. I used another third party service for this previously, but they seem to have just discontinued support for FTPS.
Do you mean, an application that you want to use on your own server, only supports FTPS and not SFTP?
If so and you can't change the application, then that's pretty unfortunate.
Not totally understanding your last paragraph but it doesn't really matter (like where is /smb/web/edit?)
That's the Plesk Panel / GUI URL (but with the Plesk hosting domain name removed), which is easier / shorter to post than all of the equivalent CLI commands.
To get there, when using Plesk Obsidian 18.0.41 | Web Host Edition | Plesk Panel - Power User View:
Select a domain, select 'Hosting & DNS', select 'Web Hosting Access', scroll down to 'System user', select the option under 'Access to the server over SSH'
 
No the application is on a different web server which I have no control over. It then sends files over FTP to many people. Then my application reads those same files over FTP (in my case SFTP). Of course there could be other ways to do things but that's just how the supplier works. They require us to give them credentials to an FTP account that they can connect to.

As for /smb/web/edit, thanks for clarifying. I was thinking it was a filesystem path or something.
 
No the application is on a different web server which I have no control over. It then sends files over FTP to many people. Then my application reads those same files over FTP (in my case SFTP). Of course there could be other ways to do things but that's just how the supplier works. They require us to give them credentials to an FTP account that they can connect to.
Has anybody responded to them with the obvious? e.g. "We only use SFTP / It's been available for use since approx January 2001 / Try a bit harder!" :)
You can still use chrooted FTP via Plesk, which appears to be the quickest solution to the problem for you. Other FTP users may post their answers for that.
 
hello

With the new account, I can now join through SFTP and be sent to the correct folder. I can, however, access directories outside of it, which was not the intention. Doesn't this kind of defeat the purpose of defining the user's "Home directory"? I assumed that the user's home directory would confine them to that location.
 
With the new account, I can now join through SFTP and be sent to the correct folder. I can, however, access directories outside of it, which was not the intention. Doesn't this kind of defeat the purpose of defining the user's "Home directory"? I assumed that the user's home directory would confine them to that location.
You're a new poster to this thread, so there's no previous info on what you've done so far and you have no informative forum signature of your setup etc.
IF you have setup the account (and maybe all of the other accounts...) correctly, then chrooted SFTP access works perfectly and we do use it (see above).
There's lots of guidance type online articles (if you're not 100% confident on the setup that you'll need), but, here's a very simple one - old, but still relevant.
 