Resolved How to work with SSH Keys Manager

[Kulturmensch]

Server operating system version

Ubuntu 22.04.2 LTS

Plesk version and microupdate number

Plesk Obsidian v18.0.53_build1800230619.12 os_Ubuntu 22.04

I moved my Webspace to a new server and would like to get limited ssh-access just to my domain using the defined system user as established before. This worked fine with my old one for root and other users but currently I can only get access as root with a key-pair. For my domain I can get ssh-access only using a passord but I would like to limit the access to a key-pair generally, too.
As it did not work manually ( I do not understand why) I tried to use the extension SSH Keys Manager. Well I can open it but it, then it says go to a subscription. But I do not find this extension in the menues of my subscription/webspace? in the new server

Any idea how I can establisch a ssh-connection limited to my domain using a rsa-key-pair?

 

[Peter Debik]

Hi @Kulturmensch, I tried to reproduce this and was unable to find the desired dialog boxes, too. I have asked staff on this now.
In general SSH Keys Manager only allows pasting keys into a box and to store them. It does not help generating them.
Maybe this article can help you meanwhile to solve the initial asks: https://support.plesk.com/hc/en-us/articles/12377591587863-How-to-set-up-SSH-keys-for-Plesk-server-

 

[Kulturmensch]

Thank you Peter! This explains it. Yesterday I found it a little bit strange to find no menue for the key manager. Thank you for clarification.

However, to generate keys is not my problem. I use PUTTYgen und this works fine for "normal" users on my new server. But it does not work for the system user which was setup during the installation of Plesk Obsidian. This system user owns all directories and files of my domain: /var/www/vhosts/[MyDomain] and subdomains. I have managed to get ssh access for this user to my domain using username/password but I would like to establish a key-based connection and to get rid of the password-based connection (what already works for othe users).

I have produced a pair of keys and stored the public key in a file called authorized_keys in the directory /var/www/vhosts/[MyDomain]/.ssh When I try to connect with putty using the private key to my server IP via port 22 with the name of the systemuser I get the message key is not accepted. Any idea what is wrong in my setup?

 

[Kulturmensch]

By the way, yesterday I found this solution which did not work - obviously: How to provide access to domain in Plesk via SFTP using SSH keys instead of passwords? - Support Cases from Plesk Knowledge Base

 

[Peter Debik]

The article you found is just an SEO copy of the KB article https://support.plesk.com/hc/en-us/...via-SFTP-using-SSH-keys-instead-of-passwords-
Step (4.2) is the one that I could not do either.
I have now logged an internal case for investigation as case ID PPS-14669.

 

[learning_curve]

~ Yesterday I found it a little bit strange to find no menue for the key manager ~

We've never used key manager. It's an unnecessary addition (for us) and it's possible to achieve what you want (if we've understood it correctly) without using it.

~ This system user owns all directories and files of my domain: /var/www/vhosts/[MyDomain] and subdomains.

You've used the term 'system', so we're assuming that your Plesk login is 'root' (or more likely 'admin') and this is your 'system' user - is that right?

I have managed to get ssh access for this user to my domain using username/password but I would like to establish a key-based connection and to get rid of the password-based connection (what already works for othe users).

IF, you've got root (and/or admin) aka 'system' access via key-based authentication only, then presumably, you'll have previously, intentionally specified this choice within this file: /etc/ssh/ssh_config (as we did -from inception FWIW). So... IF that IS the case, then you should be able to generate a new key pair (but for your specific domain account i.e taking its account details from here: *.*:8443/smb/web/edit - for that specific domain) and once the public / private keys are located in the correct places on your server, you should then be able to login via key-based authentication only (i.e. not password) to that specific domain.

In addition to the above, you're wanting to create a key-based authentication only, separate, domain specific SFTP login, even though everything there is owned by 'system' which, also limits this specific login account, to the root of that specific domain and nothing above that. You can do this, by restricting that specific domain to: /bin/bash/(chrooted) access via CLI or, by using the Access to the server over SSH option, on that page url posted above, within the Plesk Panel.

When you've verified the above (key-based authentication only and domain root access only) and, assuming that you've already setup your SFTP Client to use chosen, default local and remote directories and you're pretty much good to go. We use this setup (just for 2 of domains that we host) and it works just fine.

I have produced a pair of keys and stored the public key in a file called authorized_keys in the directory /var/www/vhosts/[MyDomain]/.ssh

That's correct. Normally, that .ssh directory would be the correct owner and group (not root root) with File Permissions: 700 and all of its individual file content (*rsa / *rsa.pub / authorized_keys - in our case, not sure of yours) would again, all be the correct owner and group (not root root) & have file permissions: 600

When I try to connect with putty using the private key to my server IP via port 22 with the name of the systemuser I get the message key is not accepted. Any idea what is wrong in my setup?

Now with this ^ we can't help as we don't use putty, because all of our non-server devices are macOS / iOS so we use equivalents but not putty. However, many basic 'key not accepted' errors are linked to wrong group / owner / permissions etc so the previous paragraph might be of some assistance when de-bugging.

 

[Kulturmensch]

However, many basic 'key not accepted' errors are linked to wrong group / owner / permissions etc so the previous paragraph might be of some assistance when de-bugging.

Thank you very much indeed for your explanations! Your last hint let me check also the basics again and I found permissions 600 for .ssh . I changed it to 700, produced a further new key-pair (using putty) and ... now it works! (You saved my sunday jogging training)

 

[Strangelove]

@Kulturmensch The menu option should be there:


In case it is not, I'd recommend checking /var/log/plesk/panel.log for errors when refreshing the subscriptions' page.

 

[Kulturmensch]

Thank you for this information. I do not have the same dashboard as you have. This could be because I only have websites & Domains in the menue and not subscription. Maybe a matter of my license and/or the obsidian version I am using.

In panel.log I found only the two relevant entries as follows:

2023-07-09 00:00:02.259] 34043:64a9dc6236616 ERR [panel] Unable to get key: Repository is not opened

[2023-07-09 03:54:03.261] 39637:64aa133b3f1d6 ERR [panel] PHP Warning: Undefined property: Net_DNS2_RR_CNAME::$exchange; File: /opt/psa/admin/plib/modules/email-security/library/ConfigCheck.php, Line: 239

Both are already reported - one is an accepted bug the other a warning of minor importance (perhaps?).

 

[Strangelove]

@Kulturmensch Are you sure you've pressed the small "<" button on top right side of the panel's interface?

 

[Kulturmensch]

Oops - you are right, I didn`t know this switch and, as in your example the ssh-key switch is available here for me as well. By the way using this key-manager I see the fingerprint of one installed key. Is this the one I have installed manually? And further, I could add a key. Would this key be usable in addition to the existing one?

 

[Strangelove]

>> Is this the one I have installed manually?
Most probably. Normally, authorized_keys is empty.

>> And further, I could add a key. Would this key be usable in addition to the existing one?
yes, authorized_keys file's structure does support multiple keys with newline as delimeter

 

[Kulturmensch]

Great, thanks for your help!