• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved How to work with SSH Keys Manager

Kulturmensch

Regular Pleskian
Server operating system version
Ubuntu 22.04.2 LTS
Plesk version and microupdate number
Plesk Obsidian v18.0.53_build1800230619.12 os_Ubuntu 22.04
I moved my Webspace to a new server and would like to get limited ssh-access just to my domain using the defined system user as established before. This worked fine with my old one for root and other users but currently I can only get access as root with a key-pair. For my domain I can get ssh-access only using a passord but I would like to limit the access to a key-pair generally, too.
As it did not work manually ( I do not understand why) I tried to use the extension SSH Keys Manager. Well I can open it but it, then it says go to a subscription. But I do not find this extension in the menues of my subscription/webspace? in the new server

Any idea how I can establisch a ssh-connection limited to my domain using a rsa-key-pair?
 
Thank you Peter! This explains it. Yesterday I found it a little bit strange to find no menue for the key manager. Thank you for clarification.

However, to generate keys is not my problem. I use PUTTYgen und this works fine for "normal" users on my new server. But it does not work for the system user which was setup during the installation of Plesk Obsidian. This system user owns all directories and files of my domain: /var/www/vhosts/[MyDomain] and subdomains. I have managed to get ssh access for this user to my domain using username/password but I would like to establish a key-based connection and to get rid of the password-based connection (what already works for othe users).

I have produced a pair of keys and stored the public key in a file called authorized_keys in the directory /var/www/vhosts/[MyDomain]/.ssh When I try to connect with putty using the private key to my server IP via port 22 with the name of the systemuser I get the message key is not accepted. Any idea what is wrong in my setup?
 
~ Yesterday I found it a little bit strange to find no menue for the key manager ~
We've never used key manager. It's an unnecessary addition (for us) and it's possible to achieve what you want (if we've understood it correctly) without using it.
~ This system user owns all directories and files of my domain: /var/www/vhosts/[MyDomain] and subdomains.
You've used the term 'system', so we're assuming that your Plesk login is 'root' (or more likely 'admin') and this is your 'system' user - is that right?
I have managed to get ssh access for this user to my domain using username/password but I would like to establish a key-based connection and to get rid of the password-based connection (what already works for othe users).
IF, you've got root (and/or admin) aka 'system' access via key-based authentication only, then presumably, you'll have previously, intentionally specified this choice within this file: /etc/ssh/ssh_config (as we did -from inception FWIW). So... IF that IS the case, then you should be able to generate a new key pair (but for your specific domain account i.e taking its account details from here: *.*:8443/smb/web/edit - for that specific domain) and once the public / private keys are located in the correct places on your server, you should then be able to login via key-based authentication only (i.e. not password) to that specific domain.

In addition to the above, you're wanting to create a key-based authentication only, separate, domain specific SFTP login, even though everything there is owned by 'system' which, also limits this specific login account, to the root of that specific domain and nothing above that. You can do this, by restricting that specific domain to: /bin/bash/(chrooted) access via CLI or, by using the Access to the server over SSH option, on that page url posted above, within the Plesk Panel.

When you've verified the above (key-based authentication only and domain root access only) and, assuming that you've already setup your SFTP Client to use chosen, default local and remote directories and you're pretty much good to go. We use this setup (just for 2 of domains that we host) and it works just fine.
I have produced a pair of keys and stored the public key in a file called authorized_keys in the directory /var/www/vhosts/[MyDomain]/.ssh
That's correct. Normally, that .ssh directory would be the correct owner and group (not root root) with File Permissions: 700 and all of its individual file content (*rsa / *rsa.pub / authorized_keys - in our case, not sure of yours) would again, all be the correct owner and group (not root root) & have file permissions: 600
When I try to connect with putty using the private key to my server IP via port 22 with the name of the systemuser I get the message key is not accepted. Any idea what is wrong in my setup?
Now with this ^ we can't help as we don't use putty, because all of our non-server devices are macOS / iOS so we use equivalents but not putty. However, many basic 'key not accepted' errors are linked to wrong group / owner / permissions etc so the previous paragraph might be of some assistance when de-bugging.
 
However, many basic 'key not accepted' errors are linked to wrong group / owner / permissions etc so the previous paragraph might be of some assistance when de-bugging.
Thank you very much indeed for your explanations! Your last hint let me check also the basics again and I found permissions 600 for .ssh . I changed it to 700, produced a further new key-pair (using putty) and ... now it works! (You saved my sunday jogging training:))
 
Thank you for this information. I do not have the same dashboard as you have. This could be because I only have websites & Domains in the menue and not subscription. Maybe a matter of my license and/or the obsidian version I am using.

In panel.log I found only the two relevant entries as follows:

2023-07-09 00:00:02.259] 34043:64a9dc6236616 ERR [panel] Unable to get key: Repository is not opened

[2023-07-09 03:54:03.261] 39637:64aa133b3f1d6 ERR [panel] PHP Warning: Undefined property: Net_DNS2_RR_CNAME::$exchange; File: /opt/psa/admin/plib/modules/email-security/library/ConfigCheck.php, Line: 239

Both are already reported - one is an accepted bug the other a warning of minor importance (perhaps?).
 
Oops - you are right, I didn`t know this switch and, as in your example the ssh-key switch is available here for me as well. By the way using this key-manager I see the fingerprint of one installed key. Is this the one I have installed manually? And further, I could add a key. Would this key be usable in addition to the existing one?
 
>> Is this the one I have installed manually?
Most probably. Normally, authorized_keys is empty.

>> And further, I could add a key. Would this key be usable in addition to the existing one?
yes, authorized_keys file's structure does support multiple keys with newline as delimeter
 
Back
Top