
Resolved What steps need to be taken to enable SSH root access through the SSH terminal extension?

Bitpalast

In the Plesk Facebook group I saw a post that a user cannot access SSH through the SSH terminal extension for root. We are experiencing the same on all servers although there are no entries in the Plesk configuration file(s) that SSH access for root shall be blocked.




What steps need to be taken to enable SSH root access through the SSH terminal extension?
 
This does not work. It may be the general Plesk setting to enable access for Plesk, but the SSH terminal still gives a "Permission denied". There seems to be an additional setting somewhere, maybe in the SSH service configuration, to allow a local client to connect?
 


Root access for Admin is enabled by default.

So restarting Plesk after changes should do the trick ;)
Code:
service sw-engine restart && service sw-cp-server restart
 
After more tests I found that the reason for the behavior is quite simple: By default we have disabled root login to SSH. This also applies to the Plesk SSH terminal service. In /etc/ssh/sshd_config:
Code:
PermitRootLogin no

Now, we do not want to enable general root login just because - as admin - we want to use the SSH terminal login to the root level from within Plesk. So in /etc/ssh/sshd_config we leave the "PermitRootLogin no" untouched, but add these lines to the end of the file to only allow root logins from localhost, but not from foreign IP addresses:
Code:
Match Address 127.0.0.1
PermitRootLogin yes
This creates an exception if the request comes from localhost. So we still have the extra security against external brute force attacks while we enjoy the comfort of the SSH terminal extension to login from the local machine.

Tested and works. However: The downside is that with this setting, each user (customer) on the system could try to brute-force against port 22 from localhost now to login with the "root" user name. So after all we have decided to remove the exception again and not to use the SSH terminal functionality from within the Plesk admin GUI. There is no safe setting to allow the admin to login with root but to keep other local users from trying to brute-force against port 22 with a script on the local machine.
 
That's interesting. Perhaps it would be possible to have SSH run on two different ports and use something like:
Code:
Match Address 127.0.0.1 LocalPort 1234
PermitRootLogin yes

That would tighten security a bit more. Although it is only security by obscurity and any local user can easily do a port scan for the second SSH port.

Also, this is just an idea from the top of my head, I have not tested this so this might not even work.
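
Added example, not part of any post in this thread: a small Python model of how sshd resolves PermitRootLogin for the three configurations discussed above (global "no", the loopback Match exception, and the untested second-port idea). The Match criteria carry only the source address and local port, so the exception applies to every local account that connects from 127.0.0.1. The function names, the sample address 203.0.113.7 and the config strings are constructed for illustration.

```python
import ipaddress
DEFAULT = "prohibit-password"  # upstream OpenSSH default when the keyword is unset

def parse(text):
    """Split sshd_config text into global options and ordered Match blocks."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, rest = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            words = rest.split()
            criteria = {words[i].lower(): words[i + 1] for i in range(0, len(words) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        else:  # sshd keeps the first value it sees for a keyword
            (global_opts if current is None else current).setdefault(key, rest)
    return global_opts, blocks

def matches(criteria, addr, port):  # models only Address (plain or CIDR) and LocalPort
    for name, pattern in criteria.items():
        if name == "address":
            nets = [ipaddress.ip_network(p, strict=False) for p in pattern.split(",")]
            if not any(ipaddress.ip_address(addr) in n for n in nets):
                return False
        elif name == "localport":
            if str(port) not in pattern.split(","):
                return False
        else:
            raise ValueError(f"criterion not modelled here: {name}")
    return True

def effective_root_login(text, addr, port=22):
    """PermitRootLogin as applied to a connection from addr arriving on local port."""
    global_opts, blocks = parse(text)
    for criteria, opts in blocks:  # first satisfied Match block that sets it overrides global
        if "permitrootlogin" in opts and matches(criteria, addr, port):
            return opts["permitrootlogin"]
    return global_opts.get("permitrootlogin", DEFAULT)

# Constructed configs (not from a real host): baseline, loopback exception, second-port idea
BASE = "PermitRootLogin no\n"
LOOPBACK = BASE + "Match Address 127.0.0.1\nPermitRootLogin yes\n"
SECOND_PORT = "Port 22\nPort 1234\n" + BASE + "Match Address 127.0.0.1 LocalPort 1234\nPermitRootLogin yes\n"

if __name__ == "__main__":
    for name, cfg in [("base", BASE), ("loopback", LOOPBACK), ("second port", SECOND_PORT)]:
        for addr, port in [("203.0.113.7", 22), ("127.0.0.1", 22), ("127.0.0.1", 1234)]:
            print(f"{name:12} {addr:12} port {port:<5} -> {effective_root_login(cfg, addr, port)}")
```

On a live host, `sshd -T -C user=root,addr=127.0.0.1,lport=22` prints the effective settings as resolved by sshd's own parser, which is the authoritative check.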
 