How to disable root access via the SSH Terminal extension for Plesk Administrator?

Plesk 18.0.38 includes the SSH Terminal extension in the control panel interface. Using this option all admins can launch the SSH console as root, which can be a serious security threat. In this article, you will learn how to disable this feature.

In the following scenarios, Plesk runs utilities or scripts on behalf of the root user by default:

1. When a Plesk administrator creates a scheduled task and chooses to run it as root, the task will be run as root.

2. When a Plesk administrator establishes an event handler and chooses to run the associated command as root, the event handler is enabled.

3. When the SSH Terminal extension is used by the Plesk administrator and/or subscription owners.

Let us see the three methods for removing root access:

Method 1:

In the $PRODUCT_ROOT_D/var/ directory, files are being created. It is the most reliable method for disabling root access throughout the system, including scheduled tasks, event handlers, and SSH Terminal.

1. Use SSH to connect to the server as root.

2. Make a new file called root.crontab.lock in the $PRODUCT_ROOT_D/var/ directory.  Users will be unable to run cron tasks or view scheduled tasks that must be run as root as a consequence of this.

3. In the $PRODUCT_ROOT_D/var/ directory, create an empty file named root.event handler.lock. Users will be unable to create event handlers that execute as root as a result of this.

4. SSH Terminal will not reveal root access once you’ve completed the two previous stages.

NOTE: On RPM-based systems, $PRODUCT_ROOT_D is /usr/local/psa, while on Debian-based systems, it is /opt/psa.

Method 2:

Only the Plesk administrator gets root access in SSH Terminal, which can be disabled via panel.ini. In scheduled tasks and event handlers, this does not disable root access.

1. Log in to Plesk.

2. Go to Extensions.

3. Select My Extensions.

4. Click on Panel.ini Editor and open it.

5. Select the Editor option.

6. Add the text below at the end of the file:
[login]
systemAdmin = false

7. Finally press the Save button.

8. Using the following panel.ini menu, restrict root access.

[ext-ssh-terminal]

rootAccessAllowed = false

9. Using the following panel.ini menu, add the ‘SSH Terminal’ extension to the blacklist will not be possible to install it on a server.

[extensions]

blacklist = ext-panel-editor

Method 3:

Both the Plesk administrator and subscription owners can disable the SSH Terminal extension using panel.ini. In scheduled tasks and event handlers, this does not disable root access.

Using the following panel.ini option, add the ‘SSH Terminal’ extension to the blacklist will not be possible to install on a server.

[extensions]

blacklist = ext-ssh-terminal, ext-panel-editor

You can restrict root or Administrator users from accessing Plesk in this technique. Contact our eukhost support team at any time for guidance. Also, don’t forget to look into our Web hosting services.