
I opened a domain in Plesk and wanted to give the user access to SFTP in order to secure the transfers through FTP.

When I chose “Shell access to server with user’s credentials /bin/bash” I got a message that it is extremely dangerous to enable this feature and I should only enable it if I trust the user.

I am trying to understand how enabling SFTP to a user can be dangerous.

Thanks in advance!

Joel

3 Answers


  1. Well, I have no clue about Plesk, but sftp uses ssh to tunnel the communication between client and server. Therefore, the user can access your server with ssh, and get a full-fledged shell to do nasty stuff. If you don’t pay attention he can read other users’ homes, or read your server’s configs.

    Unless you chrooted the user, and took further care about hdd, cpu, mem, … limits, you should not allow access to your server to a potentially untrustworthy user via ssh.
    To my knowledge, there is no way to allow sftp/scp without complete ssh access.

  2. Typically giving someone the shell /bin/bash (chrooted) in Plesk is the way to accomplish this. I don’t consider this to be a huge security concern, personally, but it depends on how well you have your server locked down in regards to permissions.

    You can also look into setting proftpd up to use SSL rather than giving them SFTP access, as this does not require them to have a shell, and their shell can still be /bin/false.

  3. If you only want to give the user scp/sftp-access, you can set the shell to scponly.

    In Ubuntu scponly is provided by the scponly package, and is located at /usr/bin/scponly after install.

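Added example, not part of this thread: a small Python audit script that reads passwd-style and sshd_config-style text and reports, for each account, whether it would get a full shell over SSH, is confined to file transfer, or cannot log in at all. Besides the scponly shell and /bin/false mentioned in the answers above, it also recognises OpenSSH's own `Match User` block with `ChrootDirectory` and `ForceCommand internal-sftp`, which is the stock OpenSSH way to grant SFTP without a shell. The user names, paths and both configuration samples are constructed for this example.

```python
"""Audit which accounts get an interactive shell over SSH and which are
confined to SFTP. The passwd and sshd_config samples below are constructed
for this example; run it against real /etc/passwd and /etc/ssh/sshd_config
text to audit a server."""
import re

# Login shells that give no interactive session (see answers 2 and 3).
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
SCPONLY_SHELL = "/usr/bin/scponly"

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
joel:x:1001:1001:Joel:/var/www/vhosts/example.com:/bin/bash
dev:x:1002:1002:developer:/var/www/vhosts/example.org:/bin/bash
upload:x:1003:1003:upload only:/var/www/vhosts/example.net:/usr/bin/scponly
ftpsonly:x:1004:1004:ftps only:/var/www/vhosts/example.edu:/bin/false
"""

SAMPLE_SSHD_CONFIG = """\
Subsystem sftp internal-sftp
# joel is confined to SFTP inside his vhost directory
Match User joel
    ChrootDirectory /var/www/vhosts/example.com
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
# dev is forced into SFTP but can still browse the whole filesystem
Match User dev
    ForceCommand internal-sftp
"""


def parse_passwd(text):
    """Return {user: {"uid", "home", "shell"}} from passwd-formatted text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        users[fields[0]] = {"uid": int(fields[2]), "home": fields[5],
                            "shell": fields[6]}
    return users


def parse_match_blocks(text):
    """Return {user: {option_lowercase: value}} for every 'Match ... User X'
    block in sshd_config text. Options before the first Match, or in a Match
    block without a User criterion, are ignored for this audit."""
    blocks, current = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            found = re.search(r"\buser\s+(\S+)", value, re.I)
            current = found.group(1).split(",") if found else []
            for user in current:
                blocks.setdefault(user, {})
            continue
        for user in current:
            blocks[user][key] = value
    return blocks


def audit(passwd_text, sshd_text):
    """Classify each account's SSH access level."""
    users = parse_passwd(passwd_text)
    matches = parse_match_blocks(sshd_text)
    report = {}
    for name, info in users.items():
        block = matches.get(name, {})
        if block.get("forcecommand") == "internal-sftp":
            chrooted = "chrootdirectory" in block
            report[name] = "sftp-only (chrooted)" if chrooted \
                else "sftp-only (not chrooted)"
        elif info["shell"] == SCPONLY_SHELL:
            report[name] = "scp/sftp-only (scponly)"
        elif info["shell"] in NOLOGIN_SHELLS:
            report[name] = "no login"
        else:
            report[name] = "full shell"
    return report


if __name__ == "__main__":
    for user, access in audit(SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG).items():
        print(f"{user:10} {access}")
```

Accounts reported as "full shell" are the ones the Plesk warning is about; "sftp-only (not chrooted)" still lets the user read any world-readable file on the box, which is the exposure the first answer describes, so the `ChrootDirectory` line matters as much as the `ForceCommand`.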