Skip to content

Setting Up Secure SSH Access for Plesk Vhosts (macOS/Linux)

This guide explains how to set up key-based SSH access for specific Plesk system users. This method is more secure than using passwords and allows you to manage multiple websites (vhosts) easily.

1. Generate a New SSH Key Pair

On your local machine (Mac/Linux), generate a unique key pair for the server. Using a unique filename (rather than the default id_rsa) allows you to manage different servers/users separately.

  1. Open your Terminal.

  2. Run the following command: 

    ssh-keygen -t ed25519 -f ~/.ssh/plesk -C "your_email@example.com"

  3. -t ed25519: Uses the most modern and secure encryption.

  4. -f ~/.ssh/plesk: Saves the keys as plesk (private) and plesk.pub (public) in your .ssh folder.
  5. -C: An optional comment to identify the key.

The Purpose of a Passphrase

During generation, you will be asked for a passphrase.

  • What it is: An extra layer of encryption for your private key file.
  • Why use it: If someone steals your computer or gets access to your files, they cannot use your key without the passphrase. It turns "something you have" into "something you have AND something you know."

2. Configure your Local SSH Config

To avoid typing long usernames and IP addresses every time, you can create a shortcut in your SSH config file.

  1. Open (or create) the config file: nano ~/.ssh/config
  2. Add an entry using this template:
Host plesk
  HostName 87.106.13.58
  User plesk_system_username
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/plesk
  Port 22
  1. Save and exit (Ctrl+O, Enter, Ctrl+X).
  2. Now you can connect simply by typing ssh plesk.

To make the guide reproducible for any domain on your server, you need a quick way to find the correct usernames. Add this block to your guide, ideally under Step 3: Prepare the Server.

Optional: Identify All System Users via CLI

If you have many subdomains and don't want to check the Plesk GUI for each one, you can query the Plesk database directly from the terminal as root.

Run this command to see a mapping of every subdomain to its corresponding SSH/System User:

plesk db "SELECT domains.name AS domain, sys_users.login AS ssh_user FROM domains JOIN hosting ON domains.id = hosting.dom_id JOIN sys_users ON hosting.sys_user_id = sys_users.id"

3. Prepare the Server (Vhost)

You must place the Public Key (plesk.pub) on the server so it recognizes your Mac/Linux.

A. Identify the Target

Log in as root and identify the System User and the Home Directory of the vhost:

# Replace 'plesk_system_username' with the Plesk system user
getent passwd plesk_system_username | cut -d: -f6

*Output will look like: /var/www/vhosts/subdomain*

B. Enable SSH Access in Plesk

  1. Log into the Plesk GUI.
  2. Go to Websites & Domains > Web Hosting Access.
  3. Change Access to the server over SSH from "Forbidden" to /bin/bash.

4. Install the Public Key on the Server

As root, you must create the .ssh directory in the vhost's home directory and set the correct permissions.

  1. Create the directory: 

    mkdir -p /var/www/vhosts/subdomain/.ssh

  2. Paste your public key: Open the authorized keys file: 

    nano /var/www/vhosts/subdomain/.ssh/authorized_keys

Copy the contents of your local ~/.ssh/plesk.pub (.pub !) and paste it here as a single line.\ Save and exit (Ctrl+O, Enter, Ctrl+X).

  1. Set Ownership and Permissions (CRITICAL): SSH will reject connections if these files are owned by root or if permissions are too loose. 
    # Set the correct user and group (usually psacln in Plesk)
chown -R plesk_system_username:psacln /var/www/vhosts/subdomain/.ssh

# Set strict permissions
chmod 700 /var/www/vhosts/subdomain/.ssh
chmod 600 /var/www/vhosts/subdomain/.ssh/authorized_keys

5. Verify the Connection

From your Mac/Linux Terminal, simply run:

ssh plesk

Why this works:

  1. Your Mac/Linux looks at ~/.ssh/config and sees that the "plesk" shortcut uses the ~/.ssh/plesk private key.
  2. It sends a request to the server IP as the specific system user.
  3. The server looks inside the vhost's /var/www/vhosts/subdomain/.ssh/authorized_keys file.
  4. If the keys match and the permissions are correct (700/600), access is granted.

6. Troubleshooting "Permission Denied"

If you still see Permission denied (publickey) after following the steps above, use these tools as root on the server to find the "smoking gun."

A. Verify Path and Ownership

SSH is extremely strict. If the path to your keys is owned by root, the system user will be blocked from reading them for security reasons.

# 1. Verify the exact home directory for the user
getent passwd plesk_system_username | cut -d: -f6

# 2. Re-apply permissions to ensure the user owns their keys
TARGET_USER="plesk_system_username"
TARGET_DIR="/var/www/vhosts/subdomain"

chown -R $TARGET_USER:psacln $TARGET_DIR/.ssh
chmod 700 $TARGET_DIR/.ssh
chmod 600 $TARGET_DIR/.ssh/authorized_keys

B. Check for Locked Accounts

If a user account is locked or expired, SSH keys will be ignored. Check the account status:

passwd -S plesk_system_username
  • P: Password/Account is active (Good).
  • L: Account is Locked. Unlock it with usermod -U plesk_system_username.

C. Watch the Live Authentication Log

The most effective way to debug is to watch the server's auth log in real-time. Open a terminal as root and run:

tail -f /var/log/auth.log

Now, attempt to connect from your Mac (ssh plesk). Look for these common errors in the log:

  • "Authentication refused: bad ownership or modes": The server is rejecting the folder permissions. Re-run the chmod commands in Step 4.
  • "Connection closed by authenticating user... [preauth]": This usually means the key was offered but didn't match anything in authorized_keys. Double-check that you pasted the .pub content correctly as a single line.

D. Mac-Side Verbose Debugging

If the server logs are silent, run the connection on your Mac/Linux with the -v flag to see which identity file is being offered:

ssh -v plesk

Look for the line: Offering public key: /Users/yourname/.ssh/plesk. If it is offering a different file, your ~/.ssh/config is likely pointing to the wrong path.

Workflow for new Vhosts

To reproduce this for any other domain on the same server:

  1. Find the new System User name in Plesk.
  2. Add a new block to your ~/.ssh/config on your Mac/Linux with a new Host nickname.
  3. Repeat Step 4 on the server, ensuring you use the correct directory and username for the chown command.