SSH access for user

May I know the logic for granting SSH access to a user in HestiaCP?

My global setting is set to PasswordAuthentication = Off.

If I allow BASH SSH access for a user, that user will be removed from MATCH USER in sshd_config, so I cannot use SFTP/SSH for that user. However, the user is allowed to use the web terminal.

I think this is intended, but I would like to know the logic behind this.

Thanks

May I have some advice on this? 🙂

Thanks

I have no problem using ssh/sftp for a user with bash assigned as shell.

In Hestia server, user test with nologin shell:

❯ v-list-user test json | jq -r '.[]|.SHELL'
nologin

❯ grep -Ev '^$|^#' /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
Port 22
LoginGraceTime 1m
PermitRootLogin prohibit-password
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
DebianBanner no
AcceptEnv LANG LC_*
Subsystem sftp internal-sftp


Match User sftp_dummy99,admin,test
    ChrootDirectory /srv/jail/%u
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp -d /home/%u

From remote machine:

❯ ssh -i ~/.ssh/privkey_ed25519 [email protected]
This service allows sftp connections only.
Connection to example.net closed.

❯ sftp -i ~/.ssh/privkey_ed25519 [email protected]
Connected to example.net.
sftp> ls
conf  mail  tmp   web
sftp> quit

In Hestia server, user test with bash shell:

❯ v-change-user-shell test bash

❯ v-list-user test json | jq -r '.[]|.SHELL'
bash

❯ grep -Ev '^$|^#' /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
Port 22
LoginGraceTime 1m
PermitRootLogin prohibit-password
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
DebianBanner no
AcceptEnv LANG LC_*
Subsystem sftp internal-sftp


Match User sftp_dummy99,admin
    ChrootDirectory /srv/jail/%u
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp -d /home/%u

From remote machine:

❯ ssh -i ~/.ssh/privkey_ed25519 [email protected]
Linux hestia.example.net 6.12.48+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.48-1 (2025-09-20) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Nov  6 01:27:44 2025 from 203.0.113.13
test@hestia:~$

❯ sftp -i ~/.ssh/privkey_ed25519 [email protected]
Connected to example.net.
sftp> ls
conf  mail  tmp   web
sftp> quit

So:
If the user has nologin as shell, it can only use sftp.
If the user has bash as shell, it can use sftp and ssh.

If you have some issues when the user has bash shell, check that Subsystem is like this:

❯ grep Subsystem /etc/ssh/sshd_config
Subsystem sftp internal-sftp

And not like this:

❯ grep Subsystem /etc/ssh/sshd_config
Subsystem sftp internal-sftp-server

Yep,

but the issue is that my users are using a password to authenticate

The authentication method doesn’t matter.

I think it does, because the global setting is PasswordAuthentication OFF (while I’ve set PasswordAuthentication to ON in MATCH USER).

Then once I’ve turned on BASH access for the user, it’s removed from MATCH USER, which makes this user fall under PasswordAuthentication OFF.

That’s new, you didn’t mention that you added PasswordAuthentication under the Match User block. So of course, if the user is removed, there’s no way to log in using a password.

You can turn on PasswordAuthentication globally or create an additional conf file adding the users that will use a password to log in:

❯ cat /etc/ssh/sshd_config.d/pass.conf
Match User user1,user2,userX
PasswordAuthentication yes
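The behaviour worked out in this thread, as an added example that is not part of any post above: a simplified Python model of how sshd picks a keyword's value for a user, where a matching Match block overrides the global setting. The config strings are constructed from the thread's output, and `effective` is a hypothetical helper that assumes Include is already expanded and understands only `Match User` and `Match all`.

```python
from fnmatch import fnmatchcase

# Constructed sample: sshd_config after `v-change-user-shell test bash`, plus the
# asker's own PasswordAuthentication line inside the Match User block.
AFTER_BASH = """\
PasswordAuthentication no
Subsystem sftp internal-sftp
Match User sftp_dummy99,admin
    ChrootDirectory /srv/jail/%u
    PasswordAuthentication yes
    ForceCommand internal-sftp -d /home/%u
"""

# Constructed drop-in in the style of pass.conf from the last reply.
PASS_CONF = """\
Match User test
    PasswordAuthentication yes
"""

def effective(config_text, user, keyword):
    """Return the value this model resolves for `keyword` when `user` connects.

    Simplified: negated patterns and other Match criteria are not handled.
    """
    global_val = match_val = None
    in_match = active = False
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            crit, _, arg = value.partition(" ")
            patterns = arg.replace(" ", "").split(",")
            active = crit.lower() == "all" or (
                crit.lower() == "user" and any(fnmatchcase(user, p) for p in patterns))
        elif key == keyword.lower():
            # First value obtained wins, separately for global and Match scope.
            if in_match and active and match_val is None:
                match_val = value
            elif not in_match and global_val is None:
                global_val = value
    # A value set in a matching Match block overrides the global one.
    return match_val if match_val is not None else global_val
```

On the server itself, sshd's extended test mode (`sshd -T` with a `-C user=...` connection spec) prints the values the real daemon would apply, which is the authoritative check.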