What's new
By:
Panelica Community Forum

Welcome to the official Panelica Community Forum — the central hub for server administrators, developers, and hosting professionals. Register a free account today to access technical discussions, product announcements, feature requests, and direct support from the Panelica team. Be part of the growing community shaping the future of server management.

SSH/SFTP User Management — Complete Step-by-Step Guide

admin

admin

Administrator
Staff member

SSH/SFTP User Management — Complete Step-by-Step Guide​


This guide explains how SSH and SFTP access works in Panelica, step by step, from start to finish.

What is SSH? A secure terminal to run commands on your server remotely.
What is SFTP? A secure file transfer protocol — upload/download files using clients like FileZilla or WinSCP.


Overview: How SSH/SFTP Access Works​


SSH/SFTP access in Panelica follows this flow:

  1. Create a Plan with SSH access enabled → domainorip:8443/plans/create
  2. Create a User and assign that plan → domainorip:8443/users/create
  3. Manage SSH features (keys, users, config) → domainorip:8443/tools/ssh

The username and password you set when creating a user IS the SSH/SFTP login — no separate account needed.

Sidebar Navigation:
  • Service Plans → Create Plan (Step 1)
  • Users → Create User (Step 2)
  • Remote Access → SSH Access (Step 3)


Step 1: Create a Plan with SSH Access​


Page: https://domainorip:8443/plans/create
Sidebar: Service Plans → Create Plan

When creating a plan, scroll to the "Access Permissions" section. Here you'll find the SSH Access Level dropdown:

SSH Access Level Options​


  • No SSH (SFTP Only) — Default. The user gets no SSH and no SFTP access at all. Safest option for basic hosting accounts.
  • Jailed SSH (Chroot) — The user gets SFTP-only access, locked inside their home directory. They can upload and download files but cannot run terminal commands. Ideal for content managers and designers.
  • Full SSH (Unrestricted) — The user gets both SSH terminal and SFTP access. They can run commands (ls, cp, nano, git, php, etc.) plus transfer files. Still isolated via chroot — they cannot see other users or system files. For developers and advanced users.

After selecting the SSH level, a colored badge appears:
  • Green = No Access (safest)
  • Blue = Jailed Access
  • Orange = Full Access (shows warning)

Other access settings in the same section: FTP Access, MySQL Access, Cron Jobs, SSL/TLS, Backup, Git & Deploy — each can be toggled on/off per plan.

Important: If you are a RESELLER, the SSH options available to you depend on your own plan. You cannot give Full SSH if your plan only allows Jailed.

Save the plan. Now you can assign it to users.


Step 2: Create a User and Assign the Plan​


Page: https://domainorip:8443/users/create
Sidebar: Users → Create User

  1. Fill in Username — this will also be the SSH/SFTP login username
  2. Fill in Password — this will also be the SSH/SFTP login password
  3. Fill in Email
  4. Select the Plan you created in Step 1

When you select a plan, a Plan Information Card appears showing the plan's features. Look for:

Code: 
 SSH Access (full)
or
Code: 
 SSH Access (jailed)
or
Code: 
 SSH Access (none)

  • Green checkmark = SSH/SFTP enabled with the level shown in parentheses
  • Red X = No SSH/SFTP access

Click Create User. That's it — the user can now connect via SSH or SFTP using the username and password you just set.

Example: Connecting After User Creation​


If you created a user called john with password MyStr0ng!Pass, and your server IP is 203.0.113.50 with SSH port 22:

SSH (terminal):
Code: 
ssh [email protected]

SFTP (file transfer):
Code: 
sftp [email protected]

FileZilla:
  1. Protocol: SFTP
  2. Host: 203.0.113.50
  3. Port: 22
  4. Username: john
  5. Password: MyStr0ng!Pass
  6. Click Connect


Step 3: SSH Management Dashboard​


Page: https://domainorip:8443/tools/ssh
Sidebar: Remote Access → SSH Access

This is the main SSH management page. At the top, you'll see:

Connection Details Card:
  • Server IP — Your server's IP address (with copy button)
  • Port — SSH port number
  • Username — Your SSH username (with copy button)
  • Access Level — Badge showing "Full Access", "Jailed Shell", or "No Access"
  • Shell — Badge showing shell type (Full Shell / Restricted / Disabled)
  • Home Directory — Your home folder path (with copy button)
  • Quick Connect Command — Ready-to-copy SSH command: ssh username@server_ip -p port

4 Stats Cards:
  • SSH Status (Enabled/Disabled)
  • SSH Keys count
  • Active Sessions count
  • Login History count

Below the stats, there are 5 tabs. Each tab is explained in detail below.


Tab 1: SSH/SFTP Users​


Page: https://domainorip:8443/tools/ssh#users

This tab lets you create additional SSH/SFTP accounts beyond the main panel user. Useful for giving developers, designers, or partners separate access to specific directories.

Users Table​


Each row shows:
  • Username — SSH login name + description (if set)
  • Home Directory — The root folder this user can access
  • Access Level — Green "full" or Yellow "jailed" badge
  • Quota — Disk space limit in MB (or "Unlimited")
  • Status — Green "active" or Red "suspended"
  • Owner — Which panel user this account belongs to
  • Actions — 4 buttons: Edit, Password, Suspend, Delete

Creating an Additional SSH/SFTP User​


Click "Add SSH/SFTP User" button. The form has these fields:

Username (required)
  • Must start with a lowercase letter
  • Only lowercase letters, numbers, hyphens (-), underscores (_)
  • 3-32 characters long
  • Examples: webdev, deploy_user, site-admin
  • Not allowed: John (uppercase), ab (too short), user@site (special chars)
  • Cannot be changed after creation

Password (required)
  • Minimum 8 characters
  • Can be changed later via "Change Password" button

Home Directory (required)
  • The folder the user sees when they connect — they cannot go above this folder
  • Auto-populated if you select a domain
  • ROOT users can enter any valid path
  • Non-ROOT users: must be within your home folder
  • Cannot be changed after creation

Access Level
  • Jailed (SFTP Only) — Default. File transfer only. Maximum security.
  • Full (SSH + Shell) — Terminal access + file transfer. Still chroot-isolated.
  • Can be changed later via Edit

Disk Quota (MB)
  • Maximum disk space for this user. Set to 0 for unlimited.
  • Example: 1000 = 1 GB

Owner User (visible to ROOT/ADMIN/RESELLER only)
  • Link this SSH account to an existing panel user
  • When selected, the domain dropdown filters to show only that user's domains

Associated Domain
  • Link to a specific domain — auto-fills the home directory
  • Example: Select example.com → Home becomes /home/example_com/public_html

Description
  • Optional note about this account's purpose
  • Example: "Frontend developer - David's account"

Allowed Directories
  • Extra folders the user can access (one path per line)
  • These are bind-mounted into the user's chroot jail
  • Example:
    Code: 
    /home/example_com/logs
/home/shared_assets
  • Optional — leave empty if user only needs their home directory

Action Buttons on Each User​


Edit — Change access level, quota, description, or allowed directories.

Change Password — Set a new password (minimum 8 characters).

Suspend — Immediately blocks ALL access: SSH, SFTP, and even public key authentication. The user's files remain intact. Click again to Unsuspend and restore access.

Delete — Permanently removes the SSH account. Website files in the home directory are preserved.


Tab 2: SSH Keys​


Page: https://domainorip:8443/tools/ssh#keys

SSH Keys let you log in without a password — more secure and convenient.

Keys Table​


Each row shows:
  • Name — Your label for this key (e.g., "My Laptop")
  • Type — Key type badge (ED25519, RSA, etc.)
  • Fingerprint — Unique identifier (with copy button)
  • Added — When the key was added
  • Last Used — When it was last used to log in (or "Never")
  • Actions — Delete button

Adding an SSH Key​


  1. Click "Add SSH Key"
  2. Enter a Key Name (e.g., "My Laptop", "Office PC", "CI/CD Server")
  3. Paste your Public Key into the textarea
  4. Click "Add Key"

How to generate your key and get the public key:

Linux / macOS:
Code: 
# Generate key (one time only):
ssh-keygen -t ed25519 -C "[email protected]"

# Copy your public key:
cat ~/.ssh/id_ed25519.pub

Windows PowerShell:
Code: 
ssh-keygen -t ed25519 -C "[email protected]"
Get-Content ~/.ssh/id_ed25519.pub

Your public key looks like:
Code: 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBx... [email protected]

Never share your private key (the file without .pub extension). Only share the .pub file.


Tab 3: Login History​


Page: https://domainorip:8443/tools/ssh#history

Track all SSH and SFTP connections.

Table columns:
  • Status — Active (currently connected) or Ended
  • Username — Who connected
  • IP Address — Client's IP (where they connected from)
  • Terminal — Terminal type (e.g., xterm-256color) or "-"
  • Login Time — Session start time
  • Logout Time — Session end time (or "-" if still active)

Use this to:
  • Check if unauthorized IPs connected to your server
  • Verify developers are connected when expected
  • Audit access for security compliance
  • Detect brute-force attempts (many failed logins from same IP)


Tab 4: Quick Guide​


Page: https://domainorip:8443/tools/ssh#guide

An interactive 4-step tutorial with copyable commands, auto-filled with your actual server details:

Step 1 — Generate Key:
Code: 
ssh-keygen -t ed25519 -C "[email protected]"

Step 2 — Copy Public Key:
Code: 
cat ~/.ssh/id_ed25519.pub

Step 3 — Connect: Shows your actual server command:
Code: 
ssh your_username@your_server_ip -p your_port

Step 4 — SSH Config (optional): A ready-to-use config for ~/.ssh/config:
Code: 
Host myserver
 HostName your_server_ip
 User your_username
 Port your_port
 IdentityFile ~/.ssh/id_ed25519

After adding this config, you can connect with just:
Code: 
ssh myserver

If your account is Jailed, a notice explains the restrictions (cannot access files outside home, limited commands).


Tab 5: SSHD Config (ROOT Only)​


Page: https://domainorip:8443/tools/ssh#config

This tab is only visible to ROOT administrators. It controls the SSH daemon settings for the entire server.

Authentication Settings (Left Card)​


  • Permit Root Login — Allow root SSH access. Options: yes / no / prohibit-password / forced-commands-only
  • Password Authentication — Enable password-based login (yes/no). If "no", only SSH keys work.
  • Public Key Authentication — Enable key-based login (yes/no). Should almost always be "yes".
  • Permit Empty Passwords — Allow empty passwords (no = recommended).

Connection Settings (Right Card)​


  • SSH Port — Port SSH listens on (default: 22). Non-standard port adds security.
  • Max Auth Tries — Failed attempts before disconnect (default: 6).
  • X11 Forwarding — Allow graphical apps over SSH (yes/no).
  • TCP Forwarding — Allow port tunneling (yes/no).
  • Use DNS — Reverse DNS lookups (no = faster connections).

Action Buttons​


  • Test Config — Validates configuration syntax without applying. Always test first!
  • Save Config — Saves and creates automatic backup. Shows warnings for dangerous settings.
  • Restart SSH — Restarts SSH daemon to apply changes.

Backups​


Every save creates an automatic backup. The backup table shows all previous configs with a Restore button to revert if needed.

Lockout Warning: Disabling password auth before adding SSH keys, or changing the port without updating your firewall, can lock you out!


Security: 5 Layers of Protection​


Every SSH/SFTP user in Panelica is protected by:

  1. Chroot Isolation — Users are locked in their home directory. They cannot see the root filesystem, other users' files, or system files.
  2. Cgroup Resource Limits — CPU, RAM, disk I/O, and process count limits via Linux cgroups v2. One user cannot consume all server resources.
  3. Restricted Shell — Full SSH users get restricted bash with a limited set of allowed commands (ls, cp, mv, cat, nano, git, php, node, composer, npm, wp, etc.). System commands (sudo, apt, systemctl) are blocked.
  4. Namespace Isolation — Advanced: separate process and mount namespaces per user, similar to Docker container isolation.
  5. Account Expiry on Suspend — Suspended accounts are expired at the Linux PAM level, blocking ALL authentication methods — passwords AND SSH keys.


Troubleshooting​


"Connection refused"
→ Check your SSH port (may be non-standard — see SSHD Config tab). Check firewall rules.

"Permission denied" on login
→ Verify username (lowercase, exact match). Check password. Check user is not suspended. Check plan has SSH enabled.

Cannot upload files via SFTP
→ Check directory permissions. Check disk quota. Verify home directory path is correct.

"Command not found" in SSH terminal
→ Normal for restricted shell. Only basic commands are available. Contact your admin for specific tool needs.

Can only see limited folders
→ By design (chroot isolation). Ask admin to add Allowed Directories to your SSH user account.


Last updated: March 2026 | Panelica Server Management Panel
 
Last edited:
You must log in or register to reply here.
Back
Top