• The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

SSH Terminal and Security

D

dynaweb

Guest
I have always been with the theory that provising terminal access on a shared server is not secure. I see that nowadays Plesk offers the SSH Terminal through the control panel. I am curious if this is still the case.

I guess my question is, "On a shared web server, will providing clients with the Plesk SSH Terminal access pose any security threat; and if so, in what way?"
 
Secure shell access in it self does not pose a security threat to your shared hosting.

If you use it combined with JAILS (jailed access) a user will only have access to his home dir and nothing else - also only have access to the tools provided in his /bin /usr etc. dirs.

This way you can specify which programs, utils and tools a user have access to.

A no jailed access - will on the other hand allow the user to access all utilities and programs not secured by correct user-rights and may in this way gain access to other parts of your system - without your intention (or even you knowing).

So - jailed access - could be a good thing to offer your users - but be aware that it might be difficult to make all tools work as expected this way and may give you more support requests.

Non jailed access - should really only be given to very trusted users or even be restricted to administrator only.

Well... at least - IMNSHO. :)
 
Strict 'yes' and 'no' are really too limiting. Some shared servers no, some yes.
Dedicated managed servers mostly no.
Dedicated self-managed servers yes, if they need it.

As with most things in life, there are many grey areas, many variables to consider.
 
I understand about the jailed shell. If it is, for the most part, safe I may consider using it. The SSH Terminal that Plesk provides in the CP, is it always on the "jailed" mode or can it be switched on and off from somewhere (like WHM has)?

Originally posted by jamesyeeoc
..but be aware that it might be difficult to make all tools work as expected this way and may give you more support requests.
Click to expand...
Yes, I totally agree with you there. It may be something to charge more for in order to make up for the inevitable support requests it will spawn.

Originally posted by jamesyeeoc
As with most things in life, there are many grey areas, many variables to consider.
Click to expand...
Yes, I would like for this thread to be a place to discuss these variables for consideration.

Thanks
 
You can use the jailed version by selecting "/bin/bash (chrooted)" on the setup page of a domain.

I don't currently and won't ever offer SSH access on shared servers. There are ways to secure people within chrooted environments, and there's ways to break out of them. Depending on the exact setup it's possible to make them fairly secure (such as within Virtuozzo, but that's a lot more complex than we have here) but having local users introduces means you need to patch against all the local kernel exploits that become available in many cases as well as the remote exploits you already should. You also need to keep applications updated so that there's no security holes in them allowing a user to gain root privileges.
 
You must log in or register to reply here.

Similar threads

S
Question Will disabling Ubuntu SSH root login affect Plesk FTP/SSH Terminal?
Replies
1
Views
323
Kaspar@Plesk
Kaspar@Plesk
A
Question login url
Replies
1
Views
2K
webserverforum
W
A
Resolved SSH terminal extension does not work
Replies
2
Views
1K
abanico
A
Lrnt
Question Proxy/Secured HTTP & WS requests to avoid CORS
Replies
1
Views
215
Lrnt
Lrnt
afuego
Question Best linux for Plesk?
Replies
2
Views
1K
afuego
afuego
Back
Top