
SSH Terminal and Security

Discussion in 'Plesk for Linux - 8.x and Older' started by dynaweb, Sep 27, 2005.

  1. dynaweb

    dynaweb Guest

    I have always been with the theory that providing terminal access on a shared server is not secure. I see that nowadays Plesk offers the SSH Terminal through the control panel. I am curious if this is still the case.

    I guess my question is, "On a shared web server, will providing clients with the Plesk SSH Terminal access pose any security threat; and if so, in what way?"
  2. Whistler

    Whistler Guest

    Secure shell access in itself does not pose a security threat to your shared hosting.

    If you use it combined with JAILS (jailed access) a user will only have access to his home dir and nothing else - also only have access to the tools provided in his /bin /usr etc. dirs.

    This way you can specify which programs, utils and tools a user has access to.

    Non-jailed access - will on the other hand allow the user to access all utilities and programs not secured by correct user-rights and may in this way gain access to other parts of your system - without your intention (or even you knowing).

    So - jailed access - could be a good thing to offer your users - but be aware that it might be difficult to make all tools work as expected this way and may give you more support requests.

    Non-jailed access - should really only be given to very trusted users or even be restricted to administrator only.

    Well... at least - IMNSHO. :)
  3. jamesyeeoc

    jamesyeeoc Guest

    Strict 'yes' and 'no' are really too limiting. Some shared servers no, some yes.
    Dedicated managed servers mostly no.
    Dedicated self-managed servers yes, if they need it.

    As with most things in life, there are many grey areas, many variables to consider.
  4. dynaweb

    dynaweb Guest

    I understand about the jailed shell. If it is, for the most part, safe I may consider using it. The SSH Terminal that Plesk provides in the CP, is it always in the "jailed" mode or can it be switched on and off from somewhere (like WHM has)?

    Yes, I totally agree with you there. It may be something to charge more for in order to make up for the inevitable support requests it will spawn.

    Yes, I would like for this thread to be a place to discuss these variables for consideration.

  5. Cranky

    Cranky Guest

    You can use the jailed version by selecting "/bin/bash (chrooted)" on the setup page of a domain.

    I don't currently and won't ever offer SSH access on shared servers. There are ways to secure people within chrooted environments, and there are ways to break out of them. Depending on the exact setup it's possible to make them fairly secure (such as within Virtuozzo, but that's a lot more complex than we have here) but having local users means you need to patch against all the local kernel exploits that become available in many cases as well as the remote exploits you already should. You also need to keep applications updated so that there are no security holes in them allowing a user to gain root privileges.
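
An added example, not part of the thread and not Plesk's own code: a small audit that classifies accounts by login shell, so an administrator can see which users have the jailed shell, which have no shell, and which have unjailed access as discussed above. The jailed shell path, the UID cut-off and the sample passwd lines are constructed assumptions; replace them with the values from your own server.

```shell
#!/bin/sh
# Audit login shells: who is jailed, who has no shell, who is unjailed.
# ASSUMPTION: placeholder path of the chrooted shell wrapper on this server.
JAILED_SHELL="${JAILED_SHELL:-/opt/example/bin/chrootsh}"
# ASSUMPTION: accounts below this UID are system accounts and are skipped.
MIN_UID="${MIN_UID:-1000}"

# Print "user<TAB>class<TAB>shell" for each customer account in a passwd file.
# Pass "-" to read passwd-format lines from stdin.
classify_shells() {
    awk -F: -v jail="$JAILED_SHELL" -v min="$MIN_UID" '
        /^#/ || NF < 7 { next }            # skip comments and malformed lines
        $3 < min       { next }            # skip system accounts
        {
            sh = $7
            if (sh == "") sh = "/bin/sh"   # empty field means default shell
            if (sh == jail)                      class = "jailed"
            else if (sh ~ /\/(nologin|false)$/)  class = "no-shell"
            else                                 class = "unjailed"
            printf "%s\t%s\t%s\n", $1, class, sh
        }' "${1:-/etc/passwd}"
}

# Only the accounts that can log in outside the jail.
unjailed_users() {
    classify_shells "$1" | awk -F'\t' '$2 == "unjailed" { print $1 }'
}

# Constructed sample data in /etc/passwd format (not from a real server).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/false
bob:x:1002:1002::/home/bob:/opt/example/bin/chrootsh
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:
EOF
}

# Demo on the sample; on a server run: unjailed_users /etc/passwd
sample_passwd | classify_shells -
```

An account with an empty shell field is reported as unjailed because login falls back to the default shell.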