
SSH Terminal and Security


dynaweb

Guest
I have always been with the theory that providing terminal access on a shared server is not secure. I see that nowadays Plesk offers the SSH Terminal through the control panel. I am curious if this is still the case.

I guess my question is, "On a shared web server, will providing clients with the Plesk SSH Terminal access pose any security threat; and if so, in what way?"
 
Secure shell access in itself does not pose a security threat to your shared hosting.

If you use it combined with JAILS (jailed access) a user will only have access to his home dir and nothing else - also only have access to the tools provided in his /bin /usr etc. dirs.

This way you can specify which programs, utils and tools a user has access to.

Non-jailed access - will on the other hand allow the user to access all utilities and programs not secured by correct user-rights and may in this way gain access to other parts of your system - without your intention (or even you knowing).

So - jailed access - could be a good thing to offer your users - but be aware that it might be difficult to make all tools work as expected this way and may give you more support requests.

Non jailed access - should really only be given to very trusted users or even be restricted to administrator only.

Well... at least - IMNSHO. :)
 
Strict 'yes' and 'no' are really too limiting. Some shared servers no, some yes.
Dedicated managed servers mostly no.
Dedicated self-managed servers yes, if they need it.

As with most things in life, there are many grey areas, many variables to consider.
 
I understand about the jailed shell. If it is, for the most part, safe I may consider using it. The SSH Terminal that Plesk provides in the CP, is it always on the "jailed" mode or can it be switched on and off from somewhere (like WHM has)?

Originally posted by jamesyeeoc
..but be aware that it might be difficult to make all tools work as expected this way and may give you more support requests.
Yes, I totally agree with you there. It may be something to charge more for in order to make up for the inevitable support requests it will spawn.

Originally posted by jamesyeeoc
As with most things in life, there are many grey areas, many variables to consider.
Yes, I would like for this thread to be a place to discuss these variables for consideration.

Thanks
 
You can use the jailed version by selecting "/bin/bash (chrooted)" on the setup page of a domain.

I don't currently and won't ever offer SSH access on shared servers. There are ways to secure people within chrooted environments, and there are ways to break out of them. Depending on the exact setup it's possible to make them fairly secure (such as within Virtuozzo, but that's a lot more complex than we have here) but having local users means you need to patch against all the local kernel exploits that become available, in many cases, as well as the remote exploits you already should. You also need to keep applications updated so that there are no security holes in them allowing a user to gain root privileges.
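
As an added illustration (not part of the thread and not Plesk's own tooling), this check reads passwd-format data and reports which customer accounts have the chrooted shell, no shell, or a full unjailed shell. It assumes the chrooted shell wrapper is /usr/local/psa/bin/chrootsh and that customer UIDs start at 1000; the function names and the sample accounts are hypothetical.

```shell
#!/bin/sh
# Added example: classify passwd-format accounts by login shell.
# Assumptions: the chrooted shell wrapper is /usr/local/psa/bin/chrootsh
# and customer accounts have UID >= MIN_UID; adjust both for your server.
CHROOT_SHELL="${CHROOT_SHELL:-/usr/local/psa/bin/chrootsh}"
MIN_UID="${MIN_UID:-1000}"

# audit_shells FILE -> prints "STATUS user shell" for each customer account
audit_shells() {
    awk -F: -v jail="$CHROOT_SHELL" -v min="$MIN_UID" '
        /^#/ || NF < 7      { next }   # skip comments and malformed lines
        $3 + 0 < min + 0    { next }   # skip system accounts such as root
        {
            shell = $7
            if (shell == jail)
                status = "JAILED"
            else if (shell ~ /\/(nologin|false)$/)
                status = "NOSHELL"
            else
                status = "UNJAILED"    # includes an empty field, which means /bin/sh
            printf "%s %s %s\n", status, $1, (shell == "" ? "(default)" : shell)
        }' "$1"
}

# count_unjailed FILE -> number of accounts with a full, unjailed shell
count_unjailed() {
    audit_shells "$1" | awk '$1 == "UNJAILED" { n++ } END { print n + 0 }'
}

# Constructed sample input (not taken from a real server)
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:10001:1003::/var/www/vhosts/example.com:/usr/local/psa/bin/chrootsh
bob:x:10002:1003::/var/www/vhosts/example.net:/bin/bash
carol:x:10003:1003::/var/www/vhosts/example.org:/bin/false
dave:x:10004:1003::/var/www/vhosts/example.info:
EOF
}

tmp=$(mktemp)
sample_passwd > "$tmp"
audit_shells "$tmp"
echo "unjailed accounts: $(count_unjailed "$tmp")"
rm -f "$tmp"
```

On a live server, pass `/etc/passwd` to `audit_shells` and review every `UNJAILED` line against the list of users who are meant to have full shell access.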
 