• Howdy! Welcome to our community of more than 130.000 members devoted to web hosting. This is a great place to get special offers from web hosts and post your own requests or ads. To start posting sign up here. Cheers! /Peo, FreeWebSpace.net
managed wordpress hosting

To SSH Or Not To SSH?

A

azoundria

New Member
Hi guys,

I'm considering offering Jailed SSH to a limited number of clients of our free hosting, mostly because I've learned that Ruby on Rails wont work without it.

I would like to know what the absolute maximum damage a Jailed SSH account can do to a server is. So I would appreciate if you guys could tell me everything you know about what someone could do with this type of access.

Thanks for your help.
 
You're fairly safe as far as what they can access goes. It's considered generally safe for paid hosting, so if you are screening your users there shouldn't be a problem.
 
So long as you heavily lock down your permissions, heavily screen your users you should be ok. However if it were me, i would require some type of ID to be faxed in.
 
Okay,

Say we're letting a highly intelligent tech-savvy religious extremist onto a server they know is inhabited by people who vehemently oppose their religion...

What kinds of things are they going to be able to do to compromise the security of said server, with Jailed SSH access?

I am looking for specific risks I should be aware of in the worst case scenario.

(No, I'm not letting a highly intelligent tech-savvy religious extremist onto the server, but I would like to maintain a system secure enough that I could.)
 
Well to be a bit more specific, once you chroot jail an SSH session, you're dealing with a command line that basically cannot do anything yet. Because of this, you will have to copy the apps you want them to have access to over to their directory. This is a blessing and a curse, it means you have to anticipate every possible application they would need to run, but also do not have to worry about blocking everything you think they could abuse because if you do not make it available, it's not.
 
Okay, so nobody can do anything unusual with jailed SSH unless given the application to do it?

And all one needs to watch is the applications they give?

Why do so many hosts not offer SSH access at all?
 
Why do so many hosts not offer SSH access at all?
Click to expand...

Just in case something goes boom and your server gets ----ed? If it's not required by the hostee for a legit reason, then don't give it by default.
 
Yes and no. The thing is, with most scripting languages offering a "system" command, you can essentially do anything you could at a shell prompt right in a php script. This is even scarier than offering SSH, as at least with SSH2, you're dealing with an encrypted program. With a php script, unless you're utilizing https you are sending unencrypted data which could be sniffed along the way.

In the end, I think the biggest reason they do not offer SSH is a combination of leftover fears from telnet's insecurities, and the fear that a user is going to do something like compile a resource monster if they give them something like gcc.
 
I see,

I'm asking because there seems to be two types of people:

1) "Of course you can't expect SSH. Are you stupid?!?"

2) "I need SSH. Why can't you offer me?"

Nobody from the first type has ever explained their rationale, and I can't really trust the second type - they are the ones who want the access in the first place.
 
Their is people, like me, who rather have SSH access with a package because its easier to remove things etc than using ftp.
 
azoundria said:
I see,

I'm asking because there seems to be two types of people:

1) "Of course you can't expect SSH. Are you stupid?!?"

2) "I need SSH. Why can't you offer me?"

Nobody from the first type has ever explained their rationale, and I can't really trust the second type - they are the ones who want the access in the first place.
Click to expand...

I agree completely on the second bit, and it's not necessarily malicious intent, they just may not know what potential dangers there are. As for the people who do not want to give out SSH, I think they're probably talking about a regular SSH account, not a jailed account. Regular accounts can generally compile programs, execute commands, and do all sorts of other things. Not that you can't cause the same damage through a script, but it adds a layer of difficulty to accidentally messing up the server through compiling something like an IRC daemon that fork bombs.

I see someone gave me a negative rep for my last post of "get the facts right b4 u talk." I welcome "u" to correct me ;)
 
You must log in or register to reply here.
Back
Top