The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Is the SSHTerm utility more secure than regular SSH access?

Discussion in 'Security' started by jols, Apr 5, 2012.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Is the SSHTerm utility more secure than regular SSH access?

    Years ago, we removed SSH access from our feature list on the advice of our security geeks because this form of access heightened the security vulnerability of the entire server.

    But of course from time to time we receive a request for ssh access and frankly I am getting tired of saying "no". So overall, my question is this - Is there a more secure method that we can allow to enable our hosted members to make command line entires to do stuff like untarring and what not?

    Thanks very much.
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    If you provide jailed shell access to those users, they should only be able to run a subset of SSH commands. Jailed shell access can be enabled in WHM > Manage Shell Access area.

    Of note, cron access allows running commands that are similar to SSH access, so if there was a security concern, crons likely would have needed to be disabled as well due to the inherent ability for crons to run commands.
     
  3. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Thanks Tristan. I have a follow up question about crons if you don't mind:

    This is a little surprising, but I just want to make sure that crons do not run commands as the server's root user, but rather, if they are set by the cron utility in the individual cPanel, whatever crons are there are run via THAT individual cPanel user. Correct? If so, then I don't see a huge problem with this. But point taken in any case. Thank you.
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Yes, cPanel account level cron jobs run as the individual user rather than as root, but if you aren't providing shell access of any sort to the user, it can be surprising to some people that crons allow the user to run commands (such as cp, mv, scp, etc.) as if the user had a shell.
     
  5. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Okay, one more related question if you don't mind.

    If we provide the SSHTerm utility in cPanels that we host, does this by default also mean that the cPanel account user could then just use putty or firessh to access their accounts via SSH?

    I would hope not, because if they have to go through their cPanels to enter ssh commands via SSHTerm, then at least this would still prevent direct/remote ssh access (using an ssh client). Yes?
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    If you provide the SSHTerm, you'd have to provide jailed shell or regular shell access for the account. Those access levels allow any SSH program to work for that user to connect to the account.
     

Share This Page