Is the SSHTerm utility more secure than regular SSH access? Years ago, we removed SSH access from our feature list on the advice of our security geeks because this form of access heightened the security vulnerability of the entire server. But of course from time to time we receive a request for ssh access and frankly I am getting tired of saying "no". So overall, my question is this - Is there a more secure method that we can allow to enable our hosted members to make command line entires to do stuff like untarring and what not? Thanks very much.
If you provide jailed shell access to those users, they should only be able to run a subset of SSH commands. Jailed shell access can be enabled in WHM > Manage Shell Access area. Of note, cron access allows running commands that are similar to SSH access, so if there was a security concern, crons likely would have needed to be disabled as well due to the inherent ability for crons to run commands.
Thanks Tristan. I have a follow up question about crons if you don't mind: This is a little surprising, but I just want to make sure that crons do not run commands as the server's root user, but rather, if they are set by the cron utility in the individual cPanel, whatever crons are there are run via THAT individual cPanel user. Correct? If so, then I don't see a huge problem with this. But point taken in any case. Thank you.
Yes, cPanel account level cron jobs run as the individual user rather than as root, but if you aren't providing shell access of any sort to the user, it can be surprising to some people that crons allow the user to run commands (such as cp, mv, scp, etc.) as if the user had a shell.
Okay, one more related question if you don't mind. If we provide the SSHTerm utility in cPanels that we host, does this by default also mean that the cPanel account user could then just use putty or firessh to access their accounts via SSH? I would hope not, because if they have to go through their cPanels to enter ssh commands via SSHTerm, then at least this would still prevent direct/remote ssh access (using an ssh client). Yes?
If you provide the SSHTerm, you'd have to provide jailed shell or regular shell access for the account. Those access levels allow any SSH program to work for that user to connect to the account.
