Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

Forums
Forums

Quick Links
- Search Forums
- New Posts
Search titles only

Posted by Member:

Separate names with a comma.

Newer Than:

Search this thread only

Search this forum only

Display results as threads

More...

Useful Searches

Recent Posts
Resources
Resources

Quick Links
Feature Requests
Defects
Menu

This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Is the SSHTerm utility more secure than regular SSH access?

Discussion in 'Security' started by jols, Apr 5, 2012.

jols Well-Known Member

Joined:

Mar 13, 2004

Messages:

1,111

Likes Received:

2

Trophy Points:

168

Is the SSHTerm utility more secure than regular SSH access?

Years ago, we removed SSH access from our feature list on the advice of our security geeks because this form of access heightened the security vulnerability of the entire server.

But of course from time to time we receive a request for ssh access and frankly I am getting tired of saying "no". So overall, my question is this - Is there a more secure method that we can allow to enable our hosted members to make command line entires to do stuff like untarring and what not?

Thanks very much.

#1 jols, Apr 5, 2012
cPanelTristan Quality Assurance Analyst
Staff Member

Joined:

Oct 2, 2010

Messages:

7,609

Likes Received:

31

Trophy Points:

238

Location:

somewhere over the rainbow

cPanel Access Level:

Root Administrator

If you provide jailed shell access to those users, they should only be able to run a subset of SSH commands. Jailed shell access can be enabled in WHM > Manage Shell Access area.

Of note, cron access allows running commands that are similar to SSH access, so if there was a security concern, crons likely would have needed to be disabled as well due to the inherent ability for crons to run commands.

cPResources: Support Options | More Support Options | Forums Search | cPanel.net Site Search | Mailing Lists(Alt) | Docs
-- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support

Submit a ticket | Check an existing ticket

#2 cPanelTristan, Apr 6, 2012
jols Well-Known Member

Joined:

Mar 13, 2004

Messages:

1,111

Likes Received:

2

Trophy Points:

168

cPanelTristan said: ↑

If you provide jailed shell access to those users, they should only be able to run a subset of SSH commands. Jailed shell access can be enabled in WHM > Manage Shell Access area.

Of note, cron access allows running commands that are similar to SSH access, so if there was a security concern, crons likely would have needed to be disabled as well due to the inherent ability for crons to run commands.
Click to expand...

Thanks Tristan. I have a follow up question about crons if you don't mind:

This is a little surprising, but I just want to make sure that crons do not run commands as the server's root user, but rather, if they are set by the cron utility in the individual cPanel, whatever crons are there are run via THAT individual cPanel user. Correct? If so, then I don't see a huge problem with this. But point taken in any case. Thank you.

#3 jols, Apr 6, 2012
cPanelTristan Quality Assurance Analyst
Staff Member

Joined:

Oct 2, 2010

Messages:

7,609

Likes Received:

31

Trophy Points:

238

Location:

somewhere over the rainbow

cPanel Access Level:

Root Administrator

Yes, cPanel account level cron jobs run as the individual user rather than as root, but if you aren't providing shell access of any sort to the user, it can be surprising to some people that crons allow the user to run commands (such as cp, mv, scp, etc.) as if the user had a shell.

cPResources: Support Options | More Support Options | Forums Search | cPanel.net Site Search | Mailing Lists(Alt) | Docs
-- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support

Submit a ticket | Check an existing ticket

#4 cPanelTristan, Apr 8, 2012
jols Well-Known Member

Joined:

Mar 13, 2004

Messages:

1,111

Likes Received:

2

Trophy Points:

168

Okay, one more related question if you don't mind.

If we provide the SSHTerm utility in cPanels that we host, does this by default also mean that the cPanel account user could then just use putty or firessh to access their accounts via SSH?

I would hope not, because if they have to go through their cPanels to enter ssh commands via SSHTerm, then at least this would still prevent direct/remote ssh access (using an ssh client). Yes?

#5 jols, Apr 14, 2012
cPanelTristan Quality Assurance Analyst
Staff Member

Joined:

Oct 2, 2010

Messages:

7,609

Likes Received:

31

Trophy Points:

238

Location:

somewhere over the rainbow

cPanel Access Level:

Root Administrator

If you provide the SSHTerm, you'd have to provide jailed shell or regular shell access for the account. Those access levels allow any SSH program to work for that user to connect to the account.

cPResources: Support Options | More Support Options | Forums Search | cPanel.net Site Search | Mailing Lists(Alt) | Docs
-- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support

Submit a ticket | Check an existing ticket

#6 cPanelTristan, Apr 15, 2012

(You must log in or sign up to post here.)

Share This Page