
Limiting SSH (Shell)

Discussion in 'General Discussion' started by silvernetuk, Mar 5, 2003.

  1. silvernetuk

    silvernetuk Well-Known Member

    Joined:
    Sep 2, 2002
    Messages:
    311
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    United Kingdom
    Hi,

    I have been told it is possible to limit SSH (Shell) access to my clients.

    I don't really want my clients with SSH (Shell) access coming out of /home/USERNAME/ or something that will stop them cd outside of /home/USERNAME/.

    I have heard of 3 programs that can do this:
    rbash, rcsh, rksh

    Which one would be the best one? And how do I go about adding clients to them?

    Will any of the above affect Root SSH access for username: root?

    Regards,
    Garry
     
  2. pingo

    pingo Well-Known Member

    Joined:
    Nov 16, 2002
    Messages:
    430
    Likes Received:
    0
    Trophy Points:
    16
    Why not use "Manage Shell Access" in WHM to enable/disable SSH access for clients?

    John
     
  3. rbmatt

    rbmatt Well-Known Member

    Joined:
    Oct 21, 2002
    Messages:
    212
    Likes Received:
    0
    Trophy Points:
    16
    He still wants them to have access, just less than what that gives them. Some programs require shell to be installed, but shell is (IMHO) unsafe as-is.
     
  4. pingo

    pingo Well-Known Member

    Joined:
    Nov 16, 2002
    Messages:
    430
    Likes Received:
    0
    Trophy Points:
    16
    Oh - interesting. I would like to know if that is possible as well.

    John
     
  5. ozzi4648

    ozzi4648 Guest

    Neither is an option. If you give shell access users can go all over your system looking at files and private information. We just suspended somebody for it. Cpanel can't seem to give us a chroot environment to lock people into their own webspace. The subject has been hashed and rehashed time and time again with no resolution.
     
    #5 ozzi4648, Mar 7, 2003
    Last edited by a moderator: Mar 8, 2003
  6. silvernetuk

    silvernetuk Well-Known Member

    Joined:
    Sep 2, 2002
    Messages:
    311
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    United Kingdom
    Hi,

    Where do I make a request to cpanel for them to add this feature? I also think the more people that request this, the more likely they will do it.

    Regards,
    Garry
     
  7. Juanra

    Juanra Well-Known Member

    Joined:
    Sep 22, 2001
    Messages:
    777
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Spain
    Has anyone tried the pam_chroot.so module for sshd?
     
    #7 Juanra, Mar 9, 2003
    Last edited: Mar 10, 2003
  8. Juanra

    Juanra Well-Known Member

    Joined:
    Sep 22, 2001
    Messages:
    777
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Spain
  9. Esr Tek

    Esr Tek Active Member

    Joined:
    Aug 5, 2002
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    Cpanel really needs to limit the ability of what and where ppl can go w/ SSH.

    I would think they are working on this, but can anyone confirm?
     
  10. Juanra

    Juanra Well-Known Member

    Joined:
    Sep 22, 2001
    Messages:
    777
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Spain
    I have been playing with jail on a test user account and it seems to work well. It isn't difficult to set up either, although you can't follow the install instructions to the letter because it will overwrite the user's passwd and shadow files (the ones in the user's homedir), but if you first make a backup copy of the user's homedir you can add the existing entries to the generated files.

    It first installs an initial set of basic apps and has a script that adds more programs if you need them (it tries to detect which libraries it needs and installs them as well).

    I know that this adds no extra security (at least not if you offer CGI support), but, is there any escapist around?
     
  11. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Just want to keep up to date on this topic. By the way, how do you tell whether a certain user has been moving outside his directory? I haven't opened up shop just yet, so I haven't had any experience with this stuff before.
     
  12. alterahosting

    alterahosting Member

    Joined:
    Oct 19, 2002
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    If a user has a CGI-script that "enables" SSH on their account, I don't believe chroot can do a thing about it. Correct me if I'm wrong.

    Thanks,
    Dan
     
  13. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Well there is a trick that can be done. But it takes quite a while to set up and requires some programming.

    We did this for a corporation one time (expensive).
    They wanted the level 1 admins to have limited access as to what they could do in ssh.

    So we built a menuing system, that only had certain functions built in. For example if they issued a kill command it would only kill processes started with their ID and would confirm first. Also everything was logged into the /root directory so no-one had access to it.

    We had it to the point of allowing viewing of processes and starting of applications, but denying stopping applications.

    It was very neat and probably could be re-written to fit into the cpanel arena. The way it worked is that the menu was their shell.

    So instead of their shell being /bin/bash it would be /bin/menu
    and they were locked into it.


    Just a thought.
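
The menu-as-login-shell idea from the post above, as an added example that is not the poster's code: a bash menu offering only a process listing and a confirmed kill of the caller's own processes, with every action logged. The log path, the function names and the `/proc` ownership check are assumptions of this example.

```bash
#!/bin/bash
# Added example: a menu used as the login shell (the post's /bin/menu idea).
# Assumption: MENU_LOG points at a file the menu can append to but users cannot
# read; the post kept its logs under /root, which needs a privileged helper.
LOG="${MENU_LOG:-/var/log/menu-shell.log}"
ME="$(id -un)"

log_action() {  # timestamp, user, action; a logging failure must not break the menu
    { printf '%s %s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$ME" "$*" >>"$LOG"; } 2>/dev/null || true
}

valid_pid() {  # digits only, so nothing user-typed reaches kill or the log unchecked
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

owns_pid() {  # Linux: /proc/<pid> is owned by the process's effective UID
    valid_pid "$1" && [ -O "/proc/$1" ]
}

menu_kill() {  # $1 = PID, $2 = confirmation; 0 = signalled, 1 = denied, 2 = cancelled
    if ! owns_pid "$1"; then
        valid_pid "$1" && log_action "DENY kill $1" || log_action "DENY kill <invalid>"
        return 1
    fi
    [ "$2" = y ] || { log_action "CANCEL kill $1"; return 2; }
    kill -TERM "$1" && log_action "OK kill $1"
}

menu_loop() {
    trap '' INT TSTP QUIT   # Ctrl-C / Ctrl-Z must not drop the user out of the menu
    while printf '1) my processes  2) kill one of my processes  3) logout\n> ' &&
          read -r choice; do
        case "$choice" in
            1) log_action "list"; ps -u "$ME" -o pid,etime,args ;;
            2) printf 'PID: '; read -r pid
               printf 'Kill %s? [y/N] ' "$pid"; read -r ans
               menu_kill "$pid" "$ans" || echo "not killed" ;;
            3) log_action "logout"; return 0 ;;
            *) echo "unknown option" ;;
        esac
    done
}

# Only interactive logins get the menu. Arguments are ignored on purpose, so
# "ssh host some-command" (run as "<shell> -c some-command") executes nothing.
if [ -t 0 ]; then menu_loop; fi
```

The menu only narrows what an SSH login can do; as other posts in the thread note, it does not constrain what the same account can run through CGI.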
     
  14. Juanra

    Juanra Well-Known Member

    Joined:
    Sep 22, 2001
    Messages:
    777
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Spain
    That's why I said "this adds no extra security" (as long as you allow your users to execute their own CGI scripts, which I imagine happens in 99.9% of Cpanel boxes anyway).
     
    #14 Juanra, Mar 12, 2003
    Last edited: Mar 12, 2003
  15. s3kk3y

    s3kk3y Well-Known Member

    Joined:
    Oct 12, 2002
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    Juanra,

    Can you be so kind as to write a howto install jail chroot?

    I do not allow SSH access on my servers, but I have one user that needs it.

    I have a copy of his license for security reasons, but I want to jail his access as well.
     
  16. Juanra

    Juanra Well-Known Member

    Joined:
    Sep 22, 2001
    Messages:
    777
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Spain
    I'm afraid that the way this works conflicts with Cpanel's mail system. There appear a lot of bogus email accounts when listing them in Cpanel. I haven't found a workaround yet.
     
  17. mweb

    mweb Member

    Joined:
    Mar 11, 2003
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
  18. Esr Tek

    Esr Tek Active Member

    Joined:
    Aug 5, 2002
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    I am not sure where I saw this :confused:
    www.admin0.com
    It has some good tips on securing servers from "script kiddies".

    I don't know how well it works, but gotta be better than nothing

    However it still won't solve the problem w/ SSH.

    *hint* I imagine Cpanel is working on these major security flaws w/ SSH now
     
  19. pingo

    pingo Well-Known Member

    Joined:
    Nov 16, 2002
    Messages:
    430
    Likes Received:
    0
    Trophy Points:
    16
    Thanks for the link Esr Tek :)

    John
     