SSH

Discussion in 'General Discussion' started by purplepaws, Jan 26, 2002.

  1. purplepaws

    Hi,

    I am starting to sell reseller accounts but am concerned about SSH access.

    Is it correct that when you give SSH access to an account they can move around the entire server via SSH? This way they can see all the other accounts on the server!

    I know there isn't a way of removing the option for resellers to enable SSH for a resold account but is there a way to disable telnet/SSH access server wide except for the root user?

    Sorry if I am being a bit thick here.

    Cheers.
     
  2. kosmo

    I have chmod 711 /home/

    All new accounts /home/user are automatically chmod 711.

    Other users still can read any public file if they know the exact /path/to/file.ext (for example /home/user/public_html/index.html).

    But they get a "permission denied" if they try to get another user's directory listed. And if they use wildcards trying to guess filenames, it won't work either.

    kosmo
     
  3. Craig

    Just edit the /etc/passwd and change all users that you don't wish to grant ssh access to:
    /usr/local/cpanel/bin/noshell

    Other than that, the only thing to do is to do what kosmo said and chmod the home dirs.

    C.
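
Added example, not part of the thread or of cPanel's own tooling: a bash audit of the two measures from the posts above, listing accounts whose passwd shell still permits login and home directories that other users can list. The UID cutoff of 500, the extra no-login shells and the sample accounts `alice` and `bob` are assumptions; `stat -c` assumes GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit login shells and home-directory modes.

# Shells that deny login. The cPanel noshell path is the one quoted in the thread;
# the other three are common non-interactive shells (assumption).
NOLOGIN_SHELLS="/usr/local/cpanel/bin/noshell /sbin/nologin /usr/sbin/nologin /bin/false"

# Print "user:shell" for accounts with UID >= $2 (default 500, an assumption)
# in passwd-format file $1 whose shell still allows an interactive login.
shell_accounts() {
    awk -F: -v min="${2:-500}" -v deny="$NOLOGIN_SHELLS" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) no[d[i]] = 1 }
        /^#/ || NF < 7 { next }
        # An empty shell field means the system default shell, so it counts as a login.
        $3 >= min && !($7 in no) { print $1 ":" ($7 == "" ? "(default)" : $7) }
    ' "$1"
}

# Return 0 if "other" users hold the read bit on directory $1 and can list it.
# chmod 711 clears that bit but keeps execute (traverse), so known paths still open.
others_can_list() {
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    (( 8#${mode: -1} & 4 ))
}

# Print $1 and each directory directly below it that other users can list.
listable_homes() {
    local d
    for d in "$1" "$1"/*/; do
        [ -d "$d" ] && others_can_list "$d" && printf '%s\n' "${d%/}"
    done
    return 0
}

# Constructed sample data: a passwd file and a home tree in a temp directory.
make_sample() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/home/alice" "$t/home/bob"
    chmod 711 "$t/home" "$t/home/alice"; chmod 755 "$t/home/bob"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:501:501::/home/alice:/usr/local/cpanel/bin/noshell' \
        'bob:x:502:502::/home/bob:/bin/bash' > "$t/passwd"
    printf '%s\n' "$t"
}

sample=$(make_sample)
shell_accounts "$sample/passwd"   # accounts that can still log in
listable_homes "$sample/home"     # directories other users can list
rm -rf "$sample"
```

On a real server, call `shell_accounts /etc/passwd` and `listable_homes /home` instead of using the sample.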
     
  4. purplepaws

    Hi,

    Okay I can see how to edit the /etc/passwd file.

    I don't really understand about CHMOD'ing the /home. Do I have to do this to just the /home dir?
     
  5. hedgehog

    All you need to do is log in via SSH and then

    # chmod 711 /home/

    That should get the trick done.

    Hedgy
     
  6. purplep

    Hi,

    CHMOD'ing the home dir.

    Do I need to do this just once or every time an account is created?

    Thanks.
     
  7. ehsan

    Guys, if we do chmod 711 for /usr /home /xxx /boot /sbin /bin /var /etc /lib /....
    it won't make any problem for scripts or users?
    We want to limit the access of users in SSH; right now they can look around and that makes me afraid...
    Or is there any other better way to limit the user to stay just in his root?
     
  8. feanor

    IMHO, you will have problems.
    You can tighten down certain areas, but if you meddle with the contents of /etc, and /usr and /var... and things within, you will damage the functionality of vital services unless you do a VERY thorough job.

    This is always a catch-22.
    If you are going to allow users to ssh in, your best defense is to have diligent admins running around your shared hosting machines with them.

    Keep an eye on the kidz and wall threatening things every so often and then you'll be the scariest creature in the galaxy.
     
  9. ehsan

    So there is no way to force them to stay just in their dir?
    I won't give shell access to anybody in that case!
    One client on his first day was trying to run all scripts in /sbin ;)
     
  10. moronhead

    Originally posted by ehsan:

    > So there is no way to force them to stay just in their dir?
    > I won't give shell access to anybody in that case!

    Let's be honest... Of course there are ways to force users to stroll strictly in their home dir, but you may not be able to get that info in this forum. It is a kind of well-guarded secret. I don't think people will be willing to give away that type of competitive data. ;)

    Put a search in Google or try to visit the Linux tutorial sites for an answer.
     
  11. zex

    Well, the only way to keep users from looking around the system is to implement a few methods of securing the system, like patching the kernel with grsecurity patches and putting users in a chrooted environment (they will see only their dir and nothing else), or giving users a restricted Bash shell (rbash); actually that is normal bash but started with the option -r.

    Making a chrooted environment is very difficult and in most situations is not worth the time that you will spend on something like that. Not to mention all the kinds of problems you will have making the rest of the services/daemons work.

    On the other hand, restricted bash is a pretty efficient way to stop users from snooping around; in combination with proftpd with DefaultRoot ~ it is definitely one of the best ways to prevent someone from seeing how many domains you have.
    On the other hand, that will probably not stop some user script that is executed to list directories or to cat /etc/passwd.
    BTW, putting chmod 711 on the /etc/, /home and /usr dirs will not harm cPanel. I've already checked that.
     