  #1 (permalink)  
Old 06-19-09, 14:18
BOD Member
 
Join Date: Jun 2009
Posts: 46
jailed ssh

Is it possible to enable jailed ssh for end users in a VPS environment? Some of my clients have been requesting ssh access for a while now, but I don't want to enable access unless I'm sure it's secure. So, is it even possible for me to enable jailed ssh for users?
  #2 (permalink)  
Old 06-19-09, 19:16
BOD Member
 
Join Date: May 2009
Posts: 88

Quote:
Originally Posted by Vertigo
Is it possible to enable jailed ssh for end users in a VPS environment? Some of my clients have been requesting ssh access for a while now, but I don't want to enable access unless I'm sure it's secure. So, is it even possible for me to enable jailed ssh for users?
Well, technically you might be able to, but it's almost impossible to really do so.

There are ways to provide secure ssh though.

The trick is to make sure that everyone is using the correct permissions.

Your operating system will have all the correct permissions by default set on all the system stuff so you have no issue there.

The main issue to consider is the /home directory and all its sub-directories.

I'll go through a list with you here that will help you ensure it's secure.

1) Make sure every user is in their own group. If you have every user in the same group such as "users" it presents a problem where the users will probably be able to read other users' files. If the username is "john" place them in the group "john". The main reason for doing this is so apache (your webserver) can access the files also. Basically apache should be added to the group of each user. So like apache should be part of the apache group and the john group (along with all other users you have created).

2) Make sure that the /home directory is mode 755 (chmod 755 /home). This will prevent users from being able to edit anything in this directory.

3) Make sure no files or directories anywhere inside the /home directory have the other bit set to read, write, or execute. The best way to ensure this is to change them all at once. Issue the command: chmod -R 660 /home/*

4) To ensure that newly created files do not assume the other read and write bits, you need to specifically set umode to remove them. Umode 007 will fix this. Edit the file /etc/bashrc

You should see a section that looks like the following

Code:
if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then
        umask 007
else
        umask 022
fi
Make sure that the first umask is 007 and the second is 022.

5) Since your users probably upload/edit most of their files through FTP make sure your FTP server is also set to umask files to 007. The configuration of this depends on your FTP server of choice, so you will have to google this one (or tell me which one you use so I can show you how).

6) Make sure you follow suggestion #1

7) Educate your users. Make sure they understand that they should never set the "other" bit mode on their files or directories to anything but 0 if they don't want others possibly accessing them.

8) The last bit of security you may not realize is the webserver itself if they have access to one. If you allow your users to run PHP or Perl (or other CGI) scripts then you already have a huge security hole. Make sure you are using Suexec for all CGI scripts including PHP. The other option to secure PHP is to use suphp and Suexec for Perl and all other CGI scripts/apps.

------------

If you follow the above 8 suggestions to a tee you will have a good secure environment for you and your users with shell and web access.
__________________
Jeremy J

* Bodhost VPS Linux Account Holder
* Network Information Systems Professional
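
An audit for the checklist in the post above, as an added example that is not part of the original thread or the poster's own code. The function names are hypothetical, the passwd and group files are passed as arguments so it can be tried on a scratch tree first, and `strip_other_bits` uses the symbolic mode `o-rwx` (which changes only the "other" bits) rather than the numeric mode given in the post.

```shell
#!/bin/sh
# Added example: checks for "other" permission bits, private groups and umask.

# List entries below ROOT that still grant any permission to "other".
# Symlinks are skipped: their own mode is always rwxrwxrwx and is not enforced.
audit_other_bits() {
    find "$1" ! -path "$1" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Remove only the "other" bits below ROOT; owner and group bits are untouched,
# so directories keep the execute bit their owner and group need.
strip_other_bits() {
    find "$1" ! -path "$1" ! -type l -exec chmod o-rwx {} +
}

# Print users with UID > 99 (the same cut-off as the bashrc test) whose primary
# group is not a group named after the user.
# Arguments: passwd-format file, group-format file.
users_without_private_group() {
    awk -F: '
        NR == FNR { gname[$3] = $1; next }   # first file read: GID -> group name
        $3 > 99 && gname[$4] != $1 { print $1 }
    ' "$2" "$1"
}

# Show the permission string a newly created file gets under a given umask.
mode_under_umask() {
    ( umask "$1"; d=$(mktemp -d) || exit 1
      : > "$d/f"; ls -l "$d/f" | cut -c2-10; rm -rf "$d" )
}
```

Run `audit_other_bits /home` and `users_without_private_group /etc/passwd /etc/group` as root; empty output from both means steps 1 and 3 hold.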
  #3 (permalink)  
Old 06-20-09, 03:46
Moderator
 
Join Date: Mar 2009
Posts: 469

Quote:
Originally Posted by Vertigo
Is it possible to enable jailed ssh for end users in a VPS environment? Some of my clients have been requesting ssh access for a while now, but I don't want to enable access unless I'm sure it's secure. So, is it even possible for me to enable jailed ssh for users?
Jailed Shell offers a shell user very limited and restrictive environment.

If you're using cPanel/WHM you can enable shell access for a user from "Manage Shell Access" option.
  #4 (permalink)  
Old 06-20-09, 11:39
BOD Member
 
Join Date: May 2009
Posts: 88

Quote:
Originally Posted by Amelia
Jailed Shell offers a shell user very limited and restrictive environment.

If you're using cPanel/WHM you can enable shell access for a user from "Manage Shell Access" option.
Jailed ssh can easily be broken out of by knowledgeable users. No matter what you do you should take my suggestions. Even if you don't offer SSH access at all, if you give them web access with PHP and other cgi scripts/apps they already have full ability to do stuff they could with actual SSH.
__________________
Jeremy J

* Bodhost VPS Linux Account Holder
* Network Information Systems Professional
  #5 (permalink)  
Old 06-20-09, 22:35
BOD Member
 
Join Date: Jun 2009
Posts: 49

Yeah, cPanel's jailed ssh features aren't completely secure. I've had a shared cPanel hosting account once in the past where I was provided with jailed ssh access. Maybe they didn't set up their jailed ssh environment properly, though, since I found I was able to access stuff that I shouldn't have been able to access, and that was all by accident. Really, it was an accident. >_<

Personally, I find giving ssh access to customers in shared hosting to be too much of a risk. VPS or dedis are a different story, though.
__________________
~ squishy squishy ~
  #6 (permalink)  
Old 06-21-09, 02:11
BOD Member
 
Join Date: Jun 2009
Posts: 46

Thanks for the comprehensive and detailed guide, Jeremy! It looks like it worked and there are no complaints so far. I think I'll copy that guide down in case I'll need it again.
All times are GMT -6.