Are you giving SSH to your customers?

#1 Sun, 07/12/2009 - 05:09
xps

Hey,

The topic said it already - are you giving SSH login to your customers? I tend to say no - because they don't land in a jail - or did I miss where I can configure running jails on a Debian server?

Thanks

Sun, 07/12/2009 - 09:24
andreychek

Like yourself, a lot of people I know are leery about giving out SSH access to customers.

A way I've seen some folks handle this is to require some form of identification if a customer wants to have SSH access.

That makes a customer less likely to try anything funny, but you also have information you can hand over to law enforcement if something does happen.

Of course, just about anything a customer can do or access via SSH can also be accessed via any code they upload onto your server. The only thing SSH does is make it a bit easier.

-Eric

Mon, 07/20/2009 - 06:05
Graeme

I am testing 2 deployments of VirtualMin as a possible hosting platform at the moment, one on CentOS and one on Debian 5.

I got a message from my hosting provider this weekend after they disabled my CentOS server; they believed it had been compromised using one of the SSH accounts on one of the virtual hosts. There was foolishly a user named test (pw: test) which was involved in DoS-type activity.

My question is how much access do users get when set up by VirtualMin? I would have assumed (maybe incorrectly) that they could play with files in their home folder and maybe run a couple of scripts with similar access.

Am I being rather naive?

Mon, 07/20/2009 - 09:23 (Reply to #3)
andreychek

Users are given full access to all the files in their home directory.

Whatever access they receive beyond that is defined by the permissions set up on the server. This generally implies that users wouldn't be allowed to do things they shouldn't be doing :-)

One of the features of Virtualmin (and any other web-hosting control panel) is that it does allow Virtual Server owners and Resellers to create accounts via the web interface, if they're set up with permissions to do so.

If you want to have some added security for the passwords, I believe you can make Virtualmin double-check password strength by going into Webmin -> System -> Users and Groups -> Module Config -> Password Restrictions, and from there you can set up things like minimum password lengths.

Make sure that you test that it's working as expected before relying on it though :-)

-Eric
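An added example, not part of the original posts and not Virtualmin's own code: a small audit that lists which non-system accounts in passwd-format data can get an interactive shell, which is the access the replies above are discussing. The function name, the `min_uid` threshold, the suspect-name list and the sample entries are assumptions made for illustration.

```python
# Shells that deny interactive login on typical Linux systems.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Throwaway account names worth a second look (hypothetical list; "test" is
# the account name from the incident described in the thread).
SUSPECT_NAMES = {"test", "demo", "guest", "temp"}


def shell_accounts(passwd_text, min_uid=1000):
    """Return (name, uid, home, shell, suspect) for non-system accounts
    whose login shell permits an interactive session.

    min_uid=1000 is the Debian default for regular users; older CentOS
    releases start at 500, so adjust it for the system being audited.
    """
    findings = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry, skip rather than guess
        name, _pw, uid, _gid, _gecos, home, shell = fields
        if not uid.isdigit() or int(uid) < min_uid:
            continue
        # An empty shell field means the system default (/bin/sh): interactive.
        if shell in NON_LOGIN_SHELLS:
            continue
        findings.append((name, int(uid), home, shell or "/bin/sh",
                         name.lower() in SUSPECT_NAMES))
    return findings


# Constructed sample input, not taken from any real server.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
example:x:1001:1001::/home/example:/bin/bash
test:x:1002:1002::/home/example/homes/test:/bin/sh
mailonly:x:1003:1003::/home/example/homes/mailonly:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for name, uid, home, shell, suspect in shell_accounts(SAMPLE):
        flag = "  <-- review" if suspect else ""
        print(f"{name:10} uid={uid:<6} {shell:10} {home}{flag}")
```

To audit a real host, pass the contents of `/etc/passwd` instead of `SAMPLE`.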

Mon, 07/20/2009 - 08:31
xps

If they have SSH access they have the same kind of access as you have - only stopped by hopefully not knowing the root pass and hopefully not being able to hack it.

(I know it's not 100% true - but you should think that way tbh)

Mon, 07/20/2009 - 10:11
xps

Hey Eric,

I assumed he's giving SSH access to the users :)

Topic locked