ssh support

[joubertredrat]

Hi guys,

I'm looking here, why not ssh support to sentora? I think that is good idea to implement ssh chroot jail on accounts to provide ssh access.
Then, user can create N ftp accounts, can be create N ssh accounts too.

What do you think? good idea? let's discuss

[elijahbate]

I don't understand why you'd want to put in a "potential" major security hole, for the sake of letting users create ftp accounts...

Is there any other reason for ssh access?
Elijah

[apinto]

This is actually some interesting feature, but needs to be done with very care because it can expose the whole server if a mistake is made.

But to answer joubertredrat question about "why not?" I can tell almost for sure that this is not essential, can create other critical issues and will steer the dev team from the main objective of sentora.

I vote for this, but as a module, not on core sentora.

[joubertredrat]

I don't understand why you'd want to put in a "potential" major security hole, for the sake of letting users create ftp accounts...

Is there any other reason for ssh access?
Elijah

Is normal to use ssh on hosting to install or manage applications, PHP as example, you can need to run composer do get dependences or wget to download source to run application.

This is actually some interesting feature, but needs to be done with very care because it can expose the whole server if a mistake is made.

But to answer @[joubertredrat] question about "why not?" I can tell almost for sure that this is not essential, can create other critical issues and will steer the dev team from the main objective of sentora.

I vote for this, but as a module, not on core sentora.

Yes, can be a module, I can develop this and test here and if works, I publish for test.

[elijahbate]

I've just never seen that in a standard shared hosting environment.
I can understand the benefits that way but just I would think most people that would do that would get a cloud or vps hosted or pre deploy

Elijah

[TGates]

I have no idea how you think this would work with Sentora. The current server permissions do not allow for this. How would you manager to lock each person down to their own folders? Each SSH user would need their own account on the server. Me.B can shed some more light on this topic.

[apinto]

elijahbate Actually a lot of shared host providers give SSH access to some degree (HostGator for example).

But this really needs tight control.

[Me.B]

Sandboxing SSH is not an easy task and you would check any guides over hardening CPANEL and you will see first requirement don't ever provide SSH.

We can provide TLS for FTP without having to move offer SSH that will require first of all setting a USER on the box per account created while here we are using virtual users that don't even exist or have permissions on the server and use sandboxing for each service ( ftp/apache/php).

I don't like the idea to offer SSH in shared hosting. Currently VPS like openVZ offer more suitable sandboxing for the low end and you can get rock solid sandboxing using full VM hypervisors like xen/hyperV/Vmare.

M B

[joubertredrat]

I have no idea how you think this would work with Sentora. The current server permissions do not allow for this. How would you manager to lock each person down to their own folders? Each SSH user would need their own account on the server. @[Me.B] can shed some more light on this topic.

Because this I saw ssh chroot jail, not pure ssh.

With chrooted jail is possible to create minimal and isolated environment.

http://www.sdri.co.jp/rssh/CHROOT_en.html 

https://www.debian.org/doc/manuals/secur...nv.en.html
http://allanfeid.com/content/creating-ch...ssh-access


I will see if I have time to develop a small alpha to show this working on sentora.

[TGates]

Because this I saw ssh chroot jail, not pure ssh.

With chrooted jail is possible to create minimal and isolated environment.

http://www.sdri.co.jp/rssh/CHROOT_en.html 

https://www.debian.org/doc/manuals/secur...nv.en.html
http://allanfeid.com/content/creating-ch...ssh-access


I will see if I have time to develop a small alpha to show this working on sentora.

Ok, that would be cool!