shell accounts

    Quote from Cool


    @maur
    i don´t think that will be good idea overall.


    if a user need help then he allways can give a temporary ftp access to that person. so not more easy than that.


    Ohhhh.
    I'm not alone with this.
    Shell (if enabled for reseller) is far more usable then ftp. not saying about copying login, passwords etc.
    apart of that - I have few resellers which are taking care of domain for their customers. Some kind of lite support. Call it what you want - point is customer are not login into panel even and if my reseller would tell them "create account for me and I will change/fix it".. ;)
    Anyway - I think it's better to have some idea, solution for it, then don't.
    It can be optional (access to users of reseller files), or optional can be some post-add-domain hook which will remove it - I don't care which way.


    Maybe I gave you somewhere bad idea - but I'm not forcing this solution as some universal default behaviour.
    Users will be separated from domain names - this is settled already - and after that I can enable shell access, adjust permissions and so on so on in the plugin, so.. so here, I just wanted to talk, maybe someone have better ideas how to solve this issue which I need (and maybe someone else needs it too)




    Sorry if I sound not nice, I just have hard monday. ;)

    For the record:


    Since the begin I let you talk but now, I'll give my opinion.


    I'm against using sudo to provide ssh access. I prefers a global chroot environment with busybox as wrapper to provide set of commands (or a script that copy a defined list of commands). You must not forget that we are in shared hosting environment. I've never seen one panel that implement such kind of feature by simply using sudo and some permissions. Now, as I say, it's only my opinion.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

    SSH key for online support
    Quote from Nuxwin


    For the record:


    Since the begin I let you talk but now, I'll give my opinion.


    Thank you. ;-)


    Quote from Nuxwin


    I'm against using sudo to provide ssh access I prefers a global chroot environment with busybox as wrapper to provide set of commands (or a script that copy a defined list of commands). You must not forget that we are in shared hosting environment. I've never seen one panel that implement such kind of feature by simply using sudo and some permissions. Now, as I say, it's only my opinion.


    I'm not forgeting this, that's one of the main reasons I started this thread to hear your thoughts. Because 1 you trust your shared users less then I trust mine, 2 different hostings, different needs. ;)
    If nobody needs feature to access users accounts from reseller as an option - then no problem, I will make myself a plugin and do not even think about changing anything in current version. :-)


    (Still, if someone will have better idea than sudo/ssh user@localhost/ I'd appreciate letting me know this idea)


    Sound like you take my sentence bad... Do not.. It's just my opinion. ;)

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

    SSH key for online support
    Quote from Nuxwin


    Sound like you take my sentence bad... Do not.. It's just my opinion. ;)


    I took bad a little bit part about allowing me to say ;) But nothing more, trust me. :-)


    It's just I don't want too much offtopic since I noticed in some other threads it happens few times.;) And I'm still thinking about possible solution.



    Backing to the topic: ssh keys would allow also nicely test some problems with jails or chrooted ssh or sftp accounts only. Just small feature.

    In my opinion, shell access is absolutely dangerous. If you like to add such a feature, maybe you'll consider also to give the administrator a posibility (at the install or from the GUI, I don't know) to say "stop" to this feature. Again, in my opinion, it's a big security hole.

    Quote from Energymedia


    In my opinion, shell access is absolutely dangerous. If you like to add such a feature, maybe you'll consider also to give the administrator a posibility (at the install or from the GUI, I don't know) to say "stop" to this feature. Again, in my opinion, it's a big security hole.


    Yeah, it will be just an option to some trusted users, second option will be some restricted/chrooted/jailed shell, but default will be no shell :)


    Security hole, depends, I want to give it to a few developers I trust and have on server. ;)
    So don't worry :D

    Being able to offer shell access to a user would be a great feature, if done correctly so that security is less of a concern (i agree, chroot environments are better)


    The options needed would be, # of shell access accounts. and # of persistent running processes per account.


    I remember someone made something for ispcp that created shell accounts for ftp users. This was a great little hack, however, I never was able to get it working correctly on Ubuntu (though I run debian squeeze now and have not tried it.), and didn't have time to fix the problems. It may work flawlessly on debian.


    Does anyone remember this?: http://isp-control.net/forum/thread-7948.html


    I think it is a good start, and we could work from there possibly.

    Edited once, last by anarking ().

    Patching openssh is still a no go. If ssh has added support for it in vanilla openssh-server, or another stock ssh server that is available on debian it might be worth a look.


    Personally, I prefer ssh keys. You can load multiple public keys to an acct. They are not passwords, so you are not giving away passwords.


    Keys are also flexible, it is possible to change the shell based on which key is passed. Indefero git hosting does something like this in order to limit ssh users to only git operations and the like.


    Might be something to explore there.