Fellow Admins,

Please share your experiece/views on whether shell access should make an admin nervous.

What sort of things can users do in a Jailed shell?
How would you track a naughty user?

Would you disable shell access globally if you find one of your users is doing somthing beyond their /home?

Thanks

Don't allow it if you don't need to. Right now, none of my users have any ssh accounts. I've had a couple people ask me if they can have ssh, and I ask why, and the never have legitimate reasons (one guy said he'd need root to run his scripts...okay buddy). Unless the users have a valid reason for it, there's no sense in giving it to them.

I agree. I don't enable shell access by default and have separate terms and conditions for shell access, but never though of asking users to justify their need for it.

Very useful comment.

ok

again
that's not that you can do using SSH that you can't do using Perl/PHP/Python/C/crontab

big discussion here:
http://www.webhostingtalk.com/showthread.php?s=&threadid=276902

If you setup the jail right, you don't have to worry.

You should have your permissions setup so no one can access (besides executing standard programs like their shell, etc.) the files outside of /home.

I block off SSH to everyone but myself by putting my IP in hosts.deny. If someone wants jail, they have to give me a static IP that I can allow into the server.

Originally posted by 2uantuM
I block off SSH to everyone but myself by putting my IP in hosts.deny. If someone wants jail, they have to give me a static IP that I can allow into the server.

You mean hosts.allow I hope.

Chris

Originally posted by EMT-Chris
You mean hosts.allow I hope.

Chris

lol. Keeping your systems safe - From you.

No, hosts.deny.. for example:

sshd: ALL EXCEPT 204.186.0.*

You could use hosts.allow,yeah, but it doesn't matter.

Originally posted by 2uantuM
No, hosts.deny.. for example:

sshd: ALL EXCEPT 204.186.0.*

You could use hosts.allow,yeah, but it doesn't matter.

I suppose thats true, however from my perspective, that seems unorganzed in the sense that you're allowing traffic in a document labled to deny traffic.

Whatever floats your boat I guess. :D

Chris

Plugging in the ethernet cable makes me nervous, everything after that is just "more fuel on the fire". If I had my way php would be safe mode/phpsuexec/jailed, no cgi other than that, no shell at all but customers wouldn't be happy about that :)

Originally posted by Dixiesys
Plugging in the ethernet cable makes me nervous

Heehee.. I hear that!

Chris

The power makes me nervous. What about you?