Results 1 to 37 of 37
  1. #1

    Question Is ssh important to end users?

    Hello all,

    I've been reading everything in this great forum for the last week to gain more knowledge about this business and to help me choose a host. One of the features of a host I definitely want is end user support. I have a software background, but I think this will still very helpful to a newbie like me. Requiring end user support does greatly limit the choice of hosts. With the hosts that are left, it seemed for me that jodohost would be best for me. In addition to end user support, they also offer both Windows and Linux platforms, good choice of databases, unlimited Cold Fusion users, and good reviews on this forum.

    However, the one thing that they do not offer is ssh (except for VPS). As a software engineer (and a Linux guy), I personally couldn't imagine doing any kind of work on a remote host without access to ssh. But again that is just me. I know that a client can open a ticket with jodohost to have ssh tasks done for them, but this seems a little inconvenient for the client. I wanted to ask all you currently in the reselling business if this a serious limitation. Do end users frown on not having this capability (ssh), or do most not really care? If this is really a negative, I may look at other hosts with end user support as well as ssh such as HostingZoom instead.

    Thanks for all the help.

  2. #2
    Join Date
    May 2002
    Location
    Modesto, CA
    Posts
    3,414
    It really depends on the skill and level of competency of the customer. If the customer has design skills mostly they will not balk at not having SSH. If they do ANY kind of programming it's a requirement of theirs.

    Overall if you're close to your customer (Work with them) you can have policies for both types. Temporary shell after small background check, permanent shell if you trust em', no shell or limited shell that you monitor and eventually disable.

    It really depends on how closely you want to be to your customers and how tight you want to run your servers on how long, how many, and at what level they are given SSH access.
    dotGig
    <:<: [Fruit eating linux administrator]

  3. #3
    Hi Samuel,

    Thanks for the reply.

    If my host does not offer ssh, then neither can I as a reseller offer ssh to my clients. That is my understanding. Is that correct?

  4. #4
    Join Date
    May 2002
    Location
    Modesto, CA
    Posts
    3,414
    That is correct. The reseller (Under Cpanel) either has the ability to create accounts with SSH access, or the ability to create accounts with SSH access AND packages that offer SSH access.

    I'm assuming that those that don't offer SSH either don't intend to monitor the servers to the point of wanting to take the risk, or they just don't want the headache. We are small enough that we take each customer on a case by case basis but then that's at issue here. How much is the host willing to take a chance on you giving you ssh access.

    Since 2001 the majority of exploits come from worm attacks on outdated PHP scripts using a weak /tmp /var/tmp directory. If monitored even those exploits really don't go anywhere.

    It is so easy to do damage without SSH access that its an apples and oarnges thing. If they can do just as much damage without SSH then it comes down to the diligence you show to monitoring the services.
    dotGig
    <:<: [Fruit eating linux administrator]

  5. #5
    As you said, if ssh is monitored properly it shouldn't be an issue to a reseller. I guess some resellers still don't want to take a risk. There may also be a privacy issue. However, as you said, anyone doing any type of programming will need ssh, so I'm inclined to go back and reevaluate resellers that offer both end user support and ssh.

    Thanks for the help.

  6. #6
    Join Date
    May 2002
    Location
    Modesto, CA
    Posts
    3,414
    Not a problem, I hope you find what you're looking for, there's nothing better than SSH for managing large databases. In fact it's about the only way in Linux efficiently.
    dotGig
    <:<: [Fruit eating linux administrator]

  7. #7
    Yes, I agree. That is why I was a little surprised when I saw that Jodohost offered great databases (Oracle, MS SQL, MySQL, PgSQL) but no ssh support.

  8. #8
    Join Date
    May 2002
    Location
    Modesto, CA
    Posts
    3,414
    Hrm, odd, like buying a ferrari with a volkswagen engine.
    dotGig
    <:<: [Fruit eating linux administrator]

  9. #9
    Join Date
    Dec 2004
    Location
    San Francisco, CA
    Posts
    1,905
    There is nothing that can be done with SSH that you won't be able to achieve on our servers with our support and our control panel. We have many many linux customers that are developers and designers that are hosting popular sites without requiring any SSH access at all.

    The reason we do not allow SSH access is not because we do not monitor our servers, that's ridiculous. Our servers are significantly locked down and we do practise the highest levels of security. Any good security expert tells you that the more number of security layers there are, the better it is. Disallowing external or remote SSH access adds another security blanket around our servers and network.

    SSH when allowed leaves servers open to potential probing and abuse. We feel that we'd rather reject the few rare customers that require SSH in order to provide a safe, secure and stable hosting experience to the rest of our customers.
    init.me - Build, Share & Embed

    JodoHost.com - Windows VPS Hosting, ASP.NET and SQL Server Hosting
    8th year in Business, 200+ Servers. Microsoft Gold Certified Partner

  10. #10
    Join Date
    May 2002
    Location
    Modesto, CA
    Posts
    3,414
    Can your control panel handle a 300mb database? Believe me it wasn't an attack to your procedures, I also qualified my statements by stating I am assuming, in other words I didn't want to put much thought into your procedures.

    From experience the only viable way to deal with large databases is with SSH, or... if you're sitting at the server with a CD Burner.
    dotGig
    <:<: [Fruit eating linux administrator]

  11. #11
    Join Date
    Dec 2004
    Location
    San Francisco, CA
    Posts
    1,905
    Well, phpMyAdmin may not be able to restore a 300 mb database, but you can upload it your FTP account, talk with tech support over live chat right away and get the database restored within 15 minutes.

    You can perform any database operation except backup and restoration easily through the CP. Backups are made every 24 hours by us anyway so you could always request a dump or restoration whenever you may need through support.

    Disallowing SSH removes alot more potential security threats than many people realise...
    init.me - Build, Share & Embed

    JodoHost.com - Windows VPS Hosting, ASP.NET and SQL Server Hosting
    8th year in Business, 200+ Servers. Microsoft Gold Certified Partner

  12. #12
    Join Date
    May 2002
    Location
    Modesto, CA
    Posts
    3,414
    Ok, so I was right. A programmer would indeed need external support. You're contradicting yourself now and trying to make me look like a fish out of water. Please retract what you said or give me a cookie. Chocolate chip no less!
    dotGig
    <:<: [Fruit eating linux administrator]

  13. #13
    My reseller doesnt allow SSH due to the security aspect, but I can still use the php shell_exec() function
    I guess this is an oversight by the hosting company, but it helps me a bit!

  14. #14
    Join Date
    Dec 2004
    Location
    San Francisco, CA
    Posts
    1,905
    Originally posted by Samuel
    Ok, so I was right. A programmer would indeed need external support. You're contradicting yourself now and trying to make me look like a fish out of water. Please retract what you said or give me a cookie. Chocolate chip no less!
    I never contradicted myself. Re-read what I said:

    "There is nothing that can be done with SSH that you won't be able to achieve on our servers with our support and our control panel."

    How many developers have 300MB databases? Unless the database is very large, there are very very few things that cannot be done with the control panel. And those very very few things that may not be done via the CP would be needed by a very very few people. And in those cases, i'm sure they'd find support very helpful
    init.me - Build, Share & Embed

    JodoHost.com - Windows VPS Hosting, ASP.NET and SQL Server Hosting
    8th year in Business, 200+ Servers. Microsoft Gold Certified Partner

  15. #15
    Join Date
    May 2002
    Location
    Modesto, CA
    Posts
    3,414
    Different perspective, different customer base. How many developers have 300mb databases? You're asking me? I'm going to have to now clarify, enough to justify SSH access to them. Again, its up to your procedures what level of access you allow. Lots of differences here.
    dotGig
    <:<: [Fruit eating linux administrator]

  16. #16
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    The question presented was, "Is ssh important to end users?"

    I would say, "Not to the majority of Clients with any Hoster."

    I would also agree that not providing SSH access as a default feature is no big thing. Sure, there are some things that a person familiar with SSH would find easier to do or more convientent but as stated, with Basic Hosting features and help from Support, 99% of Clients do not need nor want SSH access.

    For those that do it's a matter of opening a dialogue with the Hoster to discuss details, same as any other Support issue. Some Hosters do not provide SSH at all, for any reason, and some do after a relationship has been built. The only way to know for sure is to ask.
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available

  17. #17
    Join Date
    Dec 2004
    Location
    San Francisco, CA
    Posts
    1,905
    and trying to make me look like a fish out of water
    haha
    I'm not trying to make you look bad, I am sorry if I came off that way. You as a company are free to practise policies that have worked for you. But if someone has questioned our policy, I surely would defend it
    init.me - Build, Share & Embed

    JodoHost.com - Windows VPS Hosting, ASP.NET and SQL Server Hosting
    8th year in Business, 200+ Servers. Microsoft Gold Certified Partner

  18. #18
    Join Date
    May 2002
    Location
    Modesto, CA
    Posts
    3,414
    Cheers! I think the thread though has focused what fairfax was after, and that ultimately is why I'm here. These services are complicated, it's good for customers to see things from all sides to make the best decision for themselves.

    I still want a chocolate chip cookie =( (Digs in the kitchen)
    dotGig
    <:<: [Fruit eating linux administrator]

  19. #19
    Join Date
    Jun 2004
    Posts
    109
    SSH has helped me a lot a few times.
    A while back, we were dealing with a 200MB+ SQL file and if it wasn't for SSH, transferring that db would have taken me ages :/
    Of course with SSH it was just a few commands and after a few seconds, you're done.


    Is SSH important to the end user? If you want to test something that can behave differently, depending on the hosts configurations, then SSH will save you a LOT of time.


    As a developer and Linux user, I think SSH access is an good plus to have in your hosting package.

  20. #20
    SSH is important to me. and anyone that knows how to work with a shell, also will cut down on some of your end user's bandwidth use. Alot of things people would use FTP for they can do internally with ssh.

  21. #21
    Hi Yash,

    Glad you jumped in here.

    My initial question was more about ssh, but the topic seems to have shifted more towards ssh and databases. The point is that ssh gives a user "full" access to the command line. Granted access to some commands may need to be disabled for security reasons. That is perfectly valid. Access to the command line is useful for database work, as well other things such as debugging scripts. I can guarantee you that most Linux/Unix developers will always prefer to work directly at the command line level when they are doing these type of tasks. However, I will admit I have not used any control panel so maybe it is an acceptable alternative. I may sign up for your plan for a test run to try it out. As I said, everything else you guys offer looks really good.

    Also, you said:

    "Well, phpMyAdmin may not be able to restore a 300 mb database, but you can upload it your FTP account, talk with tech support over live chat right away and get the database restored within 15 minutes."

    You mentioned live chat. However, I believe that chat is not available to end users. Is that correct? If it is, then that would be a nice support feature.

  22. #22
    Join Date
    Dec 2004
    Location
    San Francisco, CA
    Posts
    1,905
    SSH may be prefered by some developers, but I can assure you that debugging and database work can all be performed via the CP and FTP. Only in the case of very large databases, you may need help from support to restore or dump it....

    LiveChat is available only to direct customers. Your end-users would need to put in a ticket but we usually get back to such tickets in 30 minutes at the most
    init.me - Build, Share & Embed

    JodoHost.com - Windows VPS Hosting, ASP.NET and SQL Server Hosting
    8th year in Business, 200+ Servers. Microsoft Gold Certified Partner

  23. #23
    Join Date
    Mar 2001
    Location
    Houston, TX
    Posts
    972
    As Yash mentions, a lot of the tasks that SSH is needed for can be accomplished through control panels. The reason why many need SSH access is because it makes it more convenient to make batch file permission/ownership changes. Instituting a practice of requesting government-issued ID is slowly becoming more and more important as SSH access in the wrong hands can be dangerous if not monitored closely.

    Roj
    Web Hosting? Been there. Done that.
    I am niyogi.

  24. #24
    Join Date
    Oct 2002
    Location
    EU - east side
    Posts
    21,913
    Access to the command line is useful for database work, as well other things such as debugging scripts.
    However, I don't think many hosts will be happy to hear you're testing/debugging scripts on their production servers, where hundreds of other customers' sites might be hosted.

  25. #25
    Join Date
    May 2004
    Location
    Lansing, MI, USA
    Posts
    1,548
    What we do is the following:

    Every request for access needs to include specific purpose for the access.

    If you have been with us less than three months, or if it is your first time getting ssh access, you can have ssh enabled for a period of time (under 3 hours), but then it is disabled again.

    If you have been with us for less than 6 months, you can set a timeframe to have ssh enabled (up to 30 days), provided you show good password practice.

    If you have been with us over 6 months and have proven good password practice, then we will enable ssh perminantly for you, but still recommend you do it on a timeframe to minimize the vulrnability of your account.

    This is also, of course, backed by a per-case basis where those who need constant access can get it immediately after signing up, for a legitmate purpose, photo ID and small one-time fee.

    This has worked out really well for us.
    Jacob - WebOnce Technologies - 30 Day 100% Satisfaction Guarantee - Over 5 Years Going Strong!
    Website Hosting, PHP4&5, RoR, MySQL 5.0, Reseller Hosting, Development, and Designs
    Powered By JAM - Professional Website Development - PHP, MySQL, JavaScript, AJAX - Projects Small & Large

  26. #26
    Join Date
    Mar 2001
    Posts
    1,434
    ssh access, if managed correctly by the host, is no less secure then not offering it at all. Sure, you can lock down PHP and make it almost unusable by many popular scripts, but what about perl? C? Java? Simple programs in these languages will allow almost any command to run anyhow, so denying ssh cart blanche is more of a "smoke and mirrors" security step (or there is a fundamental security problem to begin with).

    That is not to say give ssh to every account, as this opens up more ports and access points than necessary. But, IMNSHO, if a client wants ssh for a valid reason, granting them access will not affect your security if your servers are secure in the first place.

    - John C.
    (offering ssh for 9+ years with zero incidents because of this offering)

  27. #27
    Originally posted by ldcdc
    However, I don't think many hosts will be happy to hear you're testing/debugging scripts on their production servers, where hundreds of other customers' sites might be hosted.
    Yes, I agree scripts should not intially be tested on the production servers. They should be tested on the users local machines first. If after being fully tested on the users local machine they also work on the production servers as is, then that is great. If however they work in the local environment and not on the production servers, then there is no recourse but to test/debug on production servers as well. Even if both environments have the same OS's and are configured the same way, other slight differences in the two environments can cause different behavior. I see this happen all the time.

  28. #28
    Join Date
    Mar 2001
    Location
    Houston, TX
    Posts
    972
    Debugging scripts on production servers is a very common practice - especially with interpreted languages like PHP and Perl.

    Roj
    Web Hosting? Been there. Done that.
    I am niyogi.

  29. #29
    Join Date
    Dec 2004
    Location
    San Francisco, CA
    Posts
    1,905
    Originally posted by JohnCrowley
    ssh access, if managed correctly by the host, is no less secure then not offering it at all. Sure, you can lock down PHP and make it almost unusable by many popular scripts, but what about perl? C? Java? Simple programs in these languages will allow almost any command to run anyhow, so denying ssh cart blanche is more of a "smoke and mirrors" security step (or there is a fundamental security problem to begin with).

    That is not to say give ssh to every account, as this opens up more ports and access points than necessary. But, IMNSHO, if a client wants ssh for a valid reason, granting them access will not affect your security if your servers are secure in the first place.

    - John C.
    (offering ssh for 9+ years with zero incidents because of this offering)
    SSH access cannot be exploited if managed correctly, but SSH Access increases the potential security threat to your server., if you understand what I mean

    More access.. more potential for security issues, more potential for abuse. Many companies prefer to completely forbid foreign root access. We feel the extra risk is not worth it.

    The aim of any security policy is reduce the # of access points to the minimum, have as many security layers as you can and ensure your server is locked down to allow only the bare minimum.
    Last edited by Yash-JH; 06-06-2005 at 12:11 AM.
    init.me - Build, Share & Embed

    JodoHost.com - Windows VPS Hosting, ASP.NET and SQL Server Hosting
    8th year in Business, 200+ Servers. Microsoft Gold Certified Partner

  30. #30
    Join Date
    Mar 2001
    Posts
    1,434
    Originally posted by Yash-JH
    SSH access cannot be exploited if managed correctly, but SSH Access increases the potential security threat to your server., if you understand what I mean

    More access.. more potential for security issues, more potential for abuse. Many companies prefer to completely forbid foreign root access. We feel the extra risk is not worth it.

    The aim of any security policy is reduce the # of access points to the minimum, have as many security layers as you can and ensure your server is locked down to allow only the bare minimum.
    I understand what you mean, and it is your company's decision. But, allowing cgi scripts is just as dangerous as SSH access. People think with SSH banned, their servers are more safe, but in reality this is just not true. If a "hacker" were to get a user's username and password, they can just as easily upload a perl or c script via FTP and gain shell like access just as easily as logging in via shell.

    SSH is a valid and commonly used tool for more advanced developers and programmers, and with the proper monitoring and steps taken to ensure the server is truly safe, it is no more harmful than FTP or cgi scripts.

    - John C.

  31. #31
    Join Date
    Mar 2001
    Location
    Houston, TX
    Posts
    972
    I can completely understand Yash's POV on the subject - it's a policy that probably works quite well for them and, as such, they keep it in place. :-)

    Roj
    Web Hosting? Been there. Done that.
    I am niyogi.

  32. #32
    Join Date
    Oct 2004
    Location
    India
    Posts
    491
    Giving SSH access has been becoming a delicate issues nowadays as most of the people who got those have used it to do harmfull things to the host and there quality of services.

    However , IMHO if the hosting provider chooses to be strict on the athentication procedures and keeps a constant vigilance( even on a shared server that have too many accounts) on the accounts that are shell enabled the basic security policy is maintained then SSH access can be given. The permissions to the compilers can be kept to to a bare minimum and permisions to the wget and others can be given to a restricive touch.

    If the shell is going to be used to debug the code then these policies cant be that restrictive to the users as it can server the purpose of both the hosts and the clients. If the Hosts can have faith on their fast support and then even trnasfering of a big dumped db can be handled by the support desks of the hosts.

    If clients can understnad that these policies by the hosts are only there to make their own hosting experiences better along with the others in the same hosting family then the issue like SSH access becomes very easily understandble.

    Still granting SSH access literally becomes nightmare for many of the hosts. I have seen a few hosts to give SSH access only after a fee/yr. IMHO, it can be a good idea and can keep away script kiddies from doing malicious things on the server.

    .firestarter
    ESC :wq!

  33. #33
    Join Date
    Jun 2004
    Posts
    109
    Well, if the host takes some precautions, monitors the users activity and only allows SSH access for trusted users, I think mishaps can be avoided.


    If you are a developer, and you want to make some quick adjustments to your code, you could access your script via SSH and then make the changes you want, save it directly on the hosts's machine and then access the page via the browser...it makes life easier if you ask me

    So if you're a developer, or plan to develop a lot, SSH is your friend

  34. #34
    Join Date
    Mar 2004
    Location
    New Zealand
    Posts
    533
    There is another thing to consider. By disabling SSH you increase the likely hood that one of your customers will legitimatly install a "web shell" type system (such as http://freshmeat.net/projects/wsh/ ) in thier account in order to accomplish some tasks (all be it as the webserver user). With that comes the risk that one of those webshells is incorrectly secured, or has a vulnerability (much more likely than a vuln in SSH) which allows joe bloggs access to it.

    Essentially by locking down SSH you must increase the risk of somebody totally opening up your server for any old body to take a wander through. That is unless you cripple the server sufficiently to render any "web shell" type system inoperative.

    The old phrase "security through obscurity is no security at all" has meaning here.

  35. #35
    Join Date
    Oct 2004
    Location
    India
    Posts
    491
    There is another thing to consider. By disabling SSH you increase the likely hood that one of your customers will legitimatly install a "web shell" type system (such as http://freshmeat.net/projects/wsh/ ) in thier account in order to accomplish some tasks (all be it as the webserver user). With that comes the risk that one of those webshells is incorrectly secured, or has a vulnerability (much more likely than a vuln in SSH) which allows joe bloggs access to it.
    Even this can not cause harm if the sys admin knows the main php functions that can cause this to be happen.

    IMHO, the security guys must now start a separate package that can be named "PHP Security Hardening"

    PHP gave enormous power to the talented coders to write scripts that can do almost anything. Sys admin can tweak php to get those threats away too if and only if he has those knowledge.

    The old phrase "security through obscurity is no security at all" has meaning here.
    It still has values. However, we cant ingnore the smooth running of servers.

    SSH access can be given or should I rephrase, should be given to the clients and the security of the hosts should be maintaned too.

    It need , good intensions of clients and the knowledge of the sys admins of the webhosts.

    .firestarter
    ESC :wq!

  36. #36
    Join Date
    Mar 2004
    Location
    New Zealand
    Posts
    533
    Originally posted by firestarter
    Even this can not cause harm if the sys admin knows the main php functions that can cause this to be happen.
    What about perl, python, raw cgi, there are a number of ways other than SSH that a user can peruse the system and execute commands. A good sys admin has the system correctly secured so that an unprivileged user can't do anything *harmful*, that does not necessitate removing SSH and gives you no further security if you do.

  37. #37
    Join Date
    Mar 2001
    Location
    Houston, TX
    Posts
    972
    Our experience has been that unpatched/old versions of open-source PHP scripts are a bigger threat than ssh access grants. Keep 'em updated!

    Roj
    Web Hosting? Been there. Done that.
    I am niyogi.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •