Security

hexadomain

Hello,
I have a security question.
I want a user with SSH enabled who logs in via SSH to be unable to see OS-related files and folders. For example, normal users should not be able to see or read the /etc directory and all files/folders in it.
Is there a way to do this on a DirectAdmin server?
 
Any good/bad experiences with using jailed SSH? I'd like to know what others think before I start implementing it on my servers.

Thanks.

Jeff
 
cp: cannot create regular file `/home/novalidip/usr/lib64/perl5/CORE/libperl.so': No such file or directory
cp: cannot stat `/usr/local/directadmin/custombuild/jail/su': No such file or directory


And the user can still see /etc and so on.
 
The jailed SSH option is always very buggy I believe.

Personally I would recommend using CloudLinux, they specialize in this stuff.
 
Yeah, but it's not free so it's stupid. Paying a monthly fee is unacceptable.
 
Well, it's always your own choice. They've made a whole company out of it, with many features all made for shared hosting. Although I like that DA offers lifetime subs, you also know DA is almost the only one out there who does that.

It would be best if DA could provide everything CL does, but in order to do that they would probably have to start asking monthly fees as well.
 
Right, that is not a jail, but a shell.

lshell is a shell coded in Python, that lets you restrict a user's environment to limited sets of commands, choose to enable/disable any command over SSH (e.g. SCP, SFTP, rsync, etc.), log user's commands, implement timing restriction, and more.
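
Added example (not from the thread and not lshell's code): a simplified Python sketch of the kind of allow-list checks a restricted shell like the one described above applies to each command line. The policy, user name and paths are constructed for illustration.

```python
import posixpath
import shlex

# Hypothetical per-user policy (constructed for this example).
POLICY = {
    "allowed": {"ls", "cat", "svn", "git", "tar"},
    "forbidden": [";", "&", "|", "`", ">", "<", "$(", "${"],
    "paths": ["/home/dev1"],  # directories the user may touch
}

def check_command(line, policy=POLICY, cwd="/home/dev1"):
    """Return (ok, reason) for one command line typed by the user."""
    # 1. Reject shell metacharacters that would chain or redirect commands.
    for token in policy["forbidden"]:
        if token in line:
            return False, f"forbidden syntax: {token}"
    try:
        argv = shlex.split(line)
    except ValueError as exc:
        return False, f"unparsable: {exc}"
    if not argv:
        return False, "empty command"
    # 2. The command name must be on the allow-list (so /bin/ls is refused).
    if argv[0] not in policy["allowed"]:
        return False, f"command not allowed: {argv[0]}"
    # 3. Treat every non-option argument as a path and require it to
    #    normalise to a location inside an allowed directory, so
    #    "../../etc" is caught as well as "/etc".
    for arg in argv[1:]:
        if arg.startswith("-"):
            continue
        resolved = posixpath.normpath(posixpath.join(cwd, arg))
        if not any(resolved == p or resolved.startswith(p + "/")
                   for p in policy["paths"]):
            return False, f"path not allowed: {resolved}"
    return True, "ok"

if __name__ == "__main__":
    for cmd in ["ls -l public_html", "cat /etc/passwd",
                "ls ../../etc", "ls; cat /etc/passwd", "bash"]:
        print(f"{cmd!r:28} -> {check_command(cmd)}")
```

The path check is lexical only and nothing here isolates the filesystem, which is the difference between a restricted shell and a jail that the post points out.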
 
Why doesn't someone write a shell with a built-in jail capability? Just as proftpd can't go outside a certain path, it should be possible to write a shell which can't either.

Should this be a feature request :D ?

Yes, but not for DirectAdmin forums.

Jeff
 
Please feel free to do it. We don't need it. Why would a user on a shared hosting server ever need SSH access?!

We don't give SSH access to our customers, and servers under my maintenance usually do not share SSH access with regular users. So we do not need it. There was only one case which I recall when I needed to give SSH access. It was a PHP developer and he had to work with SVN. And in that case we used lshell.
 
If you have many developers as customers, SSH is indeed very useful. They want to use svn/git and download archives and extract them, etc.
 
Right, developers might really need it, and in my practice that's a rather rare case. You might have another opinion and experience, and I respect it. I specialise in shared hosting, and no shared hosting user has SSH access in my practice. Still, in our office PHP coders have lshell access when they need SSH. And lshell is rather good for it, I'd say, as you can control the list of commands which a specified user can run.
 