Ssh
- Thread starter dangul
- Start date
tillo
Verified User
If the user is set up with SSH, I'm almost sure he can't deny himself access.
I can think about a little workaround though, accessible from DA's File Manager: the user can backup the existing .bashrc and put one containing just the word "logout" instead.
Anyway it's best to ask the reseller/admin to deactive SSH from DA.
I can think about a little workaround though, accessible from DA's File Manager: the user can backup the existing .bashrc and put one containing just the word "logout" instead.
Anyway it's best to ask the reseller/admin to deactive SSH from DA.
tillo
Verified User
That's quite simple.
Just enter /etc/skel (for debian, search "home skel distname" in google for other distributions), move ".bashrc" to ".bashrc_active" and create a new ".bashrc" containing "logout".
Every new user account will then have a denied SSH access and just need to overwrite ".bashrc" with ".bashrc_active" if they need it.
Of course if the admin/reseller deny access from the DA panel, it won't be able to login anyway.
The feature I think would be nice is a button in the GUI that enable/disable SSH access...
We permit SSH access for all our customers and it really would be nice if SSH is disabled when the account is new and the users wount need it... When they need it, they only enable it...
But that wont be the most important feature either... Just a nice one...
//Daniel
We permit SSH access for all our customers and it really would be nice if SSH is disabled when the account is new and the users wount need it... When they need it, they only enable it...
But that wont be the most important feature either... Just a nice one...
//Daniel
Last edited:
tillo
Verified User
@floyd: I think you misunderstood the real topic of this thread.
The author wants an opt-in (default off) feature for the SSH access, where the user has the choice to activate/deactivate his SSH access, of course only if the admin/reseller gives him the access.
I think that this would be an important security feature. Many users won't use SSH even if permitted, and any open access can potentially be a security threat.
This way, even when permitted, the user has to activate the access himself if he really wants to use it.
The author wants an opt-in (default off) feature for the SSH access, where the user has the choice to activate/deactivate his SSH access, of course only if the admin/reseller gives him the access.
I think that this would be an important security feature. Many users won't use SSH even if permitted, and any open access can potentially be a security threat.
This way, even when permitted, the user has to activate the access himself if he really wants to use it.
floyd
Verified User
- Joined
- Mar 29, 2005
- Messages
- 6,255
I am sorry, I thought this was the General Discussion section and not the Feature Request section. Oh it is the General Discussion section. That means the idea can be discussed.
I know what the OP wants and I am saying in my opinion its a bad idea. I thought he put it in this section so that he could get feedback as to whether its a good idea or not.
If he still wants it included in DirectAdmin he is free to put it in the Feature Request section.
I know what the OP wants and I am saying in my opinion its a bad idea. I thought he put it in this section so that he could get feedback as to whether its a good idea or not.
If he still wants it included in DirectAdmin he is free to put it in the Feature Request section.
tillo
Verified User
Sorry, your last post made me think that you didn't understand the topic, but I was wrong; you just omitted the explanation.
Can you please explain why it would be a bad idea? I can't see any reason, beside the fact the users could be annoyed by having to activate the SSH access once received the account.
Of course the admin/reseller could choose whether it's an opt-out instead of an opt-in, solving the problem.
Can you please explain why it would be a bad idea? I can't see any reason, beside the fact the users could be annoyed by having to activate the SSH access once received the account.
Of course the admin/reseller could choose whether it's an opt-out instead of an opt-in, solving the problem.
floyd
Verified User
- Joined
- Mar 29, 2005
- Messages
- 6,255
ssh allows for users to do a bunch of things they cannot normally do. Some are good things and many are bad. They can try to gain root access easier or break into other users areas.
The key issue is whether the user is known or unknown. Many companies allow users to signup and have immediate access. I know I do. Do I want those users to also have ssh access, absolutely not.
If a user is established and asks for ssh access then no problem. At that point maybe a user can be allowed turn on and off ssh for themselves. But unknown users should never be allowed ssh access. If you allow it then you have unlocked one door of your security system.
Most people who really need ssh access can pay for a vps and have total control over their system.
The key issue is whether the user is known or unknown. Many companies allow users to signup and have immediate access. I know I do. Do I want those users to also have ssh access, absolutely not.
If a user is established and asks for ssh access then no problem. At that point maybe a user can be allowed turn on and off ssh for themselves. But unknown users should never be allowed ssh access. If you allow it then you have unlocked one door of your security system.
Most people who really need ssh access can pay for a vps and have total control over their system.
tillo
Verified User
Then maybe you did misunderstand the topic, or I have. 
As far as I have understood, this feature would be for people that have SSH in their package. It's for customers that pay for the SSH service, and with the actual configuration they will have it activated by default. What's asked here is just to make the user choose directly if he really wants it or not.
Of course that option would not be accessible if the user's package has the SSH login deactivated.
As far as I have understood, this feature would be for people that have SSH in their package. It's for customers that pay for the SSH service, and with the actual configuration they will have it activated by default. What's asked here is just to make the user choose directly if he really wants it or not.
Of course that option would not be accessible if the user's package has the SSH login deactivated.
floyd
Verified User
- Joined
- Mar 29, 2005
- Messages
- 6,255
I am saying that it is a bad idea to arbitrarily do this by default.
I am saying the administrator needs to approve ssh specifically for the user first.
dangul has indicated here (whether he meant to or not) that he allows ssh for all his customers by default and wants them to be able to turn off ssh if they don't need it.
His first post:
So he enables ssh at the package level not the per user level. So all users that signup for this package get ssh. That is a bad idea unless he can somehow verify that they are trusted users.
tillo
Verified User
I completely agree with you on that.
nobaloney
NoBaloney Internet Svcs - In Memoriam †
If every DirectAdmin administrator understood the ramifications of allowing ssh access by default, then I'd say, okay, it's a good idea. However if it's one thing we've learned over and over again in these forums it's that many DirectAdmin users have no idea of any of the issues involved in maintaining a shared hosting server. So I say I'm against it. However, my word certainly isn't law; it's just my opinion.
Jeff
Jeff
LawsHosting
Verified User
My 2p's worth....... if its a shared server, then allowing access is like leaving your front door open after you go out.........
this option should be allowed for a dedi or vps (eugh) imho.....
this option should be allowed for a dedi or vps (eugh) imho.....
Ok, I agre on that you have to trust your users but in our case we can do that...
The SSH also is jailed so the users can´t do whatever they want either so I really don´t se the problem..
This would be a option so if you don´t want that you shouldnt enable it...
This would be a further development of the SSH jail feature in DA.
//Daniel
The SSH also is jailed so the users can´t do whatever they want either so I really don´t se the problem..
This would be a option so if you don´t want that you shouldnt enable it...
This would be a further development of the SSH jail feature in DA.
//Daniel