ssh access

#1 Wed, 01/30/2008 - 03:46
Maurizio1230

ssh access

Hi all,

I try to log in via ssh with a normal user name (not root) and this user can access all the server directories in /. How can I limit its privileges? I don't find anything in Webmin-->Server-->SSH.

Thanks

Wed, 01/30/2008 - 13:44
Blueforce

Hi Maurizio1230,

This has been discussed in many threads in the forum. If you search the forum you will find info about this.

Here are some threads

[url=http://www.virtualmin.com/index.php?option=com_fireboard&Itemid=77&a... 1[/url]

[url=http://www.virtualmin.com/index.php?option=com_fireboard&Itemid=77&a... 2[/url]

[url=http://www.virtualmin.com/index.php?option=com_fireboard&Itemid=77&a... 3[/url]

Regards,
Leif

Thu, 01/31/2008 - 08:56 (Reply to #2)
Maurizio1230

<div class='quote'>3. But SSH users can see/download (although cannot delete) all other (system) files on the server!!??

++++++++++++++++++++++++++++++++++++++++++++++++++++++

That is true. And there is nothing you can do about it. If you have unencrypted passwords in any of the system directories, they can be viewed by any SSH user.

Jamie: "The Unix shell commands you run via SSH need access to /etc, /usr and other system directories to run.. so there is no way to set the permissions globally to make them unreadable."

Jamie: "Make sure all files containing security-critical information like passwords are readable only by root, or encrypted. This is actually the default on all Unix systems - /etc/shadow for example contains encrypted passwords and can only be read by root."</div>

What? Is it impossible to allow some users to see only their home files?

Fri, 02/01/2008 - 06:32 (Reply to #3)
Joe

<div class='quote'>What? Is it impossible to allow some users to see only their home files?</div>

Yes, on a shared hosting system, that is correct. Even if you were to chroot their ssh access (which has negative security consequences), any scripts the web server runs will have the ability to see the rest of the system.

The key here is that this is fine. UNIX and Linux have been visible in this way for over 30 years. I don't think picking fights with Dennis Ritchie or Linus Torvalds is a productive use of our time. ;-)

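An added example, not part of the original thread: a small audit an administrator could run as root to act on the advice quoted above, that files holding passwords should be readable only by root. It walks a directory tree and reports credential-looking lines in files that some non-root account can read. The function names and the `SECRET_RE` pattern are assumptions made for this sketch, and only mode bits and ownership are checked (no ACLs).

```python
import os
import re
import stat

# Assumed heuristic for plaintext credentials in config files; tune it per site.
SECRET_RE = re.compile(rb"(?i)(pass(word|wd)?|secret|api_?key)\s*[=:]\s*\S+")

def readable_by_others(st, owner_uid=0):
    """List the reasons an account other than owner_uid could read this file."""
    reasons = []
    if st.st_uid != owner_uid:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IRGRP:
        reasons.append("group-readable")
    if st.st_mode & stat.S_IROTH:
        reasons.append("world-readable")
    return reasons

def audit_tree(root, owner_uid=0, max_bytes=1 << 20):
    """Return [(path, line_no, reasons)] for credential-looking lines in exposed files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets and device nodes
                reasons = readable_by_others(st, owner_uid)
                if not reasons:
                    continue  # already restricted to the owner
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # not readable by the auditor; run as root for full coverage
            for line_no, line in enumerate(data.splitlines(), 1):
                if SECRET_RE.search(line):
                    # Report the location only, never the secret value itself.
                    findings.append((path, line_no, reasons))
    return findings

if __name__ == "__main__":
    for path, line_no, reasons in audit_tree("/etc"):
        print(f"{path}:{line_no}: {', '.join(reasons)}")
```

Each finding is a candidate for `chmod 600` and `chown root`, or for replacing the plaintext value with a hash; the pattern is a heuristic, so expect some false positives.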