From owner-freebsd-isp@FreeBSD.ORG Sat Apr 22 12:38:28 2006
Date: Sat, 22 Apr 2006 13:38:24 +0100
From: Brian Candler
To: Mark Bucciarelli
Cc: freebsd-isp@freebsd.org
Subject: Re: Secure Shell for Virtual Hosts
Message-ID: <20060422123823.GA93079@uk.tiscali.com>
In-Reply-To: <20060421130609.GC3564@rabbit>
User-Agent: Mutt/1.4.2.1i

On Fri, Apr 21, 2006 at 09:06:09AM -0400, Mark Bucciarelli wrote:
> Some bulk providers allow their virtual host customers to ssh into their
> accounts.
>
> I've been puzzling over how this can be done in a secure way

Depends how you wish to define "secure".

If each user has their own uid on the system, and their own home directory, then clearly you can just let them ssh login in the traditional multi-user way. Filesystem permissions will protect them from each other.

Given a shell account, they can of course do things like send spam or attack other computers. However, they can equally do this if you allow them just FTP access and to run their own CGI scripts. They could for example upload the attached Perl CGI, and run arbitrary shell commands in a way far less secure than SSH.

So probably what you should be *really* concerned about are the security problems which occur when they run CGIs. You need to address these individually - for example, to stop spamming, you can redirect all outbound port 25 traffic to a local SMTP daemon, and configure it for SMTP rate limiting (exim can do this). Whether or not you let them have ssh access is pretty much incidental.

Regards,

Brian.

-------- 8< ---------------------------------------------------------------
#!/usr/bin/perl
# Attached demonstration CGI: runs whatever command is typed into the form.
# The HTML markup (the form, the <pre> tags and the &lt;/&gt; escapes in the
# sed expressions) was stripped when the mail was archived and is restored here.
use strict;
use warnings;
use CGI;

# Only answer requests from these two addresses.
my $addr = $ENV{'REMOTE_ADDR'} || '';
if ($addr ne "127.0.0.1" and $addr ne "192.168.1.1") {
  print "Content-Type: text/html\n\n";
  print "Permission denied";
  exit;
}

my $c = CGI->new;
my $p = $c->param("command") || '';
my $d = $c->param("cwd") || '';
chdir($d) if $d;

# "cd" must be handled by this process; a child shell's chdir would be lost.
if ($p =~ /^cd(\s+(.*))$/) {
  chdir($2) if $2;
  chomp($d = `pwd`);
  $p = "pwd";
}

$| = 1;
print "Content-Type: text/html\n\n";
print "Enter command: $d\n";
print "<form method=\"get\">\n";
print "<input type=\"hidden\" name=\"cwd\" value=\"$d\">\n";
print "<input type=\"text\" name=\"command\" size=\"60\">\n";
print "</form>\n";
if ($p) {
  print "<pre>\n";
  # Run the command and HTML-escape its output before it reaches the browser.
  system($p . " 2>&1 | sed -e 's/&/\\&amp;/g' -e 's/</\\&lt;/g' -e 's/>/\\&gt;/g'");
  print "</pre>\n";
}