ASSS Questions - SSH security for ASSS Altec - Thu Aug 24, 2006 1:02 pm Post subject: SSH security for ASSS
Got a few Q's for you as3 guru’s ïŠ
I plan to start hosting as3 for certain zones. I got as3 to work, but need help in other areas.
1) Does a zone owner need SSH or will FTP sifice?
If SSH is needed, how to does one properly give said user proper SSH access. I understand how to give a user SSH, but don’t know if I am doing it right to make sure the system is secure.
2) Are there any scripts out there where said user can start/stop a zone with/without SSH?
Thanks guys.
Dr Brain - Thu Aug 24, 2006 3:12 pm Post subject:
0.) It's called asss.
1.) Yes, they need SSH. Take a look at grel's adminsh program.
2.) No.
Altec - Thu Aug 24, 2006 4:07 pm Post subject:
mmk...where can i find this grel's program?
Dr Brain - Thu Aug 24, 2006 4:30 pm Post subject: http://asss.yi.org/asss/home/source/ and use asss.adminsh instead of asss.asss.main
Grelminar - Fri Aug 25, 2006 3:22 am Post subject:
In theory, you can do anything you need to with ?putfile and ?recycle, assuming you have processes in place to monitor the asss process and restart it when required. But in practice zones crash or deadlock, and you need an out-of-band way to kill and restart the zone. And administration with ?putfile is really painful, and if you want to have happy owners, you should give them SFTP/SCP access.
adminsh is an alternate login shell, plus a set of scripts that make it easy to set up zones in chroot environments. Chrooting increases security by making it impossible for one zone to affect others (assuming you set it up right, which isn't easy). Being an alternate login shell means that it gives owners the ability to do only very specific commands (start/stop their zone, send messages, view log files, and a few more), but _not_ full shell access. This is weak security, though, since if they can ?putfile, they can run arbitrary code on your server (this is where the chroot helps). adminsh also provides automatic restarting after crashes and ?recycle.
I would recommend setting up adminsh for basic tasks, and if you trust your owners and they are knowledgeable in basic unix usage, you can also give them full shell access, which comes in handy sometimes.
Fully securing a machine against users with shell access (or ?putfile/?insmod access) to a machine is difficult (or maybe impossible, depending on your requirements). The chroot that adminsh helps you set up is just a starting point.
Animate Dreams - Fri Aug 25, 2006 10:40 am Post subject:
I don't suppose someone would like to make a wiki detailing these things? I'm not officially hosting zones(yet), but since AS3 hosting at the moment is sparse and being very well, um... protected, I've offered to host a couple people's dev zones on my own Linux computer. And in the future, I may get space on a real server, so I'd REALLY have to worry about security then. Although, I'd be willing to bet this is more of a Unix thing than it is an AS3 thing, so I'm going to go see if I can find anything helpful, and if the rest of you have any good websites for this, just post them here.
Cyan~Fire - Fri Aug 25, 2006 4:57 pm Post subject:
There already is a wiki, go ahead and put the info there. (The link is near the top of this page.)
Animate Dreams - Sat Aug 26, 2006 1:11 am Post subject:
I meant a specific wiki page on asss security.
Altec - Sat Aug 26, 2006 8:59 am Post subject:
Ok, I found a way to give someone SSH access. However the problem I'm running into know is what that person has access to.
Is there a way to lock them into there folder so they can only view there content and not the whole system?
Thanks.
Dr Brain - Sat Aug 26, 2006 9:12 am Post subject:
Yes, it's called chroot and is part of what grel was talking about.