Rehabilitate SSH access with application credentials
Rehabilitate SSH access with application credentials, and not only for Master credentials.
In my case, we have our software, installed on our software, that connects via SSH to a single application to launch some PHP scripts with php-cli.
Now, I can't give the master password to our customer!
SSH access for applications has been reinstated. Users now have an option to enable and disable SSH for an application.
For more details, please read the following KB
I really value this feature - thank you for reinstating. Is it still the case that application-specific SSH access allows read-only access to files of different applications living on the same server, or have you found a way to lock this down?
Cloudways, I've just signed up, was evaluating you to use for hosting, however, my customers will expect drush alias support, and naturally, it appears I can't offer this without giving people access to the whole server.
Surely there is a way to strike a balance between securing the server (and stop people browsing around other people's files), and allowing really useful tools like drush for executing remote commands?
Rex So commented
I face exactly the same problem and this doesn't make sense to me either.
I'm quite unsatisfied with removing the flexibility to assign SSH access limited to one application.
In fact, one server can have multiple applications delegated to different developers. As a server administrator, I will never share my master credentials with the others.
AdminCloudways (Admin, Cloudways) commented
Ignazio, this will not come back. If we give SSH access to application credentials we will have the same problem that we had before, that is that you could SSH with app specific credentials and see all files for all other apps.
One of the objectives of the change was precisely to fix this problem.
Before, when you were giving an application SSH/SFTP user to one of your customers, that user had read access to all other apps all the same. So other customers could access (not change, true) files/folders of other apps. So you were already giving access to all apps, same as if you share master creds now.
We will listen to what customers have to say, but as of now, many more people appreciate the fact that application credentials properly isolate apps between them than people missing the SSH capabilities for them.