Secure Shell (SSH) users on the Nexcess Cloud are set up and configured in a way that some customers may not be used to when administering their Nexcess web hosting. (SSH is also known as Secure Socket Shell.)
Nexcess set up SSH users this way to make things easier for web hosting teams. This knowledge base article provides an overview of how SSH users are set up on the Nexcess Cloud infrastructure, so customers better understand the specifics of our hosting environment for server administration and teamwork.
Secure Shell (SSH) user setup differences between hosting plans at Nexcess
At Nexcess, the Secure Shell (SSH) user setup depends on your web hosting product and platform:
- On Managed WordPress (MWP)/Managed WooCommerce (MWCH) hosting plans, each website has its own individual SSH user.
- On all other Nexcess Cloud plans (Magento, Flex, etc.), each hosting plan has its own SSH user.
More about Secure Shell (SSH) connections
For this article, we will use the example website “abc123.nxcli.net” and the example main account/site SSH user “a123b4c5”. All files for our example website are owned by the main account/site SSH user “a123b4c5”.
Only the SSH user specific to our example domain above (in this example, SSH user “a123b4c5”) has complete control over the files/folders and can:
- Modify permissions for files/folders.
- Add and delete files/folders.
No customer can log in as this main account/site SSH user (the SSH user “a123b4c5” in our example).
Example of Secure Shell (SSH) users for each team member
Each team member on the plan will have their own SSH user. We have an example for you — see the output shown below.
This output is returned when a search has been run for all users in the /home folder that starts with the text string of “a123b4c5”:
Code snippet example output
The example above is for an account that has 14 team members. While each team member has their own SSH user account and home folder, none of those SSH users with an underscore and number in the username will own files on the site. The files on the site are all owned by the main account/site SSH user. In this example, “a123b4c5” is the main account/site SSH user.
How connecting via Secure Shell (SSH) works per team member
Here is how connecting via SSH works per team member:
1. Let's say a team member wants to log in as their individual SSH user (in this example, “a123b4c5_13”).
2. When they connect to the Nexcess Cloud host, a process at Nexcess looks up the corresponding main account/site SSH user, which is SSH user “a123b4c5” in our case. Specifically, “a123b4c5” is the main account/site SSH user to which the team member SSH user “a123b4c5_13” belongs.
- This setup also allows each team member to have their own SSH password and SSH keys yet access the same files as the rest of the team.
3. Once authenticated by the server, a process looks up the requested user's information in an internal database at Nexcess.
4. If everything matches, the client is placed in a shell as the requested user (in this example, individual team member SSH user “a123b4c5_13”).
- It is almost like the additional team member SSH users are aliases of the main account/site SSH user.
The use case in this article is an extreme oversimplification of what happens, but hopefully it gets the point across of how SSH user accounts for web hosting team members are managed using the main account/site SSH user.
Secure Shell (SSH) Frequently Asked Questions (FAQ)
Question: Can we create a temporary Secure Shell (SSH) user account for a customer to give, for example, to a developer?
Answer: Yes — in a way — by creating and then deleting a team member, this can be done. The customer can create a new team member via the Nexcess Client Portal found at my.nexcess.net. The team member creation creates a corresponding new SSH user by default.
The customer can then get the SSH credentials for that new user and provide them to their developer. Once the developer is done with their task, the customer can delete the team member, and doing so will delete the corresponding SSH user account for that team member.
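The home-folder search described earlier can also be used to review which team-member SSH users exist and to confirm that a temporary one is gone after its team member is deleted. The script below is an added example, not Nexcess tooling; it assumes every SSH user has a folder named after it under a home base directory that the caller can list, and that file ownership is visible from the shell.

```shell
#!/usr/bin/env bash
# Added example (not Nexcess code). Assumption: each SSH user has a folder
# named after it under HOME_BASE (default /home) that the caller can list.

# Print team-member usernames (<main>_<number>) for one main account/site
# user, sorted by numeric suffix. The main user itself is not listed.
list_team_users() {
    local main_user=$1 home_base=${2:-/home} path name suffix
    for path in "$home_base/$main_user"_*; do
        [ -d "$path" ] || continue           # also skips an unmatched glob
        name=${path##*/}
        suffix=${name#"${main_user}_"}
        case $suffix in
            ''|*[!0-9]*) continue ;;         # suffix must be digits only
        esac
        printf '%s %s\n' "$suffix" "$name"
    done | sort -n | cut -d' ' -f2
}

# Exit 0 only if the given team-member SSH user no longer has a home folder,
# for example after a temporary team member was deleted in the portal.
team_user_removed() {
    local member=$1 home_base=${2:-/home}
    ! list_team_users "${member%_*}" "$home_base" | grep -qx -- "$member"
}

# List files under a site folder that are NOT owned by the main account/site
# user (name or numeric UID). Empty output matches the ownership model above.
files_not_owned_by() {
    local main_user=$1 site_dir=$2
    find "$site_dir" ! -user "$main_user" -print
}
```

For example, `team_user_removed a123b4c5_13` returns success once the folder for “a123b4c5_13” no longer exists under /home.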
Question: Can a customer create a read-only Secure Shell (SSH) user on a Nexcess Cloud account?
Answer: No. All SSH users will have “read” and “write” abilities.
Question: Can you limit a Secure Shell (SSH) user account to accessing only one site?
Answer: Only on Managed WordPress (MWP)/Managed WooCommerce (MWCH) hosting plans. Since each website on one of our MWP/MWCH plans is in its own segmented file system, those SSH users can only access that one site's file system.
On other plans like Magento, Flex, etc., the SSH user will have access to all the sites on that specific hosting plan.
Question: Can you limit the Secure Shell (SSH) user to a specific folder?
Answer: No. Each SSH user will have access to the files and folders owned by that user.
The closest thing to creating this kind of restriction on the Nexcess Cloud is to limit an FTPS user to a specific folder, but for some, that may not meet their goals.
Question: What if a Secure Shell (SSH) user with special/limited permissions is required?
Answer: On the Nexcess Cloud, that will not be possible, but on a bare metal dedicated server, that should be just fine. A review of the requested details should be discussed with the appropriate Nexcess support team.