webhosts and (lack of) SSH access

While looking for a webhost, I've been amazed at how many providers don't offer SSH access. I asked some to share their reasons, and those that were kind enough to answer suggested it was actually a security risk.

This may be true for SSH per se; however, as most experienced scripters would know, it is quite easy to concoct a shell-like environment using technologies that webhosts invariably offer anyway. For example, a simple Perl script in cgi-bin could execute commands and display their output, thus acting as a shell, albeit much less secure than SSH. So, since as a host you have to allow all the essential web technologies, adding SSH won't constitute an additional threat for you.

One is tempted to think that SSH-deniers don't really understand the technologies involved, have heard somewhere that "providing SSH is a security risk", and decided to drop it. This might be a bit naive though, considering the number of respected providers that don't offer SSH. So what could be the reasons for refusing SSH access then?

One of the hosts I contacted told me that this measure was not meant so much to counter real hacking attempts; it was the script kiddies they were scared of, with all the premade tools assuming shell access and without the obvious amount of creativity required to fulfill another type of attack. While I find this reasoning alone quite doubtful, I have actually been able to find a lot of premade "CGI shells" out there, just waiting to be downloaded by script kiddies (or frustrated clients, trying to compile their Perl modules). Thus, this "security-through-obscurity" argument doesn't sound very likely, even if we assume security through obscurity worked nicely.

Perhaps then, it could be the support issue? Supporting SSH itself doesn't amount to much really, but with the convenience it provides for so many tasks, you are likely to end up with higher-demanding customers on average if you offer it, since they will be looking specifically for it. On the other hand, if you don't offer SSH, customers whose needs grow will move, thus leaving you with "sweet-spot clients" paying their $X/mo. and being lumped on your servers by the hundreds. You can offer mind-boggling traffic for the buck and few will utilize it. I have no experience in hosting and would like to ask if such a strategy (and answer to the question) seems possible?

The third alternative I can think of is that these SSH-deniers are actually quite clever people, implementing things like advanced script-crippling, such as selective prohibition of exec calls, in order to make things such as the "CGI Shell" ineffective. (Note: I'm not talking about language-specific security features here, like disabling system() and such. These would be useless if true CGI is offered.)

I would very much appreciate it if someone could shed light on this whole issue...