False Security

IlyaM on 2003-08-29T13:01:16

What I don't get is why many ISPs don't allow ssh access to their boxes while at the same time they allow you to run your own CGI scripts. If you can run arbitrary CGI then you can run arbitrary code on the server even without a shell.

On a similar note, why does SourceForge disallow SSH access to their CVS servers when they allow you to modify files in CVSROOT? If I can add commitinfo and loginfo scripts there, I can run arbitrary code on the server too.

For sysadmins: better not to waste your time on false security measures, especially when they make the lives of legitimate users harder.
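As an added illustration of the point above (this is not code from the thread or from any ISP), here is a probe CGI script a sysadmin can drop into a cgi-bin directory to see what "arbitrary CGI" already hands to a customer who has no shell login. The file name probe.cgi, the list of tools it looks for, and the output layout are all my own choices; it runs stand-alone from a terminal as well as under a web server.

```python
#!/usr/bin/env python3
"""Added example, not from the original thread: a CGI script that reports what
code running inside a CGI can see and do on the host.

Install as cgi-bin/probe.cgi (hypothetical name) and request it over HTTP, or
run it from a terminal; either way it spawns commands exactly the way any
customer CGI script could, and prints the result as a CGI response."""
import os
import pwd
import shutil
import subprocess


def run(cmd):
    """Run a command the way a CGI script could run any command; return its text."""
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=5)
        return (out.stdout or out.stderr).strip()
    except (OSError, subprocess.SubprocessError) as e:
        return f"failed: {e}"


def probe_context():
    """Collect the facts that decide whether denying ssh buys anything.

    If these answers look like a shell account (a real uid, a writable home,
    a shell you can spawn, an X client or a compiler on the PATH), the CGI
    customer already has everything an ssh login would have given them."""
    uid = os.geteuid()
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = "?"
    # Tool list is an assumption: xterm is the one the thread mentions, the
    # rest are the usual ways to turn CGI execution into an interactive session.
    tools = ("xterm", "perl", "python3", "nc", "ssh", "gcc")
    return {
        "user": f"{user} (uid {uid})",
        "cwd": os.getcwd(),
        "can_spawn_shell": run(["/bin/sh", "-c", "echo spawned"]) == "spawned",
        "id": run(["id"]),
        "uname": run(["uname", "-a"]),
        "tools": {t: shutil.which(t) for t in tools},
        "home_writable": os.access(os.path.expanduser("~"), os.W_OK),
    }


def render_cgi(info):
    """Format the probe as a CGI response: header lines, blank line, body."""
    lines = ["Content-Type: text/plain", ""]
    for key, value in info.items():
        if isinstance(value, dict):
            lines.append(f"{key}:")
            lines.extend(f"  {k}: {v or 'not found'}" for k, v in value.items())
        else:
            lines.append(f"{key}: {value}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(render_cgi(probe_context()), end="")
```

Run from a terminal it just prints the report; under a web server the same output comes back in the browser, which is the whole point: nothing in it needed ssh. The "tools" section is the part worth reading as a sysadmin, since an X client or a compiler reachable from a CGI-only account is exactly the gap the thread is complaining about.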


What you really have to love

Elian on 2003-08-29T15:27:24

is the ISPs that don't allow any login access, but not only allow arbitrary CGI programs to execute but also have X installed, so full access is a quick "xterm -d yourhost" away... :(