  1. #1
    Member
    Join Date
    Jul 2005
    Location
    Edinburgh, Scotland
    Posts
    43

    WHM with no root login

    We're looking to implement very strict PCI compliance rules and one of them is to remove root logins completely. I'd like to know if there's a way to log in to WHM without using the root/rootpw as the 'root' user. For example via SSH we can use SSH keys - is there an equivalent we can set up for WHM access?

  2. #2
    Member
    Join Date
    May 2010
    Posts
    321

    I would also like more information on this. Most hackers these days instantly know WHM is user ROOT. Shame it cannot be changed, or if it can then please inform us.

  3. #3
    Member
    Join Date
    Aug 2010
    Posts
    11

    Yes, I would like to know this too. Is there a way to use a key file for WHM login?

  4. #4
    cPanel Product Evangelist Infopro
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,157
    cPanel/Enkompass Access Level

    Root Administrator

    Quote: Originally posted by nimrodx
    We're looking to implement very strict PCI compliance rules and one of them is to remove root logins completely. I'd like to know if there's a way to log in to WHM without using the root/rootpw as the 'root' user. For example via SSH we can use SSH keys - is there an equivalent we can set up for WHM access?

    You are able to, and it is suggested, IMHO, to create a reseller account with access/permission to work inside WHM and not use root unless absolutely needed. This is a smart idea.

    I'm not sure you can remove the root user's access to WHM though, and I'm also not sure of the PCI compliance rules for root user and WHM login.

  5. #5
    Member
    Join Date
    Jul 2005
    Location
    Edinburgh, Scotland
    Posts
    43

    The problem with that is the root account still remains active and if the root pw is known, user 'root' can log in.

    I need full root access via WHM.. but without an actual root login with 'root' and the root PW.

  6. #6
    Member
    Join Date
    Jul 2005
    Location
    Edinburgh, Scotland
    Posts
    43

    What about the new security policy features in 11.28 - will this allow for any kind of manipulation of root login?

  7. #7
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    10,711
    cPanel/Enkompass Access Level

    Root Administrator

    Quote: Originally posted by nimrodx
    The problem with that is the root account still remains active and if the root pw is known, user 'root' can log in.

    I need full root access via WHM.. but without an actual root login with 'root' and the root PW.

    As for having a secondary root account, you can create a cPanel user with a fake domain (e.g. example.com) and then promote them to Reseller with root privileges. This gets that account full root-level access to WHM without logging in as user root.

  8. #8
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    10,711
    cPanel/Enkompass Access Level

    Root Administrator

    Quote: Originally posted by nimrodx
    What about the new security policy features in 11.28 - will this allow for any kind of manipulation of root login?

    With 11.28's Security Policy functionality, you can essentially limit the IPs that can access any account, including root. So if an IP is not authorized, it must know the answers to several security questions before a login can be successful on that username, even if you know the password. This significantly reduces the likelihood of a root login, especially by means of brute forcing.

    For cPanel Partner NOCs, this is essentially identical to the Manage2 system you are familiar with.

    Further manipulation of logins will be possible when the Pluggable Authentication system is implemented in a later version of cPanel/WHM.

  9. #9
    Member
    Join Date
    Jul 2005
    Location
    Edinburgh, Scotland
    Posts
    43

    Hi David,

    That's getting closer to what I'm after. I actually had to use the 5-question verification process this morning for another issue as I'm on site.

    Is there any further information available for this new pluggable authentication system? I realise it's for future releases however it may influence how I react at the moment. With over 100 servers to work on.. I'd like to reduce duplicate work as much as possible!

  10. #10
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    10,711
    cPanel/Enkompass Access Level

    Root Administrator

    Quote: Originally posted by nimrodx
    Hi David,

    That's getting closer to what I'm after. I actually had to use the 5-question verification process this morning for another issue as I'm on site.

    Is there any further information available for this new pluggable authentication system? I realise it's for future releases however it may influence how I react at the moment. With over 100 servers to work on.. I'd like to reduce duplicate work as much as possible!

    Pluggable Authentication is targeted to version 11.32, so documentation for it is not yet available.

    Basically, we're adding an authentication layer that anyone can plug into. This is designed to let folks use alternative authentication methods like LDAP, key authentication etc. for authenticating into services on a cPanel/WHM server. However, if you wanted to build a plugin that intercepted direct logins for user root into WHM or cPanel and always denied them, you could once this system is implemented.

    EDIT: You can track the progress of this feature at: http://forums.cpanel.net/f145/whm-pa...on-154665.html
    Last edited by cPanelDavidG; 09-01-2010 at 10:51 AM. Reason: Link to Pluggable Authentication feature request

  11. #11
    Member
    Join Date
    Jul 2005
    Location
    Edinburgh, Scotland
    Posts
    43

    Hi David,

    Thanks for that. Interesting reading and I'll follow it closely.
