  1. #1
    cPanel Partner NOC
    Join Date
    Jan 2009
    Posts
    16

    Cpanel Technician Access

    Currently we are working on developing a process to give cpanel technicians access to our servers. We are trying to avoid giving out root passwords, as we do not want to have to change them every time we submit a ticket to Cpanel and allow them access to our servers to troubleshoot an issue.

    My question is, are there any problems with providing another method other than simply giving out the root password?

    For example, creating a standard user that can su to root, then give the login information for that account?

  2. #2
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025


    Quote Originally Posted by dwinans View Post
    Currently we are working on developing a process to give cpanel technicians access to our servers. We are trying to avoid giving out root passwords, as we do not want to have to change them every time we submit a ticket to Cpanel and allow them access to our servers to troubleshoot an issue.

    My question is, are there any problems with providing another method other than simply giving out the root password?

    For example, creating a standard user that can su to root, then give the login information for that account?
    If you did that via SU, you would still need to give out the root password and having an open account with root privileges or escalation capable (same thing) would be unwise unless you are really sure you can trust the technician and even then would probably change the password now and then but that brings you back to square one.

    There are other methods to accomplish what you ask though which would allow you a lot more security than what you describe and still allow you to keep your root password separate. I personally have root access to probably darn near at least half of the hosting providers and data centers out there but then I'm pretty well known and widely trusted and for good reason. If you want to set up something similar (not the same though for security) as what I use with my clients, I can certainly help assist you with that.
    Last edited by Spiral; 10-21-2009 at 10:20 AM.

  3. #3
    Member
    Join Date
    Jul 2009
    Posts
    28


    Use AuthKey to access SSH, rather than password auth, if that's an option for you. The root password isn't needed then.

    Puttygen is a good key generator. I use it.

  4. #4
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025


    Quote Originally Posted by TheSidewinder View Post
    Use AuthKey to access SSH, rather than password auth, if that's an option for you. The root password isn't needed then.

    Puttygen is a good key generator. I use it.
    I follow where you are going with that but I didn't mention that as I don't think this falls totally in line with what the user was asking!

    If I understand them correctly, they want to be able to give server technicians or specialists like myself full access but don't want to have to change the root password each time or leave the system open.

    Theoretically, yes they could issue additional root level certificates and disable access on those when the technician was offline but then that would expend the same effort as changing their root password plus there is the added issue of "What if the issue requires WHM login?" in which case you are right back to square #1 because the technician would need the root password unless you want to also take the time to set up a root level reseller for that purpose but again that brings you back to the extra effort it sounds like this user is wanting to avoid yet keep security tightened down as securely as possible.

  5. #5
    cPanel Partner NOC
    Join Date
    Apr 2005
    Location
    Ashburn, VA
    Posts
    2


    Quote Originally Posted by Spiral View Post
    I follow where you are going with that but I didn't mention that as I don't think this falls totally in line with what the user was asking!

    If I understand them correctly, they want to be able to give server technicians or specialists like myself full access but don't want to have to change the root password each time or leave the system open.

    Theoretically, yes they could issue additional root level certificates and disable access on those when the technician was offline but then that would expend the same effort as changing their root password plus there is the added issue of "What if the issue requires WHM login?" in which case you are right back to square #1 because the technician would need the root password unless you want to also take the time to set up a root level reseller for that purpose but again that brings you back to the extra effort it sounds like this user is wanting to avoid yet keep security tightened down as securely as possible.
    If you set up an SSH user that can sudo to root, the cPanel techs could make a copy of the shadow file, change the root password to let them into WHM then move the shadow file back to set the root password back to what it was.

    Does that accomplish what you (the OP I guess) want?

    In that case the only thing you would have to worry about is a user changing a password while the cPanel techs are working on the server and it getting reverted, but cPanel's team normally are very quick in my experience.
    Last edited by Daniel.L; 10-21-2009 at 11:06 AM.

  6. #6
    Member
    Join Date
    Mar 2009
    Posts
    6

    temporary passwords are preferred for this

    Hello,

    We can send you an ssh key to install if you don't want to give us your password but unfortunately, we will always need the root password to log in to WHM. The best procedure for this is usually for you to set a temporary root password that you change back to your regular password after we're done working on your machine.
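
The key-based access suggested in posts #3 and #6, sketched as an added example that is not part of the original thread and is not cPanel's own tooling: it installs a technician's public key with OpenSSH's `expiry-time` authorized_keys option (OpenSSH 7.7 or later) and removes it again by ticket tag. The function names, the `support-ticket-<id>` tag and the sample key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: time-boxed SSH key access for a support technician.
# The "support-ticket-<id>" tag and the sample key below are assumptions.
valid_ticket() { case $1 in ''|*[!A-Za-z0-9]*) return 1 ;; esac; }

# grant_key FILE TICKET EXPIRY PUBKEY  (EXPIRY is YYYYMMDD, enforced by sshd)
grant_key() {
    file=$1 ticket=$2 expiry=$3 pubkey=$4
    valid_ticket "$ticket" || { echo "bad ticket id" >&2; return 1; }
    case $expiry in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "expiry must be YYYYMMDD" >&2; return 1 ;;
    esac
    keytype=${pubkey%% *}
    rest=${pubkey#* }
    blob=${rest%% *}
    # Accept only "type blob": a pasted key cannot carry options or extra lines.
    case $keytype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) ;;
        *) echo "unsupported key type" >&2; return 1 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key blob" >&2; return 1 ;;
    esac
    # Drop the technician's comment and tag the line with the ticket instead.
    ( umask 077
      printf 'expiry-time="%s" %s %s support-ticket-%s\n' \
          "$expiry" "$keytype" "$blob" "$ticket" >> "$file" )
}

# revoke_key FILE TICKET  (removes every key tagged with that ticket)
revoke_key() {
    file=$1 ticket=$2
    valid_ticket "$ticket" || return 1
    [ -f "$file" ] || return 0
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # grep -v exits 1 when no lines remain; only a higher status is an error.
    grep -v " support-ticket-$ticket\$" "$file" > "$tmp" || [ $? -eq 1 ] ||
        { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# Demo on a scratch file with a constructed, non-functional key.
demo=$(mktemp -d)
grant_key "$demo/authorized_keys" 12345 20991231 \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleOnly tech@example"
cat "$demo/authorized_keys"; revoke_key "$demo/authorized_keys" 12345
rm -rf "$demo"
```

This covers SSH only; as post #6 states, a WHM login still needs the root password.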
