Root Password Problem

[emaster]

I have just as a security measure changed root password. I have the password written down and the program I generated the password from says I am entering the correct password but it will not let me login as root either in whm or ssh...

Please can anyone help.

[chirpy]

The only thing you can do is to contact your datacenter and have them connect via the console and have them reset your root password for you, it cannot be done remotely.

I'd then advise that you research using key authentication for SSH login to the root account to avoid that problem in the future.

[emaster]

Hi Chirpy

Thanks for your help...I am seeing if the datacenter can do that for me as we speak..

Gary

[astopy]

I'd then advise that you research using key authentication for SSH login to the root account to avoid that problem in the future.

In my opinion it would be better to disable remote root login altogether, and instead use sudo so the root password is never needed.

[sawbuck]

In my opinion it would be better to disable remote root login altogether, and instead use sudo so the root password is never needed.

The advantage of not having to su to root all the time, by allowing a single IP to connect to a second SSH daemon using key authentication on an uncommon port, makes many server tasks a whole lot easier.

[chirpy]

Indeed. Key authentication is leagues more secure than any password based system, especially sudo. Once you start allowing non-priv users to do priv operations you're simply opening yourself up for more trouble. With key authentication enabled and password access disabled you're only realistic next level of access security would be to use port knocking with key authentication.

[astopy]

My way of thinking is that if it is not possible to login directly as root, and only key-based authentication is allowed, then an attacker would have to guess the username of the account you use as an admin, crack your public key and crack your password in order to authenticate with sudo. To me this seems more secure than simply requiring a key to login as root, even if you do have a second daemon running (it would not take long for a determined attacker to find it, no matter which port you put it on).

[chirpy]

I wouldn't disagree with that, on the proviso that the alternative account is not a cPanel account Having said that, cracking an SSH key if you only have root key authentication enabled would be no mean feat.