SOLVED [CPANEL-26566] Security Advisor's PermitRootLogin check is inaccurate

SJR

Active Member
Jan 2, 2017
27
3
3
USA
cPanel Access Level
Website Owner
Just did cPanel upgrade to v80.0.9. Immediate issues I observed:

1) Security Advisor shows 'SSH direct root logins are permitted' and suggests 'Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “without-password” or “no”, then restart SSH'.
Note: my sshd_config was set to 'no' prior and got changed to 'yes'. I just changed file to 'no' and restarted SSH and same warning in Security Advisor still shows.

2) SSH Password Authorization Tweak was set to 'disabled' prior and got changed to 'enabled'. I changed back to 'disabled'. Regardless of either setting, Security Advisor shows green check as 'disabled'.

I'm concerned that during upgrade, some security settings have been set to less secure settings.

I have rebooted server twice. No changes.

Advice anyone?

Thanks.

Mod Edit Note: The third-question was moved to a separate thread.
 
Last edited by a moderator:

thanasis

Well-Known Member
Nov 24, 2017
67
3
8
Greece
cPanel Access Level
Root Administrator
Hello,
I did the upgrade to cPanel v80.0.9 and after that i saw this:

SSH direct root logins are permitted.
Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “without-password” or “no”, then restart SSH in the “Restart SSH” area

I did it, i set it to "no".

After this i can't loging via SSH, i have the error "Access Denied".

How can i fix it ?

Im using PuTTY client.
 

Infopro

Well-Known Member
May 20, 2003
17,113
507
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
The autofixer shoud get you back in:
How to Secure SSH - cPanel Knowledge Base - cPanel Documentation
AutoFixer - cPanel Knowledge Base - cPanel Documentation
If you accidentally misconfigure your SSH configuration file, navigate to the following link in your web browser (where example.com represents the server's hostname or main IP address):


Code:
https://example.com:2087/scripts2/doautofixer?autofix=safesshrestart
This script attempt to will temporarily configure an additional SSH configuration file for port 22, which will allow you to access, edit, and fix the original SSH configuration file. If another service or daemon uses port 22, the script will configure an additional SSH configuration file for port 23.
 
  • Like
Reactions: thanasis

thanasis

Well-Known Member
Nov 24, 2017
67
3
8
Greece
cPanel Access Level
Root Administrator
As i checked the "without-password" allows root login only with public key authentication.
And the "no" “ root is not allowed to log in.
Am i right?

Also, i did a manually edit /etc/ssh/sshd_config and changed PermitRootLogin to “without-password” and i did a “Restart SSH” ....
but at cPanel Security Advisor i see again "SSH direct root logins are permitted"

What is my mistake ?
 

Attachments

Dougrun

Member
Sep 18, 2015
6
2
3
SLO, CA
cPanel Access Level
Root Administrator
I am also getting the security advisor error that root logins are permitted but my config file already has PermitRootLogin no. I even tried rebooting and the notice still appears. v80.0.9
 

Infopro

Well-Known Member
May 20, 2003
17,113
507
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
Also, i did a manually edit /etc/ssh/sshd_config and changed PermitRootLogin to “without-password”
I am also getting the security advisor error that root logins are permitted but my config file already has PermitRootLogin no.
These are conflicting comments if I'm understanding you correctly.
 

thanasis

Well-Known Member
Nov 24, 2017
67
3
8
Greece
cPanel Access Level
Root Administrator
I had this error "
Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “without-password” or “no”, then restart SSH in the “Restart SSH” area" at at cPanel Security Advisor.
Now at v80.0.10 is OK.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,902
2,227
363
cPanel Access Level
DataCenter Provider
Twitter
Hello Everyone,

1) Security Advisor shows 'SSH direct root logins are permitted' and suggests 'Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “without-password” or “no”, then restart SSH'.
Note: my sshd_config was set to 'no' prior and got changed to 'yes'. I just changed file to 'no' and restarted SSH and same warning in Security Advisor still shows.
Case CPANEL-26566 was published as part of a Security Advisor update with version 80.0.10 to address the issue issue where Security Advisor did not accurately determine how 'PermitRootLogin' was configured in the system's /etc/ssh/sshd_config file.

2) SSH Password Authorization Tweak was set to 'disabled' prior and got changed to 'enabled'. I changed back to 'disabled'. Regardless of either setting, Security Advisor shows green check as 'disabled'.
Case CPANEL-25755 was published as part of a Security Advisor update with version 80.0.10 to address the issue issue where Security Advisor did not accurately determine the status of WHM >> SSH Password Authorization Tweak.

Thank you.

Note: The "filesystem quotas are currently disabled" question was moved to this thread.