The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Cpanel Technician Access

Discussion in 'General Discussion' started by dwinans, Oct 19, 2009.

  1. dwinans

    dwinans Member
    PartnerNOC

    Joined:
    Jan 23, 2009
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Currently we are working on developing a process to give cpanel technicians access to our servers. We are trying to avoid giving out root passwords, as we do not want to have to change them every time we submit a ticket to Cpanel and allow them access to our servers to troubleshoot an issue.

    My question is, are there any problems with providing another method other than simply giving out the root password?

    For example, creating a standard user that can su to root, then give the login information for that account?
     
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    If you did that via SU, you would still need to give out the root password and having an open account with root privileges or escalation capable
    (same thing) would be unwise unless you are really sure you can trust the technician and even then would probably change the password now and then but that brings you back to square one.

    There are other methods to accomplish what you ask though which would allow you a lot more security that what you describe and still allow you to keep your root password separate. I personally have root access to probably darn near at least half of the hosting providers and data centers out there but then I'm pretty well known and widely trusted and for good reason. If you want to setup something similar (not the same though for security) as what I use with my clients, I can certainly help assist you with that.
     
    #2 Spiral, Oct 19, 2009
    Last edited: Oct 21, 2009
  3. TheSidewinder

    TheSidewinder Active Member

    Joined:
    Jul 18, 2009
    Messages:
    41
    Likes Received:
    0
    Trophy Points:
    6
    Use AuthKey to access SSH, rather than password auth, if that's an option for you. The root password isn't needed then.

    Puttygen is a good key generator. I use it.
     
  4. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    I follow where you are going with that but I didn't mention that as I don't think this falls totally in line with what the user was asking!

    If I understand them correctly, they want to be able to give server technicians or specialists like myself full access but don't want to have to change the root password each time or leave the system open.

    Theoretically, yes they could issue additional root level certificates and disable access on those when the technician was offline but then that would expend the same effort as changing their root password plus there is the added issue of "What if the issue requires WHM login?" in which case you are right back to square #1 because the technician would need
    the root password unless you want to also take the time to setup a root
    level reseller for that purpose but again that brings you back to the
    extra effort it sounds like this user is wanting to avoid yet keep security
    tightened down as securely as possible.
     
  5. Daniel.L

    Daniel.L Registered
    PartnerNOC

    Joined:
    Apr 24, 2005
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Ashburn, VA
    If you setup a SSH user that can sudo to root, the cPanel techs could make a copy of the shadow file, change the root password to let them into WHM then move the shadow file back to set the root password back to what it was.

    Does that accomplish what you (the OP I guess) wants?

    In that case the only thing you would have to worry about is a user changing a password while the cPanel techs are working on the server and it getting reverted, but cPanel's team normally are very quick in my experience.
     
    #5 Daniel.L, Oct 21, 2009
    Last edited: Oct 21, 2009
  6. Seanformerlyof

    Joined:
    Mar 9, 2009
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    temporary passwords are preferred for this

    Hello,

    We can send you an ssh key to install if you don't want to give us your password but unfortunately, we will always need the root password to login to WHM. The best procedure for this is usually for you to set a temporary root password that you change back to your regular password after we're done working on your machine.
     
Loading...

Share This Page