
How to create a shell user and su - to root.

Discussion in 'General Discussion' started by TogaDave, Jun 23, 2005.

  1. TogaDave

    I've been getting braver and trying to secure my server on my own with the help of this thread but I've sort of run into an embarrassing stumbling block.

    I want to create a shell account to work in SSH so I can disable root, but:

    A) The only way I know of to create a shell account is, for example, enabling shell access for my main user account for my main hosting site on the server. Is there another way I should be doing it?

    B) I'm not familiar with the term "su -"

    I feel silly posting this, but I had to ask. Can anyone offer input?
    Thank you,
    Dave
     
  2. TogaDave

    PS - if I disable telnet, does that affect ability to su - into root (once I know what that means lol) ?
     
  3. chirpy

    Disabling telnet will not affect this at all and should always be disabled anyway.

    It's perfectly fine to enable shell access for a cPanel account and then add that account to the wheel group all in WHM.

    If you were doing it from shell you'd use the useradd and perhaps groupadd utilities.

    One handy place for beginners to experienced admins is the tldp:
    http://www.tldp.org/guides.html
     
  4. TogaDave

    Thanks!

    Here's what I did in case anyone else finds this information useful:

    - SSH'd in and typed: useradd "username" (obviously with new username and no quotes)

    - type: passwd "username" (and gave it a very difficult-to-guess password at prompt)

    - went to WHM, manage wheel group users, added new user to wheel group (thereby giving it "su -" power in SSH)

    - SSH'd in and:
    pico -w /etc/ssh/sshd_config and:
    uncommented port line and set port to higher unused port number
    uncommented Protocol and changed it to just 2
    uncommented PermitRootLogin and set to = no

    - restarted SSH with /etc/rc.d/init.d/sshd restart

    Now root login is blocked, but I can su - to it from the new wheel group user, and even though I skipped a couple of the more technical/complicated security steps, I do feel as though I made strides in the right direction, thanks to this forum!

    I know that this is really basic stuff for seasoned pros, but for me it was a big step and I'm hoping that posting this may encourage other novice/intermediate admins like myself to not be afraid to start trying to learn. This first step was easy enough that I think almost anyone with a dedicated could do it, and it has definitely opened my eyes to learning/doing more to become a proper admin.
     
  5. TogaDave

    Surprisingly my new dedicated came with telnet enabled. Thanks for the tip, I have disabled it using the command in this extremely helpful thread.
     
  6. deborahgsmith

    Just to clarify, can someone tell me why we go to the WHM and add the user to the Wheel instead of using the groupadd command in the shell?

    Just curious what the difference is or what effect it has on the server running WHM instead of a base *nix OS. We have recently seen some issues with using the groupadd command in the shell instead of using the "add users to the Wheel" method where WHM / cPanel has had problems afterwards with user management.

    Thanks!

    Deborah
     
  7. chirpy

    You should be able to use either just fine. I've only come across problems with useradd and not groupadd and those have been on EOL OS's - RH9/FC1.
     
  8. deborahgsmith

    Thanks Chirpy. I was hoping you would see this.

    Strange then, when setting up a user and adding them to the group in the shell, that we couldn't see the user in the WHM popup.

    Maybe it was an anomaly. Those do happen sometimes. I think it was a shake up in the Matrix.

    ;)

    Hope you are well my friend.

    Deborah
     
  9. wptechno

    Oh no!

    I think I did something very bad here.
    I had a PuTTY window open and did all this security SSH2 stuff with cpanel.net as a guide. It all seemed to work according to rkhunter. I had my emergency PuTTY window opened, but then I restarted SSH, then tried to log in again using a second PuTTY window as well. I even had my WinSCP program logged in just in case. Then all the PuTTY windows disappeared and WinSCP disconnected. Now I can't even log in with anything except to WHM and FTP users. Not root though. I think I really messed up big time. I guess I got myself in too deep. I'll explain more if someone is willing to help me out with this nightmare.
     
  10. chirpy

    It could simply be that SSH hasn't restarted. Have you tried restarting SSH through WHM (bottom-ish left of the menus)?

    If you still have no joy and want back in quickly, feel free to PM me and I can help out. Otherwise, it might be a grovel to your NOC for someone to use console access to the server.
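
Added example, not part of any post in this thread: a pre-flight check for the lockout described above, run before restarting sshd with `PermitRootLogin no`. It confirms that some non-root member of `wheel` still has a usable login shell. The function names and the list of "no login" shells are assumptions of this example, and the sample files are constructed.

```bash
#!/bin/bash
# Added example: pre-flight check before restarting sshd with PermitRootLogin no.
# All file paths are arguments, so it can be pointed at copies of the real files.

# Print the value of an sshd_config keyword (first uncommented occurrence).
sshd_value() {  # usage: sshd_value <keyword> <sshd_config>
    awk -v k="$1" '{ line = $0; sub(/^[ \t]+/, "", line)
                     split(line, f, /[ \t=]+/)
                     if (tolower(f[1]) == tolower(k)) { print f[2]; exit } }' "$2"
}

# List non-root members of wheel whose passwd entry has a usable login shell.
# Only supplementary members (4th field of the group file) are considered.
wheel_login_users() {  # usage: wheel_login_users <group_file> <passwd_file>
    local members user shell
    members=$(awk -F: '$1 == "wheel" { print $4 }' "$1" | tr ',' ' ')
    for user in $members; do
        [ "$user" = "root" ] && continue
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$2")
        case "$shell" in
            ""|*/nologin|*/false|*/noshell) ;;  # no interactive login possible
            *) echo "$user" ;;
        esac
    done
}

# Return 1 when root login is disabled and nobody else could log in and su -.
safe_to_disable_root() {  # usage: safe_to_disable_root <sshd_config> <group> <passwd>
    local prl users
    prl=$(sshd_value PermitRootLogin "$1" | tr 'A-Z' 'a-z')
    if [ "$prl" != "no" ]; then
        echo "PermitRootLogin is '${prl:-unset}': direct root login not disabled"
        return 0
    fi
    users=$(wheel_login_users "$2" "$3")
    if [ -z "$users" ]; then
        echo "LOCKOUT RISK: PermitRootLogin no and no wheel member has a login shell"
        return 1
    fi
    echo "ok, can log in and su - via:" $users
}

# Constructed sample files (not from the thread) to demonstrate the check.
demo=$(mktemp -d)
printf 'Port 2222\n#PermitRootLogin yes\nPermitRootLogin no\n' > "$demo/sshd_config"
printf 'root:x:0:\nwheel:x:10:root,dave\n' > "$demo/group"
printf 'root:x:0:0::/root:/bin/bash\ndave:x:500:500::/home/dave:/bin/bash\n' > "$demo/passwd"
safe_to_disable_root "$demo/sshd_config" "$demo/group" "$demo/passwd"
```

On a live server the arguments would be `/etc/ssh/sshd_config`, `/etc/group` and `/etc/passwd`; running `sshd -t` as well catches syntax errors in the edited config before the restart.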
     
  11. randomuser

    Just thought I'd chime in to answer the su question. "su" stands for "substitute user", meaning you can switch users. The "-" option is for calling a login shell, which will give you root's environment. Confused yet? Nah..

    When most people say "su", they're usually referring to switching to root from another account ("su" is typically synonymous with "su to root", although you can su to any regular user or root, if you know the root password of course). The "-" option is probably easier demonstrated than explained.


    After running su, my current dir doesn't change (/usr/local/apache2), and you'll notice the
    "/home/me/bin" at the end of my path, where "me" is my username.

    [me@host:/usr/local/apache2]$ su
    Password:
    [root@host:/usr/local/apache2]# echo $PATH
    /usr/kerberos/sbin:/usr/kerberos/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11R6/bin:/home/me/bin


    Now we call a login shell with the "-" option. The new shell gives me the regular root environment. After running su -, I am in my ~ (my home dir), and I have the typical /home/root path at the end of my path.

    [me@host:/usr/local/apache2]$ su -
    Password:
    [root@host:~]# echo $PATH
    /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin

    Basically with "su -" it's as if you logged directly into the box as that user. I hope all this makes sense. It's sorta covered in the manpages, just not as in depth that I've seen.

    By the way, what you've done with ssh is awesome. Moving it to another port will keep 99% of the people who are looking to break into hosts via ssh out of your hair and your logs.
     