Is Using Key Authentication for SSH Pointless?

Discussion in 'Security' started by jazee, Nov 4, 2017.

  1. jazee

    jazee Well-Known Member

    Probably one of the most commonly recommended things to do on any Linux system to harden it is to use private key authentication for SSH instead of password authentication. However, isn't it sort of pointless to do that as long as you still use the root password to log in to the WHM web interface? This has got to drive very security-conscious Sys Admins nuts!
     
  2. kernow

    kernow Well-Known Member

    There are lots of ways to add extra security to the WHM login, such as 2-factor authentication, and/or restricting login to your IP address using the hosts.allow file.
     
  3. jazee

    That's reall
    So then the answer to my specific question about whether using key authentication, and nothing else, is pointless, is YES, it is pointless; you have to do other things.

    If you are a SysAdmin that is on the road working from various clients, the IP address restriction isn't really practical, or if you have dynamic IP address assignment on the client side.

    Could you elaborate on how to set up 2-factor authentication for the WHM web panel? I've never heard of any product that does that for WHM?
     
  4. kernow

  5. sparek-3

    sparek-3 Well-Known Member

    This is true. And even more true when cPanel allowed you to enable/disable SSH Password Authentication and manage root's SSH keys all from within the WHM. This is an example of where cPanel should have left administrative tasks up to real server administrators, that's just my opinion.

    Other than that, the other best solution might be to restrict root WHM logins to a certain port and leave resellers' WHM on port 2087, thus allowing you to further restrict IP access for root WHM access.
     
  6. jazee

    That's interesting, never knew this was in WHM. Couple problems with it.

    What happens if you want to log in and you don't have your phone with you, for a variety of reasons like: forgot it, dead battery and no way to charge, hardware failure, no network access, you lost it, got it stolen?

    Then in the documentation, there's a big red box:


    Warning:

    This feature may cause some third-party applications to break significantly, and may cause applications to improperly store data.

    Between those two significant issues, I'd have to say in my opinion, it's not really a smart solution to the fact there's no option to obscure root login for the WHM interface.

    I'd be willing to bet less than 1 in 10,000 cPanel users are using this, or even know about it for that matter. Just because the feature is there doesn't mean it's the right solution.
     
  7. kernow

    Then you use the Google backup codes created for that very reason you mention. Of course, if you forget to carry those codes as well as your phone and password, then perhaps you shouldn't be a system admin ;)
    Correct, it doesn't. I just gave you a couple of additional methods, but it's up to you to find what suits your environment best.
    Good Luck!
     
  8. jazee

    Great suggestion. Thanks for the info.

    I'd be curious on a guesstimate on the percentage of WHM admins using 2FA & Google Authenticator.
     
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I use 2FA for everything. Even these forums.
     
  10. jazee

    Why use it for these forums?
     
  11. Infopro

    Additional security of course.
     
  12. Tearabite

    Tearabite Well-Known Member

    I’ve been using 2FA on both WHM and cPanel logins for over 6 months and it works great, with 0 issues or ‘broken’ anything. I also use it on all websites/systems that need extra security.
    I use my phone, my iPad and my PC for authentication so the chances of not being able to log in at any given time are very, very, VERYYY low.
     