Need to have 2FA enabled for WHM for multiple co-workers

Status
Not open for further replies.

JensKirk

Registered
Jun 18, 2020
4
0
1
Denmark
cPanel Access Level
Root Administrator
Hi :)

We are a handful of sysadmins in the company and we would like to have 2FA enabled for WHM so we can gain more security on the server.

We are sharing the same root login for WHM, but the 2FA feature seems to allow only one device as an authenticator, meaning that we have to share the same smartphone (which is not realistic).

We also tried creating more root-like logins for WHM, but it only resulted in having extra logins that could not see the accounts (because of the owner aspect). All co-workers need to see all cPanel accounts so they can support all clients.

What to do to get 2FA enabled for WHM for multiple coworkers (using their own smartphones)?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,266
313
Houston
This is extremely unadvisable. Sharing a root login between multiple parties is a rather large security concern. Rather than do this, I'd suggest creating several reseller users - one for each admin that will need access. This way not only can you all log in with your own passwords and set up 2FA, but you can assign necessary privileges to each separately. You can also assign a reseller user root privileges to allow for multiple privileged users access to the system if necessary.

We have documentation that goes over creating the reseller account here: How to Create a WHM Reseller Without an Associated Domain | cPanel & WHM Documentation
 

JensKirk

But your guide is saying this:
"We strongly recommend that you do not use this method to create administrative user accounts. This method can cause problems with your server configuration."

Our server center will no longer take the responsibility for the server if we do an action that can make the server more unstable.

So what to do?
 

cPanelLauren

Right, but sharing root logins was never the alternate solution to this as it's extremely insecure. I would assume if your provider was aware that you were sharing the root login between multiple people it would also not take responsibility for the server. The only alternative that would provide a solution for what you're requesting would be the suggestion I provided.
 

JensKirk

We are in a deadlock. Our server center will not take the responsibility for creating admin logins with root privileges because of the statement in your guide:

"We strongly recommend that you do not use this method to create administrative user accounts. This method can cause problems with your server configuration."

And we must have more than one admin with root privileges on the server, otherwise we cannot as a team handle the cases that come up.

Can you improve your software so we can do this in the future?
 

cPanelLauren

I think you have some confusion here, this isn't a limitation of our software, this is an issue with what you're attempting to do being highly insecure. Linux users with root privileges should always be limited to one user and should NEVER be the primary user from a security-based standpoint.

The warning in the documentation regarding creating administrative users without an associated account can cause issues due to the fact that the assumption is these administrators will also have an account associated with them but it is the only way to do what you want in a secure manner. You could just create legitimate accounts then assign them admin privileges by making them resellers but that would add to your total number of accounts and may affect your license cost.
 

JensKirk

>>You could just create legitimate accounts then assign them admin privileges by making them resellers
I understand, but they can only see the cpanels that they are the owners / resellers of. We need them to see ALL cpanels because they need to help ALL clients calling in with problems. How can this be done? :)
 

cPanelLauren

This can be done in the way I told you previously. There is no other way to do this, either you continue with root access for them all and have them all share a password which is highly insecure and not advisable at all or you go about the method noted in our knowledgebase. The way you're doing this now is far more insecure with the potential to cause far more issues with your server than the suggested method. I've made this clear multiple times, I'm unsure what else to tell you. This isn't a product limitation, there isn't another way to do this securely. This is a conversation you'll need to pursue further with your provider and because it's been stated several times here what the solution is and it appears that we're going around in circles I'm closing this thread to further responses.
 