Question on SSH Keys for cPanel users.

[Acenet Andyb]

I noticed WHM -> Manage SSH Keys where you can set this up but it appears to setup a key for root access. Is it possible to setup a SSH key for an individual cPanel user and restrict them to their home folder? Once the key is created using WHM, how would I go about setting the restriction if possible?

Thank you.

 

[Acenet Andyb]

Scratch this. It appears this is done with putty keygen on the client side.

 

[cPanelDon]

I noticed WHM -> Manage SSH Keys where you can set this up but it appears to setup a key for root access. Is it possible to setup a SSH key for an individual cPanel user and restrict them to their home folder? Once the key is created using WHM, how would I go about setting the restriction if possible?

Thank you.

cPanel account users may import or generate unique SSH keys using cPanel via the following menu path (with linked documentation):

• cPanel: Main >> Security >> SSH/Shell Access >> Manage SSH Keys

Using the included Jailed Shell will apply more restrictive SSH access, versus a Normal Shell, as configured using WHM via the following menu path:

• WHM: Main >> Account Functions >> Manage Shell Access

The following configuration option may be used to ensure that the default shell is jailed if and or when WHM is used to grant SSH access:

• WHM: Main >> Server Configuration >> Tweak Settings >> System
  • Default shell jailed [?] Use jailshell as the default shell for all new accounts and modified accounts.

 

[callmelann]

SSH Key === for === cpanel user account (not root)

Hi,

Its not that easy. I just found this issue while trying to securing my server right now. Create a key in Manage SSH Keys is just for root account. I cannot access SSH if I use this key for cpanel account. In the public key also state the [email protected]. Note that I am using Putty.

Jailed shell can be use only awhen cpanel user login SSH using password. I have no luck to try using key generated in Manage SSH Keys. Generate using OpenSSL then Import Key might be a chance. Still trying...

Actually I want to disable SSH Password Authorization Tweak so root and all cpanel account must be login using key, not password.

cPanel account users may import or generate unique SSH keys using cPanel via the following menu path (with linked documentation):

• cPanel: Main >> Security >> SSH/Shell Access >> Manage SSH Keys

Using the included Jailed Shell will apply more restrictive SSH access, versus a Normal Shell, as configured using WHM via the following menu path:

• WHM: Main >> Account Functions >> Manage Shell Access

The following configuration option may be used to ensure that the default shell is jailed if and or when WHM is used to grant SSH access:

• WHM: Main >> Server Configuration >> Tweak Settings >> System
  • Default shell jailed [?] Use jailshell as the default shell for all new accounts and modified accounts.

 

[cPanelDon]

Hi,

Its not that easy. I just found this issue while trying to securing my server right now. Create a key in Manage SSH Keys is just for root account. I cannot access SSH if I use this key for cpanel account. In the public key also state the [email protected]. Note that I am using Putty.

SSH keys are installed to specific accounts; for example, SSH keys installed for root are for root access only. If you want to access SSH by logging-in as a specific user you would need to install the SSH key in the specific user's cPanel account.

Jailed shell can be use only awhen cpanel user login SSH using password. I have no luck to try using key generated in Manage SSH Keys. Generate using OpenSSL then Import Key might be a chance. Still trying...

If the SSH key is installed to the correct account you wish to login as, and if the SSH key is "authorized" then you may access SSH and login as that user regardless if the user's shell is Jailed or Normal.

Actually I want to disable SSH Password Authorization Tweak so root and all cpanel account must be login using key, not password.

You may disable Password Authentication in the SSH daemon configuration and still access SSH using a Jailed Shell. You may toggle Password Authentication in the SSH daemon via WebHost Manager: WHM: Main >> Security Center >> SSH Password Authorization Tweak

 

[callmelann]

Hi, Thank you for the reply. Yes I know how to enable disable SSH Password Tweak, Jailed/unjailed a user, authorize/unauthorize or manage a key

I also notice generated key in the Security >> SSH/Shell Access >> Manage SSH Keys is only for root account.

The only thing is "How to generate a SSH key for cpanel user" as one of the question by the original poster. I believe people reading this thread still dont know how.

SSH keys are installed to specific accounts; for example, SSH keys installed for root are for root access only. If you want to access SSH by logging-in as a specific user you would need to install the SSH key in the specific user's cPanel account.

more specific:

you would need to install the SSH key in the specific user's cPanel account.

I am not sure what do you mean by install. either in cPanel interface or in shell command. In user cPanel, there is no such thing about SSH key or may be I miss something there. I notice about GnuPG Keys but I think it use for communication and email. I just generate GnuPG key from cPanel and import to WHM Manage SSH Keys, success but not displayed in the Public Key. Only Private Key displayed, from the private key, I generate putty PPK format but error shown "puttygen: error loading `/root/.ssh/testkeySSH': file does not begin with OpenSSH key header". I dont have an idea to convert it from PGP to putty PPK. Still have no luck.

 

[cPanelDon]

I am not sure what do you mean by install. either in cPanel interface or in shell command. In user cPanel, there is no such thing about SSH key or may be I miss something there. I notice about GnuPG Keys but I think it use for communication and email. I just generate GnuPG key from cPanel and import to WHM Manage SSH Keys, success but not displayed in the Public Key. Only Private Key displayed, from the private key, I generate putty PPK format but error shown "puttygen: error loading `/root/.ssh/testkeySSH': file does not begin with OpenSSH key header". I dont have an idea to convert it from PGP to putty PPK. Still have no luck.

What you have described leads me to believe the cPanel accounts being tested are using a Feature List where "SSH Connection Window" is disabled or not allowed.

Via root access to WebHost Manager, please ensure that "SSH Connection Window" is allowed, that is, enabled, in your Feature List(s):

• WHM: Main >> Packages >> Feature Manager >> Edit a Feature List >> SSH Connection Window

If you are experiencing difficulty enabling access to managing SSH keys in cPanel, please submit a support request so that we may assist with troubleshooting.

 

[mikelegg]

When I import a public key via cPanel, it says that it was successful and I see the .pub file in the /home/username/.ssh/ folder, but it isn't listed on the manage keys page so I can't authorise it.

 

[mikelegg]

We managed to get the SSH key working for a jailed shell user by manually creating the "authorized_keys" file in their /home/username/.ssh/ folder and adding the public key to it.

cPanel: Main >> Security >> SSH/Shell Access >> Manage SSH Keys still doesn't recognise that the key exists.

Should imported keys be manageable via cPanel?

 

[cPanelDon]

When I import a public key via cPanel, it says that it was successful and I see the .pub file in the /home/username/.ssh/ folder, but it isn't listed on the manage keys page so I can't authorise it.

We managed to get the SSH key working for a jailed shell user by manually creating the "authorized_keys" file in their /home/username/.ssh/ folder and adding the public key to it.

cPanel: Main >> Security >> SSH/Shell Access >> Manage SSH Keys still doesn't recognise that the key exists.

Should imported keys be manageable via cPanel?

What cPanel & WHM version is used when the issue occurs? I was not yet able to reproduce the described behavior during my initial testing using cPanel 11.29.91, a development build.

 

[mikelegg]

What cPanel & WHM version is used when the issue occurs? I was not yet able to reproduce the described behavior during my initial testing using cPanel 11.29.91, a development build.

11.26.20 Stable

 

[mikelegg]

I'm on WHM 11.28.87 now and the keys generated by cPanel don't work in Putty and the keys generated by Putty Key Generator won't import into cPanel.

 

[mikelegg]

I see there is a new thread on this here http://forums.cpanel.net/f5/case-47947-cant-create-ssh-keys-cpanel-user-197232-p2.html

 

[cPanelTristan]

Did the patch provided work for you to correct the issue in the meantime? That post specifically handles details on how to temporarily resolve what is happening until the case has been pushed into your existing version.

 

[mikelegg]

I wasn't sure how to apply the patch so I just added the public key manually.