SSH access becomes disabled

hal

Member
Apr 12, 2006
19
0
151
Hi all

We allow our reseller customers SSH access for their main WHM accounts, and end users for limited periods upon request. We use WHM to enable the facility, and it works fine. However, after an arbitary period of time, SSH access is disabled without our intervention. This causes extra work and inconvenience to both us and our customers, as it means that they have to contact us yet again, and we have to manually reenable it.

Does anybody know why this happens, and how we can prevent it? Once we have authorsed and enabled SSH access, we would like it to stay enabled, and not reset on its own accord.

Thanks to all!

Hal
 

techark

Well-Known Member
May 22, 2002
280
0
316
Hmm wish my servers had that feature.

Then I could enable it for a user to do some work and not have to remember to go back and disable it a few hours or days later.
 

chris74108

Well-Known Member
Apr 30, 2004
86
0
156
hal said:
Hi all

We allow our reseller customers SSH access for their main WHM accounts, and end users for limited periods upon request. We use WHM to enable the facility, and it works fine. However, after an arbitary period of time, SSH access is disabled without our intervention. This causes extra work and inconvenience to both us and our customers, as it means that they have to contact us yet again, and we have to manually reenable it.

Does anybody know why this happens, and how we can prevent it? Once we have authorsed and enabled SSH access, we would like it to stay enabled, and not reset on its own accord.

Thanks to all!

Hal
Simple take away whm access from everyone but yourself. Problem solved....
 

hal

Member
Apr 12, 2006
19
0
151
techark said:
Hmm wish my servers had that feature.

Then I could enable it for a user to do some work and not have to remember to go back and disable it a few hours or days later.

Really, techark? Then maybe there is some problem with our configuration. I agree that it is very useful for end users, but not for resellers, who require access on a frequent basis.

Does anyone have any suggestions about why there are differences in the way this works for us compared with techark?

Thanks
Hal
 

chris74108

Well-Known Member
Apr 30, 2004
86
0
156
I was not kidding. Remove whm access from everyone else and change your root pass.
Someone is disabling it.
 

sparek-3

Well-Known Member
Aug 10, 2002
1,929
180
343
cPanel Access Level
Root Administrator
If you Upgrade/Downgrade an account or if a reseller Upgrade/Downgrades an account, I believe SSH access is reset. Atleast that seems to be the case with our servers, might be an option somewhere though.
 

hal

Member
Apr 12, 2006
19
0
151
That is highly unlikely. It has worked this way on all our servers, including ones we've had a couple of years. I assure you, these have not been hacked, and there is no-one physically tampering with SSH.

Would any CPanel staff mind contributing to this, please? Is there any CPanel code that automatically disables SSH access?

Thanks
Hal
 

hal

Member
Apr 12, 2006
19
0
151
By the way, my last answer was to Chris.


Thank you for your response, nettigritty.


But mainly. thank you, Sparek-3! That's great, as you have confirmed exactly what I am talking about! Changing the package does indeed disable SSH. Is there any way that we can change the scripts to disable this feature? Where can we safely do this?

I also believe that other actions cause. Can anyone give a definitive list as to what these are? Can these also be disabled?

Thanks
 

nettigritty

Well-Known Member
PartnerNOC
Jan 21, 2004
192
0
166
Bangalore, India
If SSH access is enabled in the package that you upgrade / downgrade to it would stay enabled. But.. if that package had Shell Access unticked, it would get disabled when you up/down the account. Edit packages and make sure Shell Access is ticked.

If you don't intend on giving out SSH access to everyone, you could setup seperate SSH enabled packages.
 

hal

Member
Apr 12, 2006
19
0
151
Thank you, again, nettigritty.

With your help, I see now what the packages script is doing - it is indiscriminately overwriting settings to existing accounts, which possibly results in changes that:
1) may not need to be changed, as they are already at the correct setting
2) Admins don't necessarily want changed

Is there any possibility that this functionality will be improved? When a package is amended, there are several different scenarios that would be wanted:

1) Change the settings for the package, so that all new accounts based on that package will inherit the new settings, and existing accounts will be reset to conform to the package (the current behavior)

2) Change the settings for the package, so that all new accounts based on that package will inherit the new settings, and *only selected existing accounts* will be reset to conform to the package

3) Change the settings for the package, so that all new accounts based on that package will inherit the new settings, but *no existing accounts* will be reset or changed in any way.

I feel an interactive interface for this process, with radio buttons stating "Reset all accounts", "Reset selected accounts" and "Don't reset any accounts" would make this new functionality intuitive enough for the administrator or reseller.

I can understand the reasons why this may not have been catered for in the past. Previously, SSH has been considered a “value add”, synonymous with a different level of package, whereby server owners would charge more for a package with SSH access. However, these days, SSH access is much more common, being essential for certain tasks (like setting up Rails etc). Hence, nowadays, I feel that granting SSH access is a totally separate process compared with redefining a package, and therefore one should not necessarily impact upon the other.

I hope the benefits that I have described will be clear to everyone, and that the CPanel developers would seriously consider making these changes to improve the product in a future release.

Sincerely
Hal
 

hal

Member
Apr 12, 2006
19
0
151
nudge

Is there any chance a member of CPanel's staff could indicate whether these suggestions could be considered? It would make such a difference!

Thanks
Hal
 

myusername

Well-Known Member
PartnerNOC
Mar 6, 2003
693
1
168
chown -R us.*yourbase*
cPanel Access Level
DataCenter Provider
Twitter
Basically what needs to happen is each account has a database entry for it's assigned package. That would be a start.

That would eliminate the whole problem of when you edit a package specification, it affecting every user on the server, when all you wanted to do was make the new plan specs available to new customers.

It would also eliminate the whole shell vanishing problem that occurs when packages are edited and a special user has a shell.

So when wwwacct executes it takes a snapshot of the current plan and stores it for that user. Then users can truly have the package they signed up and paid for.

Once they have their package presets saved / associated with their account, you could edit accounts on a "per site" basis, not server-wide, and settings like shell can be available to selected users. Heck with this sort of functionality you could set a timed shell like you guys are talking about that disables itself based on the time stamp using a cron.

I've always wondered why this was never part of cPanel.
 

hal

Member
Apr 12, 2006
19
0
151
Thank you for this brilliant contribution. I am really glad that there are others out there that are also finding it difficult to operate with the current CPanel behaviour.

Does anyone else have a view on this topic? If so, please post it here!

Hal