Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

SSH Keys for Resellers

Discussion in 'Security' started by tecnotronico, Aug 14, 2011.

  1. tecnotronico

    tecnotronico Active Member

    Apr 17, 2004
    Likes Received:
    Trophy Points:
    In order to increase the server's security we want to disable SSH2 Password Authorization and enable SSH Keys to get access for SSH2.

    Well we have some doubts about this and need your appreciated support and answers for the following questions:

    1. How could we generate SSH2 Keys for reseller users instead of just for the root user?

    2. What is the normal procedure to setup the SSH Keys in the server and in the SSH client?

    3. We use the “SSH Secure Shell” software from SSH Communication Security Corp ( Do you know how could we setup the SSH Keys with this client software?

    4. When we ask for the support of the Datacenter tech's normally we provide them with the SSH User/Pw information to let them get SSH access. If we setup the SSH Keys, What would be the better procedure to give them SSH access for future support? What are your recommendations to assure a secure support process avoiding to provide passwords?.

    Thanks in advance for your appreciated prompt support on this matter.
  2. keddie

    keddie Well-Known Member

    Nov 17, 2007
    Likes Received:
    Trophy Points:
    I generally use PuttyGen to generate 4096 bit RSA keys for server access. I use putty for shell access and WinSCP for SFTP.

    Used in conjunction with the Pageant SSH agent (for win) I have secure passwordless access to all of my servers, only needing to enter my passphrase once. This makes management of multiple servers / accounts so much easier.

    You can also write a script that will setup a template authorized_keys file on account creation. This means you'll always have secure SSH / SFTP access to client accounts without password resets etc.

    Most DC techs that I've dealt with in the past have been happy to send me a public key that I then add manually to the root authorized_keys file under /root/.ssh/authorized_keys.

    However, there have been times when techs have been unable / unwilling to use keys, in this case I temporarily enable password authentication while they carry out their work, then disable it afterwards.

    The hardest thing with getting people to use keys is the initial setup, once that's done, it's much easier than the old password based method and so much more secure.


Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice