Warning: You are logged in using the reseller or root password ?

[Jason_C]

Hi,

I sign in to make changes to one of my own sites i have in my WHM and i see this...

Warning: You are logged in using the reseller or root password

I know what it is saying, but what i want to know is if i was to sign in to one of the accounts lets say that i do not know the password to, to do the back ups that i will also be doing every now and then....

will the owner of that account that i first setup for them know the password that i used?

if not why does this warning show, or is this warning for some other reason that i do not yet know.

please explain..

thank you in advance for your help.

Jason

 

[cPanelDavidG]

First, the owner of any account you log into will not know the password you used to access their account.

The warning is there to remind you that you are logged in as a reseller (or root) and as a result may be able to do something in that account that user may not be able to do. Also, some features do not function properly unless you are logged in as the user (rather than reseller/root).

I know from experience if you are maintaining multiple accounts and have multiple tabs open for different accounts, it would be very hard to remember in which accounts I'm logged in as a reseller if it wasn't for that message.

Also, it's a good reminder that if something isn't working as you expect it to, it's probably because you're logged in as a reseller rather than as that user.

 

[Jason_C]

I see, as long as the main whm account is not compromised. this was my fear.

thank you for your advice.

all new to this whm panel, hope to get some strangers/customers soon!

thanks again

 

[cesare]

Hi.
I am also new to WHM and Server management.

I do feel very embarrassed about this, but I believe its important to let others know what I did without understanding this feature.

Because we are two guys sharing a rented VPS for our small activities, I choose to have the same password for the WHM and for the main account for a domain that we also share.
Yes, I am a newbie at this, and we all need to learn things.

I had noticed this warning earlier on, but did not understand the full implications off it.

Until my dear friend who shared this password with me, logged in to his own account on the same VPS, using his own username for the account and mistakenly writing the password for the account we share.

The result was that he was logged into his own account with the reseller password and thus had access to the other 3 accounts on our vps via the dropdown list.

Mayby I know to little for my own good, but I certainly did not expect that it was possible to login via a combination of the account username and the reseller password. I would have expected that he would have to use the reseller username/password combination to do that.

I resorted to remove the possibility via Tweak settings - System
where it says
Disable login with root or reseller password into the users' cPanel interface. Also disable switch account dropdown in themes with switch account feature.
Changed all passwords naturally.
And have learned the valuable lesson to not use a password more than one place. :D

I will say to my defense that my friend and I are very close, and I trust him my life, but still feel like a bloody amateur.

I have allready changed my focus to learn what is needed, and sought help from external sources to get the security in place before starting to use my new system for more important things than playing with it.

;0)Cesare

 

[Jason_C]

Hi,

So this means that if an account with username 'account1' has a password 'fred' and then later changes this account password to 'mary' and mary just happens to be the root password then they can access all account in my WHM ? even though they have a different username ?!
!!!!

if so where is the security?

i see from the last post that highlighted this even more so to me. that i should be able to stop this in the themes...



quote....
Disable login with root or reseller password into the users' cPanel interface. Also disable switch account dropdown in themes with switch account feature
....

i can not seem to find this in my WHM, please can you help out a bit more.


thanks for this very good advice.

Jason

 

[markfrompf]

Well, that's one big reason that you need to have a very secure password.

What are the chances of somebody using your root password as theirs?
The chances are so extremely low if you have a good password, like "rngu59305" or something that doesn't make sense to anyone but you!

:D

PS: I just typed some random letters and numbers, so hackers: don't waste a failed ssh log in to my servers - I know you're watching.

 

[cesare]

Hi jason.

I WHM choose Serverconfiguration - Tweak settings and go down to the last page called system. You will find it there. Mark it to disable it.

There are excellent guides in here to secure your system, but for me as a coder, I get into problems when things do not work as intended, for instance when my host has compiled a costum kernel. Do not want to go into details in an open forum.

That is the reason I find it important as a newbie in this area, also to mention what I discover that I did not know.

I do however know how to create good passwords, and I must agree with mark in his point.
I find it highly unlikely that a random user could accidently recreate my passwords.
A good password should contain at least 8 characters, including uppercase, lovercase, and numbers at least. Other signs like - # , etc will expand the number of combinations very much.
The number of possible combinations increase for every different type of sign you use because it is the faculty(don't know if this if the correct word in english) of possible signs of each kind. (place1 * possible signs) * (place2 * possible signs) Not entirely correct, but you get the picture.

So how do you create a good password:
I am not an expert, but my own way is to use at least 10 characters and to make something that is easy to remember I just make a sentence that makes sense to me.
Example.

IdnlUh2rmp,sd
I created it with this sentence.
I do not like U hackers 2 read my posts, so die.

And for instance your mySql root password you do not have to remember, as you can set a new trough the WHM, so just give i a random set of characters.

;0)Bent

 

[Jason_C]

--------------
I WHM choose Serverconfiguration - Tweak settings and go down to the last page called system. You will find it there. Mark it to disable it.
--------------

I can not find this menu item in my WHM, i do not 'own' the server i rent it from someone.
would i have to get them to do this?

thanks

Jason