The Community Forums


WHM with no root login

Discussion in 'Security' started by nimrodx, Aug 31, 2010.

  1. nimrodx

    nimrodx Active Member

    We're looking to implement very strict PCI compliance rules and one of them is to remove root logins completely. I'd like to know if there's a way to log in to WHM without using the root/rootpw as the 'root' user. For example via SSH we can use SSH keys - is there an equivalent we can set up for WHM access?
     
  2. GaryT

    GaryT Well-Known Member

    I would also like more information on this. Most hackers these days instantly know WHM is user ROOT. Shame it cannot be changed, or if it can then please inform us.
     
  3. darren0610

    darren0610 Member

    Yes, I would like to know this too. Is there a way to use a key file for WHM login?
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You are able to, and it is suggested, IMHO, to create a reseller account with access/permission to work inside WHM and not use root unless absolutely needed. This is a smart idea.

    I'm not sure you can remove the root user's access to WHM though, and I'm also not sure of the PCI compliance rules for root user and WHM login.
     
  5. nimrodx

    nimrodx Active Member

    The problem with that is the root account still remains active and if the root pw is known, user 'root' can log in.

    I need full root access via WHM.. but without an actual root login with 'root' and the root PW.
     
  6. nimrodx

    nimrodx Active Member

    What about the new security policy features in 11.28 - will this allow for any kind of manipulation of root login?
     
  7. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    As for having a secondary root account, you can create a cPanel user with a fake domain (e.g. example.com) and then promote them to Reseller with root privileges. This gets that account full root-level access to WHM without logging in as user root.
     
  8. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    With 11.28's Security Policy functionality, you can essentially limit the IPs that can access any account, including root. So if an IP is not authorized, it must know the answers to several security questions before a login can be successful on that username, even if you know the password. This significantly reduces the likelihood of a root login, especially by means of brute forcing.

    For cPanel Partner NOCs, this is essentially identical to the Manage2 system you are familiar with.

    Further manipulation of logins will be possible when the Pluggable Authentication system is implemented in a later version of cPanel/WHM.
     
  9. nimrodx

    nimrodx Active Member

    Hi David,

    That's getting closer to what I'm after. I actually had to use the 5-question verification process this morning for another issue as I'm on site.

    Is there any further information available for this new pluggable authentication system? I realise it's for future releases; however, it may influence how I react at the moment. With over 100 servers to work on.. I'd like to reduce duplicate work as much as possible! :)
     
  10. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Pluggable Authentication is targeted to version 11.32, so documentation for it is not yet available.

    Basically, we're adding an authentication layer that anyone can plug into. This is designed to let folks use alternative authentication methods like LDAP, key authentication etc. for authenticating into services on a cPanel/WHM server. However, if you wanted to build a plugin that intercepted direct logins for user root into WHM or cPanel and always denied them, you could once this system is implemented.

    EDIT: You can track the progress of this feature at: http://forums.cpanel.net/f145/whm-p...tication-pluggable-authentication-154665.html
     
    #10 cPanelDavidG, Sep 1, 2010
    Last edited: Sep 1, 2010
  11. nimrodx

    nimrodx Active Member

    Hi David,

    Thanks for that. Interesting reading and I'll follow it closely :)
     