SSH Root Logins, Privilege Escalation and Server Security in cPanel
As you dig deeper into server administration, you’ll eventually need to log into your server via SSH as root. Logging into your server as root allows you to easily accomplish many tasks, but it demands a certain level of security precaution.
SSH root logins are a major potential security vulnerability. The root user is the administrative user of a server and has full access to it. If compromised, the root account provides the malicious user with complete control. Anyone logged into a server with root access can write, erase, edit, upload or download any file. It is an all-access pass to your server, and simply guarding your root password isn’t enough to protect yourself.
There are two ways to mitigate this security concern.
SSH Key Authentication
As discussed in a previous Tech Bench post, SSH key authentication limits root access to only those people on computers with the correct authentication key.
Escalating users to root
The second option is to disable direct root access and configure one or more regular SSH accounts such that users can escalate their privileges to the root level. This provides an extra layer of security, eliminating the possibility that a server can be compromised simply by stealing the password for user: root.
Disabling SSH root logins
Because of the security risks inherent in direct SSH root access, nearly all VPS packages, including ServInt VPS and Flex dedicated accounts, will be delivered with direct root access disabled by default. If, for some reason, this is not done by your host, you will need to disable it yourself by editing /etc/ssh/sshd_config from the command line. Ask your host for more details before editing this file.
Configuring SSH root escalation for cPanel users
Configuring SSH root escalation for a user in cPanel can be accomplished for any server with SSH access by simply adding that cPanel account to the Wheel Group. To do so:
- Log into WHM
- Navigate to Security Center » Manage Wheel Group Users
- Choose the cPanel user and then click Add to Group.
- Once done you will need to restart SSH from WHM via Restart Services » SSH Server (OpenSSH).
Configuring SSH root escalation for non-cPanel users
To configure SSH root escalation for a non-cPanel user, you will need to add that user to the wheel group in WHM (above) and then complete one other step: editing the passwd file of your server.
- Log into the server with root access
- Open the passwd file (located in /etc/passwd)
Note: if you do not know how to open and edit a file directly on the command line, you can learn how to use an editor such as nano.
- Each line of the file is for one user. Locate the user you are granting access to and edit the text of that line, changing /bin/false to /bin/bash.
- Restart the SSH service, either through WHM as outlined previously or using the command “service sshd restart”.
Escalating to root as a superuser
With these steps complete, the user can now escalate to root when logged into the server via SSH with their standard credentials. Once logged into the server via SSH, the user simply types the command “su” (superuser) and hits Return. The user will be prompted for the root password and when entered correctly will become the root user.
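To check the result of the steps above, the following read-only audit reports whether direct root login is disabled and which wheel members have a login shell. It is an added example, not code from ServInt or cPanel. The function names and sample files are constructed, and it assumes PermitRootLogin is the sshd_config directive that controls direct root logins (the article does not name it).

```shell
#!/bin/sh
# Added example: read-only audit of the settings this article changes.
# Each function takes file paths, so it can be run on copies of the real files.

# Print the global PermitRootLogin value from an sshd_config file.
# sshd uses the first value it finds for a keyword; Match blocks are not
# evaluated here, and commented-out lines are ignored.
root_login_setting() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    echo "${val:-unset}"    # "unset" means sshd's built-in default applies
}

# For each member of the wheel group, print "user shell status".
# $1 = group file, $2 = passwd file.
wheel_report() {
    members=$(awk -F: '$1 == "wheel" { print $4 }' "$1" | tr ',' ' ')
    for u in $members; do
        shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$2")
        case "$shell" in
            "")                status="no-passwd-entry" ;;
            */false|*/nologin) status="cannot-log-in" ;;
            *)                 status="can-log-in" ;;
        esac
        printf '%s %s %s\n' "$u" "${shell:--}" "$status"
    done
}

# Constructed sample files (not from a real server) so the example runs offline.
demo=$(mktemp -d)
printf '%s\n' '# constructed sshd_config' 'Port 22' 'PermitRootLogin no' \
    > "$demo/sshd_config"
printf '%s\n' 'root:x:0:' 'wheel:x:10:alice,deploy' > "$demo/group"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'alice:x:1001:1001::/home/alice:/bin/bash' \
    'deploy:x:1002:1002::/home/deploy:/bin/false' > "$demo/passwd"

echo "PermitRootLogin: $(root_login_setting "$demo/sshd_config")"
wheel_report "$demo/group" "$demo/passwd"
```

On a live server, call the functions with /etc/ssh/sshd_config, /etc/group and /etc/passwd. A wheel member reported as cannot-log-in still has /bin/false (or similar) as a shell and will not be able to reach the “su” step.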
As always, if you have any questions, or if you wish to configure a non-cPanel server for SSH escalation to root privileges, please fill out a ticket in your ServInt customer portal.
The Tech Bench is an ongoing blog series featuring the answers to common questions the ServInt MST fields every day. You can also find more great tech tips in the ServInt KnowledgeBase.