Introduction
When you create a ticket with cPanel support, you have the option to provide us with root access to your server.
If you have elected to provide us with root access to your server and you have enabled key authentication, the cPanel service within your server will make an API request to our ticket system and request the public SSH key that was generated for that specific support ticket and place it within the /root/.ssh/authorized_keys file.
When a public key is placed into the /root/.ssh/authorized_keys file, an administrator with the private key will be able to authenticate to your server via SSH as the root user.
cPanel's ticket system is designed to automatically remove these public SSH keys from the /root/.ssh/authorized_keys file automatically once the ticket has been closed.
As the server owner, you are, of course, welcome to inspect the /root/.ssh/authorized_keys file to see what public keys are installed that allow access to the server including any public keys that the cPanel ticket system has installed, and optionally remove those keys to revoke our access even before the ticket has been closed.
The following explains some of the ways that you may check to see if cPanel still has access to your server, as well as how to revoke that access.
Revoking cPanel Support's access to your server from WHM via "Grant cPanel Support Access"
The following article explains the process of revoking cPanel support access to your server via the "Grant cPanel Support Access" tool in WHM:
Revoking cPanel Support Access to Your Server
The difference between this method and the following methods is that, not only will it remove our public SSH key from the /root/.ssh/authorized_keys file, it will also remove the root password from our ticket system if you elected to provide a root password for us to use when providing us with access.
I'd like to note that our access will automatically be revoked from your server when the ticket is finally closed, so these steps are not required of you, but we wanted to provide this information to explain how it works, and also explain to you how to take control of the process if you prefer to do it that way at some point.
How to Inspect your server for authorized key-based SSH access
In order to access your server via key-based SSH authentication, a public key must first be placed into the authoized_keys file on your server. Once the public key has been added to that file, the corresponding private key can be used by cPanel's ticket system to login. As long as the public key has been removed from the authorized_keys file, the corresponding private key can no longer be used to access your server. With this knowledge, you can use the following method to inspect which keys could provide access to your server.
NOTE: While "authorized_keys" is the most common name for this file, it can differ if your server's sshd configuration has customized the name with the following directive: AuthorizedKeysFile
Please see the man pages for questions about this file:
The most basic and reliable method for inspecting the installed public SSH keys is to simply cat out the contents of the file. Each public key will occupy a single line. They are often quite long so you may find it a bit difficult to read:
cat /root/.ssh/authorized_keys
Whenever cPanel places a public key within that file, it will always have the ticket ID and some signifier that it was added by cPanel within the comment portion of the public key. Due to this, you could make use of the following oneliner script to print out only the cPanel public SSH keys, along with their associated ticket IDs:
awk -F"[ _]" '/cpanel/{print "cPanel Ticket ID: "$3"\n"$0"\n"}' /root/.ssh/authorized_keys
Of course, if you have any issues with that script, or if you suspect it may not be showing all of the keys, you should use either the cat or less commands to view the raw file.
IMPORTANT:
If a ticket is opened with cPanel technical support, and then a new ticket is split off from the original ticket, the new ticket will reuse the same public key for access. You may find that the ticket ID noted in the comment for the public key may not always match the ticket that you have open at the current time.
IMPORTANT:
The cPanel ticket system has two different statuses that are used when a ticket has been resolved.
The first status is: Solved
This is the status that is used when either you or cPanel support believes that the issue has been resolved.
The second status is: Closed
A ticket is moved to the "Closed" status after it has sat unaltered in the "Solved" status for 5 days. cPanel's ticket system does not automatically revoke access until the "Closed" status has been reached, so you may find our public keys in the /root/.ssh/authorized_keys files until the "Closed" status has been reached, at which time our system will automatically remove them for you.
Manually Revoking Authorized Public SSH Keys via CLI
Manually revoking access for public SSH keys is as simple as opening the /root/.ssh/authorized_keys file with your favorite text editor and removing the line that contains the public key that you want to revoke access for.
You can also make use of the sed utility to automatically remove all keys that contain the word "cpanel" somewhere in them. This would remove all of cPanel support's public keys, but could also remove any keys that you have added that contain the word "cpanel" as well so you must be very cautious when using the following method.
First you should cat the file so that you know what keys already exist there:
cat /root/.ssh/authorized_keys
Then run the sed command without the -i flag so that you can see how it will change the file by removing all keys that reference cPanel:
sed '/cpanel/d' /root/.ssh/authorized_keys
If that produces the exact changes that you desire, run the following command to make the change permanent:
sed -i.removeCpanelAuthKeysBackup '/cpanel/d' /root/.ssh/authorized_keys
Note that the -i flag is followed by a file extension. You'll notice that a copy of the original configuration file has been placed at:
/root/.ssh/authorized_keys.removeCpanelAuthKeysBackup
If you made a mistake you can simply restore that backup. Otherwise, you can delete the backup if you are positive everything is setup properly.
You'll also notice that there is a copy of each of cPanel's public keys within the /root/.ssh folder if you run the following command:
ls -lah /root/.ssh/*.pub
The presence of these .pub files does NOT indicate that cPanel still has access to your server. cPanel would only still have access to the server if the contents of one of those .pub files was found in the authorized_keys file.
Once you have revoked our access, it would be ideal to also delete those corresponding cPanel .pub files to keep your /root/.ssh directory clean and tidy, but this is not strictly required.
Viewing and Removing Authorized Public Keys via WHM's "Manage root's SSH Keys" interface
The following article explains how you can deauthorize a key via WHM's "Manage root's SSH Keys" inteface. Look at the section labeled "Revoke access from a key":
How to add or remove ssh keys for the root user
When you perform the steps outlined in the above article, it has the same effect as manually opening the /root/.ssh/authroized_keys file and removing the specific line that contains the public key that you want to be removed.
Comments
0 comments
Article is closed for comments.