Symptoms
Attempting to access a cPanel account that is using Two-Factor Authentication (2FA) as root either via WHM's List Accounts interface or by accessing the cPanel login form using root's password results in being prompted for the 2FA code of the cPanel user.
Description
When attempting to access a cPanel account, the entered password is checked against the username first. If the password matches, then the login process continues. If it does not match, it checks the password to see if it matches root's password. This is how the root user can access another cPanel user's account using their password rather than the user's password.
If the root user and the cPanel user are configured to use the same password, the software will stop when it sees the entered password matches that of the user and it will assume that it is the user that is trying to log in. When 2FA is enabled for the account, it will dutifully then prompt for the cPanel user's 2FA code.
Workaround
Even if the server is only used by one person, having a user account with the same password as the root account is never a good idea. Changing one of the account's passwords so that they are no longer the same will stop the 2FA prompt from appearing when using root's password and is just good practice whether 2FA is in use or not.
Comments
0 comments
Article is closed for comments.