Is Using Key Authentication for SSH Pointless?
Probably one of the most commonly recommended things to do on any Linux system to harden it is to use private key authentication for SSH instead of password authentication. However, isn't it sort of pointless to do that as long as you still use the root password to login to the WHM web interface? This has got to drive very security conscious Sys Admins nuts!
There are lots of ways to add extra security to login to WHM, such as 2-factor authentication, and/or restrict login to your IP address using the hosts.allow file.
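A small audit of the two controls mentioned above (key-only SSH and an IP restriction in hosts.allow), added here as an illustration and not code from the thread or from cPanel. The config text is constructed sample input, and `cpsrvd` is assumed to be the daemon name WHM/cPanel checks against hosts.allow; verify that against the cPanel documentation for your version.

```python
# Constructed sample configs (not from any real server) exercising the checks.
SSHD_CONFIG = """\
PasswordAuthentication no
# duplicate keyword below: sshd keeps the FIRST value it read, so this is inert
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""
HOSTS_ALLOW = """\
sshd: 203.0.113.0/255.255.255.0, 198.51.100.7
cpsrvd: 203.0.113.0/255.255.255.0
"""

def effective_sshd_setting(text, key):
    """Global value of `key`: sshd uses the first occurrence; keywords after the first Match block are conditional."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == key.lower() and len(parts) == 2:
            return parts[1]
    return None

def hosts_allow_clients(text, daemon):
    """Client patterns granted to `daemon` (hosts.allow syntax: daemon_list : client_list [: option])."""
    clients = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        names = [d.strip().lower() for d in daemons.split(",")]
        if daemon.lower() in names or "all" in names:
            field = rest.split(":", 1)[0]
            clients += [c.strip() for c in field.split(",") if c.strip()]
    return clients

def audit(sshd_text, hosts_text):
    """Report the gaps the thread discusses: password SSH logins still enabled, and WHM (cpsrvd, assumed name) not IP-restricted."""
    findings = []
    pw = effective_sshd_setting(sshd_text, "PasswordAuthentication")
    if pw != "no":
        findings.append("sshd PasswordAuthentication is %r, expected 'no'" % pw)
    if not hosts_allow_clients(hosts_text, "cpsrvd"):
        findings.append("no hosts.allow entry restricting cpsrvd (WHM)")
    return findings
```

Note that sshd takes the first value of a repeated keyword, the opposite of most config files, so a hardening line appended at the bottom of sshd_config may silently do nothing.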
So then the answer to my specific question about using key authentication, and nothing else, is pointless, is YES it is pointless, you have to do other things. If you are a SysAdmin that is on the road working from various clients the IP address restriction isn't really practical or if you have dynamic IP address assignment on the client side. Could you elaborate on how to setup 2-factor authentication for the WHM web panel? I've never heard of any product that does that for WHM?
Just search the documentation! Like here: Two-Factor Authentication for WHM - Documentation - cPanel Documentation
> However, isn't it sort of pointless to do that as long as you still use the root password to login to the WHM web interface?
This is true. And even more true when cPanel allowed you to enable/disable SSH Password Authentication and manage root's SSH keys all from within the WHM. This is an example of where cPanel should have left administrative tasks up to real server administrators, that's just my opinion. Other than that, the other best solution might be to restrict root WHM logins to a certain port and leave resellers' WHM on port 2087. Thus allowing you to further restrict IP access for root WHM access.
What happens if you want to login and you don't have your phone with you because for a variety of reasons like, forgot it, dead battery and no way to charge, hardware failure, no network access, you lost it, got it stolen.
Then you use the Google backup codes created for that very reason you mention. Of course if you forget to carry those codes as well as your phone and password then perhaps you shouldn't be a system admin ;) Just because the feature is there doesn't mean it's the right solution.
Correct, it doesn't, I just gave you a couple of additional methods but it's up to you to find what suits your environment best. Good Luck!
Great suggestion. Thanks for the info. I'd be curious on a guesstimate on the percentage of WHM admins using 2FA & Google Authenticator.
I use 2FA for everything. Even these forums.
Why use it for these forums?
Additional security of course.
I've been using 2FA on both WHM and cPanel logins for over 6 months and it works great, with 0 issues or "broken" anything. I also use it on all websites/systems that need extra security. I use my phone, my iPad and my PC for authentication so the chances of not being able to log in at any given time are very, very, VERYYY low.