Here is an example of the implementation I would like to achieve:
https://www.startssl.com/Account ==> Authenticate
Allow login to WHM, cPanel, and Webmail with key pair
Open Discussion
Allow log in to WHM, cPanel, and Webmail via a key pair. We manage several client servers, all of whom like to reset their root passwords without letting us know. If we could log in with a key pair similar to the root SSH keys it would save a lot of hassle.
This would tie in with http://features.cpanel.net/responses/as-a-server-administrator-i-want-to-limit-root-login-access-to-specific-ips-so-that-i-have-enhanced-security-and-can-limit-root-access
I like this idea 
cPanel, WebHost Manager and WHM are registered trademarks of cPanel, L.L.C. for providing its computer software that facilitates the management and configuration of Internet web servers.
Could you please walk me through how you would see this working? I'm not sure I understand the request exactly.
Could you please walk me through how you would see this working? I'm not sure I understand the request exactly.
To login to WHM, you currently need to use the root password. What we would like to do is to log in to WHM with a key pair so that we would not need the root password for a client's server.
If a client was to reset the root password on a server, we would still be able to access the server's WHM.
To login to WHM, you currently need to use the root password. What we would like to do is to log in to WHM with a key pair so that we would not need the root password for a client's server.
If a client was to reset the root password on a server, we would still be able to access the server's WHM.
You can approximate this right now by logging in with the accesshash for the root user.
You can approximate this right now by logging in with the accesshash for the root user.
Startssl use key authentication to access their admin. I like the idea of it.
To get around your issue couldn't you have your own user with full access rights ? Your customers would know that if they changed your user's password that you wouldn't be able to gain access. We never provide our customers with root access just a reseller account with near to full access
And for the security part, I believe 2FA auth should get this done.
Startssl use key authentication to access their admin. I like the idea of it.
To get around your issue couldn't you have your own user with full access rights ? Your customers would know that if they changed your user's password that you wouldn't be able to gain access. We never provide our customers with root access just a reseller account with near to full access
And for the security part, I believe 2FA auth should get this done.
I think a better feature than this would be to simply have multiple root-level user support. It makes sense from a security perspective — you would now know exactly who has signed in and performed which actions. Additionally each user would have their own credentials and two-factor authentication configuration, no more sharing credentials. I'm guessing it's possible because it's essentially the same as the new remote access keys but with a username/password instead.
Edit: I've just come across this request which appears to be similar to what I've mentioned here. I'll vote on that request, but I think those who have voted on this request should also consider multi-user support as an alternative resolution to the problem in some scenarios.
I think a better feature than this would be to simply have multiple root-level user support. It makes sense from a security perspective — you would now know exactly who has signed in and performed which actions. Additionally each user would have their own credentials and two-factor authentication configuration, no more sharing credentials. I'm guessing it's possible because it's essentially the same as the new remote access keys but with a username/password instead.
Edit: I've just come across this request which appears to be similar to what I've mentioned here. I'll vote on that request, but I think those who have voted on this request should also consider multi-user support as an alternative resolution to the problem in some scenarios.
Replies have been locked on this page!