Licensing restrictions on personal/personal plus discourage cybersecurity best practices

geekgirl (Verified User, joined May 18, 2021, 22 messages)
Currently the personal and personal plus licenses limit accounts to 1 and 2 respectively. This includes the SINGLE admin account. These licenses are intended for personal OR small business use and not for reselling. That makes sense, and the license fees are reasonable for the intended uses. HOWEVER, even in a small business, there needs to be >1 person (number depends on the size of the business) with admin access to all business critical services so if that admin gets hit by a bus, someone else can keep the business services running. That is simply good business practice.

As is, the DirectAdmin licensing policy discourages users from following cybersecurity best practices. By including admin accounts in the limits (of only 1 or 2 users), the policy encourages the sharing of administrative account login credentials and discourages the use of 2FA. That is, for a team of 3 admins to use DirectAdmin under one of these licenses, they would all have to share the same admin account, and since 2FA is tied to a specific device (and 3 users cannot have the same physical device), then 2FA must be disabled in this scenario. Every administrator should have their own account which can be monitored/audited. Furthermore, it is well understood today that password-only authentication is DANGEROUS and easily breached and that 2FA (while not perfect) should be used everywhere possible.

I'm requesting that these licenses support a reasonable number of admin accounts (at least 3) and a limited number of normal user accounts. Personal could support zero non-admin accounts and personal plus could support one non-admin account (as they do now). This would meet the goal of the licenses which is that they be used for small businesses but not be used by big resellers while supporting the use of good cybersecurity practices.

FYI. I sent this in to the feedback.directadmin.com system in early March, but got no response whatsoever.

Thank you.
 
While personal licenses might be suitable for some small businesses (e.g. a single IT person managing a website), they are certainly not intended for teams. A team should see that a Personal license is unsuitable for their needs, and select a different license instead.

Of course, ongoing feedback is welcome so we invite others to post here and/or up-vote your official suggestion here:


Maybe this forum post will spark more interest in the topic. (y)

We believe our Personal licenses are a very good value and don't encourage dangerous activity, but we'd like to hear what others have to say.
 
I would suggest that no website anywhere should be managed by a single person. Even for personal site, my spouse needs access. We don't share accounts. I'm a cybersecurity professional and know better...
 
I'm a cybersecurity professional and know better...
Then you should also know the more access the more risk. It's 50/50 at least especially for personal sites. Not everybody has a spouse and if one would like to give anyone else access.... they should be very very trustworthy.
Next to that, in DA an admin can adjust another admin so it doesn't matter if you have 1 or 3. They can do the same. Unless you create less options for the others, which makes the use of extra accounts obsolete again.

If I'm not mistaken, for 2FA one can also choose an authentication application.

Of course you can suggest, but imho that is just the reason why you did not get a response since early March.
Maybe now you might get a few more, but maybe rather because people would like more accounts than out of security thoughts.
Just my 2 cents.
 
Then you should also know the more access the more risk.
Not always, no. It completely depends on WHO has access. Availability is a cornerstone of security (along with confidentiality and integrity). The risk of failing availability with only one person having access is high. Multiple admins lowers that risk. As such, good business and security practice always gives access to more than one person in the event that 1) the one person gets locked out, 2) the one person gets hit by a bus, or 3) the one person turns malicious. Each person should get a unique account so you can audit what is done and by whom. Password sharing is a no-no.

Not everybody has a spouse and if one would like to give anyone else access.... they should be very very trustworthy.
I never said otherwise. That doesn't mean that someone else shouldn't have access.

Next to that, in DA an admin can adjust another admin so it doesn't matter if you have 1 or 3. They can do the same. Unless you create less options for the others, which makes the use of extra accounts obsolete again.
Um, no... It doesn't work like that. First, the ONE account allowed is what is used to LOG IN to DA. So if I am using 2FA (as I should) and I get kidnapped or die or whatever, no one else can log into DA to create a new admin account. Second, DA won't let you do much of anything if you are over the account limit. My only option is to drop 2FA and give the logon credentials to the other trusted party. That is a non-starter.

If I'm not mistaken, for 2 FA one can also choose for an authentication application.
Sorta, but it doesn't work the way you are thinking. Yes, I can choose a OTP application such as Google Authenticator (or other). But, DA doesn't support SMS text (it shouldn't), Yubikeys, etc. It only supports OTP apps. When you set up your OTP app, you create a one-to-one relationship between the OTP app instance on your phone and the DA instance on the server. My combined app/phone *instance* is registered with the authentication service for the DA instance on my server as part of the process of setting up the 2FA. If the trusted other person installs the same OTP app on his phone, it isn't registered with the server, so he will always fail to authenticate (and no, you cannot register two different OTP app instances with the same account at the same time -- when you register the second, it drops the first.) This is part of the security. You don't want just anyone being able to install the same OTP app and get into your server. That would defeat the purpose. 2FA is set up on a PER ACCOUNT basis, which is why multiple accounts are needed.

Maybe now you might get a few more, but maybe rather because people would like more accounts than out of security thoughts.
Personally, I'd rather see a licensing option for a much smaller number of domains and more admin accounts. I'm using DA for a really small pet project that has far less than 10 domain names. I just don't need that, nor do I need anything in the Pro Pack. I just need basic administration capability with backup admin accounts. Buying a large license that has tons of bells and whistles that aren't needed just to get more admins is really a non-starter. I have to pay for this out of my own pocket.

Perhaps an ala carte license would be worth thinking about. Pay an extra $1/month for each added admin account or domain over some really small base amount.
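The OTP binding described in the post above, as an added example (not DirectAdmin's code, and not code posted by anyone in this thread): a minimal RFC 6238 TOTP implementation using only the Python standard library, with an Account class that holds exactly one enrolled secret. Enrolling a second authenticator app replaces the first, which is why two people cannot both keep working 2FA on one shared account and why per-person accounts are needed. The account name, the secrets and the two_phones_one_account() helper are made up for the illustration; the HOTP/TOTP test vectors referred to in the docstrings are the standard ones from RFC 4226 and RFC 6238.

```python
"""RFC 6238 TOTP enrolment bound to one account and one authenticator instance.

Added example for this thread, not DirectAdmin code. It models the behaviour
described above: an account holds one secret; enrolling a second OTP app
(a second phone) replaces it, so the first phone's codes stop verifying.
Account names and secrets below are made up for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

DIGITS = 6   # code length most OTP apps display
STEP = 30    # seconds per time step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    With the RFC secret b"12345678901234567890", counter 0 gives 755224."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (RFC vector: t=59 -> 287082)."""
    return hotp(secret, at // step)


class Account:
    """A login that can carry at most one enrolled authenticator app instance."""

    def __init__(self, name: str):
        self.name = name
        self.secret: Optional[bytes] = None  # set by enrol(); None means 2FA not enabled
        self.last_counter = -1               # highest time step already consumed (replay guard)

    def enrol(self, secret: Optional[bytes] = None) -> str:
        """Bind a (new) authenticator. Returns the base32 string the app scans.
        Calling it again overwrites the previous secret: the old app instance is evicted."""
        self.secret = secret if secret is not None else secrets.token_bytes(20)
        self.last_counter = -1
        return base64.b32encode(self.secret).decode()

    def verify(self, code: str, at: Optional[int] = None, window: int = 1) -> bool:
        """Accept a code for the current step or +/- `window` steps, each step at most once."""
        if self.secret is None:
            return False
        now = int(time.time()) if at is None else at
        counter = now // STEP
        for c in range(counter - window, counter + window + 1):
            if c <= self.last_counter:
                continue  # already used: reject replay of an intercepted code
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def two_phones_one_account(at: int = 1234567890) -> dict:
    """Two people sharing one account: enrolling the second phone evicts the first.
    Secrets and the timestamp are made-up constants so the run is deterministic."""
    admin = Account("admin")
    admin.enrol(b"phone-A-secret-0000000")   # first person's phone
    code_a = totp(admin.secret, at)
    admin.enrol(b"phone-B-secret-1111111")   # second person re-enrols: phone A is evicted
    code_b = totp(admin.secret, at)
    return {
        "phone_a_still_works": admin.verify(code_a, at),   # False: secret was replaced
        "phone_b_works": admin.verify(code_b, at),         # True
        "replay_of_b_works": admin.verify(code_b, at),     # False: same step already consumed
    }


if __name__ == "__main__":
    print(two_phones_one_account())
```

The comparison goes through hmac.compare_digest so the check does not leak timing information, and last_counter makes each time step single-use, so a code captured over the shoulder cannot be replayed within the acceptance window. The thing to notice is that nothing in the scheme can hold two secrets for one login: the server stores one, the app stores one, and they must be the same.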
 
@geekgirl, we are sorry the personal license does not work for you. There are also lite and standard license types for advanced users. Licenses can be managed in the client area.
Repeat: "I'm using DA for a really small pet project that has far less than 10 domain names. I just don't need that, nor do I need anything in the Pro Pack. I just need basic administration capability with backup admin accounts. Buying a large license that has tons of bells and whistles that aren't needed just to get more admins is really a no starter. I have to pay for this out of my own pocket."
 
I'm a little confused here.

When you say "admin account" what exactly are you referring to?

What specifically does an "admin account" have access to in this context?
 
When you create accounts in your DA dashboard, there are two types: admins and normal users. Admins can create other users. Normal users cannot. Admins have a bunch more options and can administer the server. User accounts administer websites. Admin accounts count against the total user account limit.
 
Attachments: Screen Shot 2023-04-14 at 5.42.17 PM.png, Screen Shot 2023-04-14 at 5.43.04 PM.png
Do you mean resellers?

As far as I know - there can be only one "admin" per DirectAdmin install.

The admin user can create resellers or normal users.

The reseller user can create normal accounts but can't create other resellers.

I'm not aware of multiple admin users.

This follows the similar approach that Linux takes, there's only one root user.

While I can appreciate the contingency of what to do if something happens to the one admin user or one root user - from a security standpoint it's really best to leave this level of access to one sole individual. If you have 50 root users and you wake up one day and the whole file system has been deleted... chances are it was probably one of those root users... but which one? Keep that level of access to one individual and the whole file system is deleted... then you kind of know who did it.

Perhaps you need to consider building your own interface and using login keys. This way you can build your own authentication system for "not-quite-admin-level" users and based on that validation system, use the login key(s) to perform the stated action.

Of course, there's always the tried and true method of... "if you need something done with admin privileges email me and tell me what you need done and I'll determine if it's warranted and do it if necessary" option. There really shouldn't be a lot of stuff that multiple people need to be able to do that requires admin level access.
 
I never said otherwise. That doesn't mean that someone else shouldn't have access.
No one else should have access if no other trustworthy person is to be found.
First, the ONE account allowed is what is used to LOG IN to DA.
That's contradictory imho, you just stated that you want to give others access too. So it's either sharing 1 admin account, or using for example 2 or 3 and then it IS working like I said, the other admin can change other admin accounts or even log in to them via DA, no need for 2FA in that case.
So with 3 people having access, there are 3 possible hack options.
Indeed with 2FA via OTP apps, that would be a lot more difficult.

Anyway, I didn't want to start a discussion with you, just wanted to share my point of view. And other panels do not provide such an option either, except for the more expensive licenses, which is understandable in my point of view.

At least you are wrong about 1 point:
personal plus licenses limit accounts to 1 and 2 respectively. This includes the SINGLE admin account.
Personal license will disappear in August. The Personal Plus license has 2 accounts, which -by default- has one admin account. But it's possible to make a second admin account. So then you have the two you would like.
You can't just use any customers anymore on that then, but that is not what these licenses are intended to do.
 
As far as I know - there can be only one "admin" per DirectAdmin install.

The admin user can create resellers or normal users.
No, there can be multiple. Admin user can also create other admin or upgrade user to admin. Or they must have changed that on the personal plus account, but in other licenses it's not a problem anyway.
 
This follows the similar approach that Linux takes, there's only one root user.
Actually, the Linux model changed many years ago because of this very kind of issue. Linux has super users (su) who are authorized to execute privileged commands as root. Admins log on using individual accounts and then su to perform administrative tasks. Root is typically limited so you cannot SSH or log on directly to it. This is a safety/security measure to prevent remote root access from unauthorized individuals. This model allows each admin's activity to be separately monitored.

BTW. DA Admin accounts are su users. They aren't root.

While I can appreciate the contingency of what to do if something happens to the one admin user or one root user - from a security standpoint it's really best to leave this level of access to one sole individual.
I respectfully disagree. That is not how industry does it, nor is it recommended from a security standpoint.

If you have 50 root users and you wake up one day and the whole file system has been deleted... chances are it was probably one of those root users... but which one? Keep that level of access to one individual and the whole file system is deleted... then you kind of know who did it.
Um. No. I cannot imagine any organization of any size (other than perhaps an ISP) needing 50 root users. You don't want just one either, for reasons previously stated.

Of course, there's always the tried and true method of... "if you need something done with admin privileges email me and tell me what you need done and I'll determine if it's warranted and do it if necessary" option. There really shouldn't be a lot of stuff that multiple people need to be able to do that requires admin level access.
And if that one user is unavailable either temporarily or permanently?
 
No one else should have access if no other trustworthy person is to be found.
I do not disagree entirely. However, this does not negate the need for additional admin accounts to ensure availability. At a minimum, put one in escrow and lock it up so someone can get back in on an emergency basis.

That's contradictory imho, you just stated that you want to give others access too. So it's either sharing 1 admin account, or using for example 2 or 3 and then it IS working like I said, the other admin can change other admin accounts or even log in to them via DA, no need for 2 FA in that case.
Right, it's either sharing one admin account or having multiple. I'm asking for the latter.

How does an admin log someone else in to DA?

So with 3 people having access, there are 3 possible hack options.
Indeed with 2FA via OTP apps, that would be a lot more difficult.
Yes, 2FA should always be used, and most especially for admin accounts that have god-like power.

Personal license will disappear in August. The Personal Plus license has 2 accounts, which -by default- has one admin account. But it's possible to make a second admin account. So then you have the two you would like.
You can't just use any customers anymore on that then, but that is not what these licenses are intended to do.
Yes, I am aware. At a cost of 250% more to get services I don't need. I don't need the Pro Pack. I don't even need 10 domains. I really just need basic administration capability with backup admin accounts (plural).
 
Actually, the Linux model changed many years ago because of this very kind of issue. Linux has super users (su) who are authorized to execute privileged commands as root. Admins log on using individual accounts and then su to perform administrative tasks. Root is typically limited so you cannot SSH or log on directly to it. This is a safety/security measure to prevent remote root access from unauthorized individuals. This model allows each admin's activity to be separately monitored.
I think you're talking about sudo. su has been around since... the inception of Linux? su stands for switch user or substitute user. It allows a user to switch into another user. A non-root user will have to know the password of the user they are switching to.

sudo on the other hand allows users to run certain commands as another user (doesn't have to be root). This is all defined within the sudoers file or in sudoers.d directory. This in effect is essentially creating that login key API interface I was talking about. Because you can define in the sudoers file what commands a specific user can run and as what user. You're not really creating additional root users with the sudoers file, you're just simply allowing certain users to run certain programs as root (or whatever user you want them to run the program as).

I think as far as the DirectAdmin restrictions go - I think there just has to be a wall to which those restrictions come up against. The user limit on the personal licenses being one such wall. Should the user limit be increased? That's debatable. But no matter what number it comes to, there's always going to be a case for more. Where does it stop? At some point you have to bite the bullet and either keep the number of users at or below the limit and enjoy a cheaper license. Or pay for a higher priced license.

From an economic and capitalist point of view, I'm sure this is the very reason why DirectAdmin chose that number of accounts for the cheaper personal license. Probably if you could really get a truthful answer from the DirectAdmin sales people, they'd tell you that they'd prefer not to offer the personal licenses at all - they don't make as much money on them. So there's really no incentive for them to raise the number of users allowed on those licenses.
 
Yes, I am aware. At a cost of 250% more to get services I don't need. I don't need the Pro Pack. I don't even need 10 domains. I really just need basic administration capability with backup admin accounts (plural).
While this probably goes beyond the scope of this forum, is there any particular reason why you are tied to DirectAdmin? There are other control panels with administrative capabilities out there not named DirectAdmin. Some may even be free.
 
How does an admin log someone else in to DA?
As I'm not a native English speaker, I do not exactly understand what you are asking. Is it how an admin logs in as somebody else in DA?
If yes, then it's just list users or list administrators, click on the user and you get a "login as ...." option.

Yes, I am aware. At a cost of 250% more to get services I don't need.
Well... that's your choice. You can keep the current version as long as you pay, but that license is just limited to 1 admin account, it always has been and I know lots of people, including forum and small website admins who loved that DA came up with this kind of license.
It pushed other panels (at least CP) to also bring out something similar, which is an improvement for people with a little wallet. Better protection against spammers also than setting up a VPS themselves with little knowledge or maybe a hackable panel too.

It's software and it's like other software and everything else (TV, cars), the more options you want, the more you pay. It's just business.
And for the customer a question of choosing what he wants or which quality he wants; in your case you could just as well use Centos Panel, don't expect to sit on the first row for a dime. Because that's the impression you're giving at the moment, sorry about that.

they'd tell you that they'd prefer not to offer the personal licenses at all
That's certainly not true as DA is the first to have introduced such a license. If they didn't want to offer it, they would not have introduced such a license to begin with, because they were the first. I rather think there was too much fuss made about not having Pro Pack by some, and about not being able to use more accounts by companies, while the intention was in fact for hobbyists and small companies.

Development needs to be paid, they didn't want another "lifetime license" debacle with the cheap ones too, so I really think that is the reason they created the personal plus next to it. This will be supported with newer features, hence more payment just like other licenses. Employees don't work for free. And it's a difference of only $36 a year; try to pay somebody from that.
Then they are rid of the complaints about the difference and can develop all existing licenses in the same way. Which is why the legacy licenses do not get any new features anymore either. And that part is just business indeed. And fair imho.
 
While this probably goes beyond the scope of this forum, is there any particular reason why you are tied to DirectAdmin? There are other control panels with administrative capabilities out there not named DirectAdmin. Some may even be free.
Well, that is a good question. I chose DA because it (at the time) provided closer to what I needed at an affordable price. That all changed. If I'm going to be forced into a higher priced licensing option just to get one option that I need, then I might as well look at other options.
 
As I'm not a native English speaker, I do not exactly understand what you are asking. Is it how an admin logs in as somebody else in DA?
If yes, then it's just list users or list administrators, click on the user and you get a "login as ...." option.
That assumes 1) the other person is standing physically next to you and can get hands on your keyboard, and 2) you have ***more than one account***. The first does not meet my requirements. Fixed physical offices are a thing of the past in many places. If I have the second, I can simply give the additional accounts admin privilege to create my backup accounts. That's all I'm asking for.

It's software and it's like other software and everything else (TV, cars), the more options you want, the more you pay. It's just business.
Therein lies the problem. I repeat: I don't want more options. I don't need Pro Pack. I don't need 10 domains. I just need backup admin accounts. That is actually FEWER options.

Development needs to be paid, they didn't want another "lifetime license" debacle with the cheap ones too, so I really think that is the reason they created the personal plus next to it. This will be supported with newer features, hence more payment just like other licenses. Employees don't work for free. And it's a difference of only $36 a year; try to pay somebody from that.
I do not disagree. I get paid for what I do, and so should other professionals. And, DA can, of course, decide to do what they want. It's their software.

The issue I have is with forcing people into buying more options they do not need (at a 250% increase) yet not providing the options they do need to operate securely. The DA licensing scheme (at the low end) does in fact encourage poor security hygiene, and the fact that this was pointed out and dismissed here is quite chilling. Out of fairness, I will also point out that CP does the same thing. DA could be better and lead the way, but they apparently won't consider it. Until the community shifts mindset, we are going to continue to have an epidemic of unsafe computing. You, yourself, argued against the need for 2FA to prevent unauthorized administrative access through password cracking, so thank you for making my point. In my security monitoring, I see that the vast majority of attacks come from hijacked ISP rent-a-servers that are managed by CP and DA and the like. I see that more than home computers. This really needs to stop. Password cracking is but one attack vector; we should take all vectors off the table that we can.

Perhaps, as was previously suggested, I should just roll my own. Or, I'll just go find a different solution. In any case, this experience has really turned me off to DA. :(
 
I think you're talking about sudo. su has been around since... the inception of Linux? su stands for switch user or substitute user. It allows a user to switch into another user. A non-root user will have to know the password of the user they are switching to.

sudo on the other hand allows users to run certain commands as another user (doesn't have to be root). This is all defined within the sudoers file or in sudoers.d directory. This in effect is essentially creating that login key API interface I was talking about. Because you can define in the sudoers file what commands a specific user can run and as what user. You're not really creating additional root users with the sudoers file, you're just simply allowing certain users to run certain programs as root (or whatever user you want them to run the program as).
Sorry. I meant sudo. Correct: you aren't creating additional root users. I didn't say that you were. It works as I explained. Admins are in the sudo group. By default, sudo users can execute any privileged commands that normally require root privilege without having the root password. They can also "sudo su root" without the root password. Here's a default sudo config file:
me@server:~$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d

Sudo is the standard way of giving someone admin privilege on a Linux host now. You don't give out the root password. Each person has a unique account in the sudo group that can be tracked. Account login, sudo, and other activity is logged to files in /var/log. For example, in auth.log:
Apr 15 13:35:04 server sudo: me : TTY=pts/1 ; PWD=/home/me ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo you
Apr 15 13:35:04 server sudo: pam_unix(sudo:session): session opened for user root by me(uid=0)
Apr 15 13:35:04 server usermod[2555679]: add 'you' to group 'sudo'
Apr 15 13:35:04 server usermod[2555679]: add 'you' to shadow group 'sudo'
Apr 15 13:37:01 server sudo: me : TTY=pts/1 ; PWD=/home/me ; USER=root ; COMMAND=/usr/bin/cat /etc/sudoers
Apr 15 13:37:01 server sudo: pam_unix(sudo:session): session opened for user root by me(uid=0)
Apr 15 13:37:01 server sudo: pam_unix(sudo:session): session closed for user root
Apr 15 13:40:45 server sudo: me : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/su root
I can see that I added "you" to the sudo group, so that security-relevant event was recorded. I can also see that I viewed the /etc/sudoers config file and then did an "sudo su root". I know who changed the system and how they changed it. If there is only one admin account that multiple people use, then I have no idea who made the change.
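As an added illustration of the audit point made in the post above (this is not the poster's code, nor DirectAdmin's, nor any distribution's tool): a small Python parser that reads the sudo entries from auth.log, attributes each command to the individual account that ran it, and flags the events an admin review cares about. The embedded sample log reuses the three sudo lines quoted in the post and adds constructed lines for a visudo run, a user who is not in sudoers, and a wrong-password lockout; the names `you` and `guest` and those extra lines are made up, though they follow the format sudo actually writes.

```python
"""Attribute sudo activity to individual accounts from auth.log lines.

Added example for this thread, not DirectAdmin's or any distribution's tool.
Parses the "sudo: <user> : [<reason> ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..."
records that sudo sends to the auth facility, and flags the ones worth a look.
"""
import re
from collections import defaultdict

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*?) ; )?"   # present only on refusals, e.g. "user NOT in sudoers"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

PRIV_GROUPS = {"sudo", "admin", "wheel"}                  # groups granted ALL in the sudoers shown above
SHELLS = ("/su", "/bash", "/sh", "/zsh", "/dash")          # after these, per-command logging stops
EDITORS = ("/vi", "/vim", "/nano", "/tee", "/cp", "/sed")  # writers that can touch /etc/sudoers

# Sample input: the three sudo lines quoted in the post, plus constructed events.
SAMPLE_LOG = """\
Apr 15 13:35:04 server sudo: me : TTY=pts/1 ; PWD=/home/me ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo you
Apr 15 13:35:04 server sudo: pam_unix(sudo:session): session opened for user root by me(uid=0)
Apr 15 13:35:04 server usermod[2555679]: add 'you' to group 'sudo'
Apr 15 13:37:01 server sudo: me : TTY=pts/1 ; PWD=/home/me ; USER=root ; COMMAND=/usr/bin/cat /etc/sudoers
Apr 15 13:40:45 server sudo: me : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/su root
Apr 15 14:02:10 server sudo: you : TTY=pts/2 ; PWD=/home/you ; USER=root ; COMMAND=/usr/sbin/visudo
Apr 15 14:05:33 server sudo: guest : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/guest ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Apr 15 14:06:01 server sudo: you : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/you ; USER=root ; COMMAND=/usr/bin/apt update
"""


def parse_sudo_line(line: str):
    """Return a dict for a sudo command record, or None for any other line."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def classify(ev: dict) -> str:
    """Bucket an event: denied, root-shell, sudoers-change, privileged-group-change, command."""
    if ev["reason"] is not None:
        return "denied"
    tokens = ev["cmd"].split() or [""]
    prog = tokens[0]
    if prog.endswith(SHELLS):
        return "root-shell"  # e.g. 'sudo su root': what happens next is no longer attributed
    if prog.endswith("/visudo") or (
        prog.endswith(EDITORS) and any(t.startswith("/etc/sudoers") for t in tokens)
    ):
        return "sudoers-change"
    if prog.endswith(("/usermod", "/gpasswd", "/useradd", "/adduser")) and PRIV_GROUPS & set(tokens):
        return "privileged-group-change"  # someone was given (or lost) sudo rights
    return "command"


def audit(log_text: str) -> dict:
    """Per-user list of event categories, plus every non-routine event with who/when/what."""
    by_user = defaultdict(list)
    flagged = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue  # pam_unix session lines, usermod's own lines, etc.
        cat = classify(ev)
        by_user[ev["user"]].append(cat)
        if cat != "command":
            flagged.append((ev["ts"], ev["user"], cat, ev["cmd"]))
    return {"by_user": dict(by_user), "flagged": flagged}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for ts, user, cat, cmd in report["flagged"]:
        print(f"{ts}  {user:<6} {cat:<24} {cmd}")
```

Run against a real /var/log/auth.log the same way (read the file and pass its text to audit()). The categories are the point: the group change, the visudo and the `su root` are each tied to a named account, which is exactly what is lost when several people share one login. Note that after a root-shell event sudo stops logging per command, so an escalation policy that wants a full trail should prefer `sudo <command>` over `sudo su`.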
 