One line (or more) command line via CP

SeLLeRoNe

Hi,

Last week it happened to me that I did a server update (CentOS) and ssh could not start anymore because of an openssl version issue (need to rebuild from update.script), but I wasn't, of course, able to log into the server (DA was working fine), so here is my idea...

It would be nice to have a place in the CP where to run (as root, with password required) a single command line (or more, but single would maybe be easier) where a sysadmin can run commands for diagnostics or to solve problems (where possible).

For example, in my case it was enough to just run:
cd /usr/local/update.script && ./update.script OPENSSL && /etc/init.d/sshd restart

This command for sure would have helped me solve this problem pretty fast, instead of needing to physically log into the box directly with a keyboard.

Can it be done? Is it suggested? Maybe a directadmin.conf value to enable/disable it would be useful to improve security.

Any hint?

Best regards
 
Did the update script work for you? I had a similar problem recently on a very old box (I still had a shell open so I was still in the server) and I ended up moving all the sites to a newer server, because even manual install wouldn't work; the server was running an old version of CentOS and I couldn't even rebuild SSL from source.

Jeff
 
Yes, update.script did the job correctly and I was able to restart sshd.

If compiling openssl didn't work in your case, you should think about recompiling openssh as well.

Regards
 
Hello,

I'm fairly hesitant about adding root capabilities for Admins.

1) Even though the directadmin.conf needs root authentication.. it would only take the editing of edit_files.txt by mistake to remove the secure=yes option, which then allows editing the directadmin.conf.

2) We could consider it (feedback welcome) but would need a solid way to ensure that it's only enabled if root truly wants it enabled, and would likely be something that cannot be enabled through DA itself (only ssh ahead of time).
For example, create a file
Code:
echo 1 > /root/.root_in_da
where the ownership must be root... or something like that.

3) Note, this could alternatively be something for a plugin.
The "install" step of a plugin does have root access. (suid binaries if post-install commands, or a plugin to do something specific only at plugin-install time)

4) Or... have a secret word stored in the license file... that word can only be obtained via your /clients section?..
Slightly more complicated, and would need a new license download...
Could have a new random value for each download.
This would ensure that only the person who owns the license could turn it on... and only if they have access to both "admin" and the /clients section.

John
 
Hi John,

Thanks for taking the time to consider this idea.

I think your 4th way should be pretty nice; of course this is just for "emergency" cases, and every admin will have to keep in mind that it is at his own risk.

Also, using an SSL cert would ensure that the password is encrypted and secure, but for those who (like me, for example) do not have an SSL cert per server, it would be nice to have an auth key provided by your customers area to put in a dedicated area in the DA CP that, once the license/auth key is verified against your server, enables this function (this should also be done with a time limit, let's say 5/10 mins).

I can understand it is a risk, and I would also consider your 2nd way, so an admin doing maintenance can enable it until the maintenance is done, or also keep it active at startup and delete the file after 30 mins (or less) if no action is taken.

Regards
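
One way to implement the root-owned flag file from point 2 together with the time limit proposed in the reply above, as an added example that is not part of the thread and is not DirectAdmin code. The function names `gate_open` and `gate_sweep`, the exact-content check and the 30-minute default are assumptions.

```shell
#!/bin/sh
# Added example, not DirectAdmin code. Assumes GNU coreutils stat(1) (CentOS).

# gate_open FILE [OWNER_UID] [MAX_AGE_SECONDS]
# Succeeds only if FILE is a regular file (no symlink), owned by OWNER_UID,
# not writable by group/other, contains exactly "1", and was last modified
# less than MAX_AGE_SECONDS ago. Anything else fails closed.
gate_open() {
    file=$1
    owner=${2:-0}            # root, as required in the thread
    max_age=${3:-1800}       # 30 minutes, the limit floated in the thread

    [ -L "$file" ] && return 1          # -f alone would follow a symlink
    [ -f "$file" ] || return 1

    # uid, octal mode and mtime (epoch seconds) of the file itself
    meta=$(stat -c '%u %a %Y' -- "$file") || return 1
    set -- $meta
    [ "$#" -eq 3 ] || return 1
    uid=$1 mode=$2 mtime=$3

    [ "$uid" -eq "$owner" ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1   # group/other write bit set

    [ "$(cat -- "$file")" = "1" ] || return 1   # written by: echo 1 > FILE

    age=$(( $(date +%s) - mtime ))
    [ "$age" -ge 0 ] && [ "$age" -lt "$max_age" ]
}

# gate_sweep FILE [OWNER_UID] [MAX_AGE_SECONDS]
# Run from root's cron: removes a gate that exists but no longer passes
# gate_open, so a forgotten flag cannot leave the feature enabled.
gate_sweep() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        gate_open "$@" || rm -f -- "$1"
    fi
}

# Usage (as root): echo 1 > /root/.root_in_da && chmod 600 /root/.root_in_da
#                  gate_open /root/.root_in_da && echo "enabled"
```

The check is only as strong as the paths that can write as root: if the panel can edit root-owned files at all, it can also create this flag.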
 
Whenever ssh has for any reason been locked from outside access, it's a question of 5-10 minutes to execute any code as root if I have the root password and admin access to directadmin.

That is what can be done:
1. add root crontab file into edit_files.txt
2. create a shell script in admin directory
3. add path to the script into root crontab file
4. wait...

So that's it.

A command line might be a good solution, but I would not like to have it ON by default. And I don't like to have it ON for any other admins on my servers either.
 
4) Or... have a secret word stored in the license file... that word can only be obtained via your /clients section?..

So if I rent directadmin with a server, I won't be able to learn the secret word, and won't be able to change it. And techs from a DC from which I buy a server will know the secret word. Maybe I'm kinda paranoiac...but I'd prefer them not having this ability.
 
What about an authcode to paste inside DA once logged in, with a process that checks the validity and enables this function for a limited time?

Regards
 
Sorry Alex, I did not read the crontab workaround, thanks for sharing that; honestly, I never thought about that ^^

Regards
 
using an SSL cert would ensure that the password is encrypted and secure, but for those who (like me, for example) do not have an SSL cert per server
I'd strongly suggest using a Secure Cert for DirectAdmin login to the admin area. There are several ways to do it without spending money.

One would be to simply install a self-signed Certificate. This would work either if you don't allow client access to your control panel, or if you do, and you don't mind telling your users that they'll need to accept a Self-Signed Certificate 'forever' when they first log into your system.

Another, a bit more complex, is to use a Secure login on port 2222 with a self-signed Certificate, and only use it yourself (of course you'll need to accept the Certificate the first time), and for your users set up insecure login on another port (say 8090, 81, whatever).

And of course you can buy a cheap commercial Certificate. I'll soon be offering a low priced Secure Certificate for port 2222, including installation; look for my advert in the forum advertising section. And there are of course other sources for low priced Secure Certificates you can install yourself.

Jeff
 
If using SSL certs... and you want to save your money, then www.startssl.com is the right choice for you, as they offer free certs, which are good enough for the beginning.

What about an authcode to paste inside DA once logged in, with a process that checks the validity and enables this function for a limited time?

Though it might be useful sometimes... and I know some panels (VPS panels, different hardware routers managing panels) allow that, I'd prefer not to have that. But speaking about how to protect this, IMHO it should be OFF by default, and we would probably need to specify an admin name somewhere in the config, who would be the only one with permission to run shell commands in directadmin, and of course there might be a need to enter the root (or a special) password once per session or with every command executed.
 
Yes, I know, and thanks for both your suggestions.

Until now it has never happened that directadmin somehow got hacked, so I feel pretty secure, but I totally agree about the need for an SSL cert.

The fact is that users use directadmin.domain.tld on port 80 to log in to their directadmin (same link, different domain per user), so I don't know if it makes any sense to get an SSL cert for port 2222 (or, in fact, if the two things can be combined...).

Regards
 
Until now it has never happened that directadmin somehow got hacked, so I feel pretty secure, but I totally agree about the need for an SSL cert.

You never know from where you might need to connect to directadmin... public WiFi in a coffee house... or a friend's computer. SSL makes it safer.
 
I use Class 2 Certs from StartSSL. You pay a yearly fee for Class 2, and you can get unlimited certs, even wildcard ones. Quite good really.

Free certs are valid for 1 year.
 