Scary: Losing SSH access when /etc/passwd gets overwritten

Kal

Verified User
Joined
Nov 18, 2019
Messages
69
Location
Australia
Since version 1.61.0, DirectAdmin advises that adding AllowUsers directives to /etc/ssh/sshd_config is redundant, as SSH access is managed in the /etc/passwd file. (See: No more AllowUsers in sshd_config.) So, following this advice, I went ahead and removed all the AllowUsers lines after making sure the users who needed shell access had it set to /bin/bash in /etc/passwd.

Today however, I was surprised to find that the whole file has been overwritten, with everyone but root and admin set to /bin/false. Thank goodness the admin user still has it, as I have root SSH login disabled! 😬 I breathed a sigh of relief and assumed DirectAdmin would never remove admin's shell access… but I was wrong (read on).

So I figure DirectAdmin overwrites /etc/passwd based on your user settings in the panel. (This comment from @smtalk had led me to think I could control things by editing /etc/passwd directly, but maybe that's not a good idea?) I had user SSH disabled at the Reseller Package level, so I turned it on there and made sure it was turned off in the standard User Packages. Then I went in and modified one of my own users, ticking the SSH Access option. After that, I tried to log in to the shell as the admin user, only to find that admin was now locked out! Logging in as the other user I gave SSH access moments before, and then switching to root, I had another look at /etc/passwd. Sure enough, admin's shell had changed to /bin/false.

I still don't know how admin lost its shell access. Even now in DA if I go to List Administrators > admin > Info, it says SSH is enabled for the admin user. In the Modify tab, SSH access is ticked. So this is weird, and kind of scary. I don't like the thought of being locked out of SSH entirely, depending wholly and solely on my DirectAdmin panel login to rescue things.

I then noticed that the admin user (who is also the sole reseller) had lost its reseller package. I guess this happened when I enabled user SSH at the reseller level. So I selected the reseller package from the drop down, and hit save. Nothing really changed in DA, but the admin user's shell has been restored in /etc/passwd. Phew.

I don't believe I made any cardinal server sins here, and yet I came precariously close to being locked out of the shell due to some unpredictable behaviour on DA's part. I'll leave this here for discussion, and a bit of a warning to be careful when making these kinds of changes.
 
Last edited:

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
9,305
Location
LT, EU
So, following this advice, I went ahead and removed all the AllowUsers lines after making sure the users who needed shell access had it set to /bin/bash in /etc/passwd.
I didn't have this in my mind. Users needing access should have SSH enabled in the package/user options :) Sorry for the confusion.
 

Kal

Verified User
Joined
Nov 18, 2019
Messages
69
Location
Australia
I didn't have this in my mind. Users needing access should have SSH enabled in the package/user options :) Sorry for the confusion.
Thanks Martynas. When you said (in that other thread) 'SSH access can be controlled by setting the shell to /bin/false in /etc/passwd', I took the reverse to be true also… that we can enable access by setting the shell to /bin/bash. For further clarification, should we actually be leaving /etc/passwd well alone, and only managing through the DA panel?

Also, any thoughts on why my admin user got locked out of SSH when I didn't make this change (either in DA or /etc/passwd)? Possible bug?
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
1,304
Location
Murfreesboro
To add some questions and thoughts
the install page states
You *must* add "AllowUsers username" to /etc/ssh/sshd_config before you log out from root or you'll lose root on the server forever, and you'll have to format.
Is this needed now?
I had user SSH disabled at the Reseller Package level,
After that, I tried to log in to the shell as the admin user, only to find that admin was now locked out!
Admin is both Admin and Reseller.
control things by editing /etc/passwd directly, but maybe that's not a good idea?)
To me not a good idea. I havent needed to do this yet...
I don't like the thought of being locked out of SSH entirely, depending wholly and solely on my DirectAdmin panel login to rescue things.
Never is a good thought. So hopefully you are not using passwords for root ssh but passphrase keys. Also hopefully the box has a console with your infrastructure provider.
cardinal server sins
We can get sin fixed.. Just need Water.
 

Kal

Verified User
Joined
Nov 18, 2019
Messages
69
Location
Australia
the install page states
Is this needed now?
When I first installed DA, I had direct root SSH access, so it wasn't an issue. I only turned it off once I was all set up. Good question though.

Admin is both Admin and Reseller.
Yes I know. I had user SSH disabled at the Reseller Package level, like this…

Reseller Package SSH settings.png

I never disabled the reseller's SSH access and the admin user never had a problem logging in, until after I enabled SSH Access for Users! I know, it doesn't make any sense. As I said, I did turn off SSH access in the standard User Packages, but again, that shouldn't have affected the admin user.

This does raise another question though… What does happen if you untick that 'SSH Access' option in the Reseller Package? Like you say, admin is both an administrator and a reseller… I'd hope it would not disable admin's SSH access, but I'm not game to try it! 😬
 
Top