Since version 1.61.0, DirectAdmin advises that adding AllowUsers directives to /etc/ssh/sshd_config is redundant, as SSH access is managed in the /etc/passwd file. (See: No more AllowUsers in sshd_config.) So, following this advice, I went ahead and removed all the AllowUsers lines after making sure the users who needed shell access had it set to /bin/bash in /etc/passwd.
Today however, I was surprised to find that the whole file has been overwritten, with everyone but root and admin set to /bin/false. Thank goodness the admin user still has it, as I have root SSH login disabled! I breathed a sigh of relief and assumed DirectAdmin would never remove admin's shell access… but I was wrong (read on).
So I figure DirectAdmin overwrites /etc/passwd based on your user settings in the panel. (This comment from @smtalk had led me to think I could control things by editing /etc/passwd directly, but maybe that's not a good idea?) I had user SSH disabled at the Reseller Package level, so I turned it on there and made sure it was turned off in the standard User Packages. Then I went in and modified one of my own users, ticking the SSH Access option. After that, I tried to log in to the shell as the admin user, only to find that admin was now locked out! Logging in as the other user I gave SSH access moments before, and then switching to root, I had another look at /etc/passwd. Sure enough, admin's shell had changed to /bin/false.
I still don't know how admin lost its shell access. Even now in DA if I go to List Administrators > admin > Info, it says SSH is enabled for the admin user. In the Modify tab, SSH access is ticked. So this is weird, and kind of scary. I don't like the thought of being locked out of SSH entirely, depending wholly and solely on my DirectAdmin panel login to rescue things.
I then noticed that the admin user (who is also the sole reseller) had lost its reseller package. I guess this happened when I enabled user SSH at the reseller level. So I selected the reseller package from the drop-down, and hit save. Nothing really changed in DA, but the admin user's shell has been restored in /etc/passwd. Phew.
I don't believe I made any cardinal server sins here, and yet I came precariously close to being locked out of the shell due to some unpredictable behaviour on DA's part. I'll leave this here for discussion, and a bit of a warning to be careful when making these kinds of changes.
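A check for the lockout condition described in the post, as an added example that is not part of the original post and not DirectAdmin code: it reads a passwd-format file and reports any account you depend on for SSH whose shell has become a non-login shell or whose entry is gone. The function name, the list of non-login shells and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag accounts that must keep shell access but whose login
# shell in a passwd(5)-format file is a non-login shell, or which are missing.

# Shells treated as "no shell access" (assumption: adjust for your system).
NOLOGIN_SHELLS="/bin/false /usr/bin/false /sbin/nologin /usr/sbin/nologin"

# usage: lost_shell_users PASSWD_FILE USER...
# Prints one "user:shell" line per required user that cannot get a shell.
# Returns 1 if any were found, 0 otherwise.
lost_shell_users() {
    passwd_file=$1; shift
    bad=0
    for user in "$@"; do
        # Field 1 is the login name, field 7 the shell.
        shell=$(awk -F: -v u="$user" \
            '$1 == u { print $7; found = 1; exit }
             END { if (!found) print "MISSING" }' "$passwd_file")
        # An empty shell field means the system default, /bin/sh.
        [ -n "$shell" ] || shell=/bin/sh
        case " $NOLOGIN_SHELLS MISSING " in
            *" $shell "*) echo "$user:$shell"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample mirroring the state described in the post:
# admin has been switched to /bin/false, another user still has bash.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/false
alice:x:1001:1001::/home/alice:/bin/bash
EOF

# On a real server, pass /etc/passwd and the accounts you rely on for SSH.
lost_shell_users "$SAMPLE" admin alice ||
    echo "WARNING: a required account has lost shell access"
```

Run from cron or after any package or user change in the panel, this gives a warning while a working session is still open, before the last account with shell access is lost.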