Subreseller
- Thread starter arazit
- Start date
nobaloney
NoBaloney Internet Svcs - In Memoriam †
You can if you get a dedicated server set up so you can offer VPS solutions.
Jeff
Jeff
I think this needs to be implemented for security reasons. I don't feel like giving out admin access to my billing app so it can make resellers..
Edit: or, as suggested by a good friend of mine, DA should initiate key auth for apps like WHMCS.. instead of giving out a user/pass like this.. or both! just the key will satisfy me as well.. but both is a win-win.
Edit: or, as suggested by a good friend of mine, DA should initiate key auth for apps like WHMCS.. instead of giving out a user/pass like this.. or both! just the key will satisfy me as well.. but both is a win-win.
Last edited:
Richard G
Verified User
Just a comment. This has nothing to do with any security issue.
I don't think there is any control panel out there, which let's resellers make other resellers. Admins make resellers. Resellers make clients.
So if the reseller want's to resell, he has to invest and become an admin by getting his own dedicated server.
Or like Jeff says, you could think about VPS systems, then it's possible. In fact they are getting their own admin account then on their vps, and can make resellers.
Then there should be some ACL system so if someone gains access to taht admin user they can't compromise all of my system.
Richard G
Verified User
There is a login strike-out system for the admin account.
It would be nice if there would be a possibility to limit the admin part to a certain ip address or something, maybe there is, I don't know. But this brings up the problem how to connect when your ISP at home changes your ip. Because there are enough people who work from their home and don't have an office.
In that case SSH needs to be used, but if that is protected by ip you have another problem coming, how do you want to get to your server again then?
I'm not sure if SSH keys overrule iptables ip restrictions to the SSH port but I don't think so.
So when having these things in mind, which kind of ACL system were you thinking off? You still might have a good idea about it which can be used for feature request.
However, this was not your original question, so sorry if I went to much off-topic.
It would be nice if there would be a possibility to limit the admin part to a certain ip address or something, maybe there is, I don't know. But this brings up the problem how to connect when your ISP at home changes your ip. Because there are enough people who work from their home and don't have an office.
In that case SSH needs to be used, but if that is protected by ip you have another problem coming, how do you want to get to your server again then?
I'm not sure if SSH keys overrule iptables ip restrictions to the SSH port but I don't think so.
So when having these things in mind, which kind of ACL system were you thinking off? You still might have a good idea about it which can be used for feature request.
However, this was not your original question, so sorry if I went to much off-topic.
nobaloney
NoBaloney Internet Svcs - In Memoriam †
@Dougy:
Why not disallow automatic configuration of reseller accounts? Then you can vet them first, and set them up manually.
Jeff
Why not disallow automatic configuration of reseller accounts? Then you can vet them first, and set them up manually.
Jeff
My company is certainly not at the size where this is not doable, but in the event I ever get there (dozens of accounts a day).. it's not viable.
nobaloney
NoBaloney Internet Svcs - In Memoriam †
In my opinion when you're at the point of getting dozens of reseller accounts daily it will become more important that you vet your reseller accounts; since they can be easily used by people unknown to you, to set up lots of their clients, unknown to you.
We don't get dozens of reseller accounts daily. We certainly do want to have at least a passing acquaintance with our resellers, since they have a lot of control over what gets hosted on our servers.
And you should carefully manage your admin account: always use SSL and SSH logins and long, complex, non-meaningful passwords for the admin user.
DirectAdmin itself is very secure. And nothing really runs as admin in the system, so admin, by itself, isn't really a security risk. To the server (linux or BSD), it's a normal unprivileged user.
Jeff
We don't get dozens of reseller accounts daily. We certainly do want to have at least a passing acquaintance with our resellers, since they have a lot of control over what gets hosted on our servers.
And you should carefully manage your admin account: always use SSL and SSH logins and long, complex, non-meaningful passwords for the admin user.
DirectAdmin itself is very secure. And nothing really runs as admin in the system, so admin, by itself, isn't really a security risk. To the server (linux or BSD), it's a normal unprivileged user.
Jeff