Server Security

SSH Root Logins, Privilege Escalation and Server Security in cPanel

As you dig deeper into server administration, you’ll eventually need to log into your server via SSH as root. Logging into your server as root allows you to easily accomplish many tasks, but it demands a certain level of security precaution.

Direct SSH root logins are a major potential security vulnerability. The root user is the administrative user of a server and has full access to it. If compromised, the root account gives a malicious user complete control. Anyone logged into a server with root access can write, erase, edit, upload or download any file. It is an all-access pass to your server, and simply guarding your root password isn’t enough to protect yourself.

There are two ways to mitigate this security concern.

SSH Key Authentication

As discussed in a previous article, SSH key authentication limits root access to only those people on computers with the correct authentication key.

Escalating users to root

The second option is to disable direct root access and configure one or more regular SSH accounts so that their users can escalate their privileges to the root level. This provides an extra layer of security, eliminating the possibility that a server can be compromised simply by stealing the root user's password.

Disabling SSH root logins

Because of the security risks inherent in direct SSH root access, nearly all VPS packages, including ServInt Cloud VPS accounts, will be delivered with direct root access disabled by default. If, for some reason, this is not done by your host, you will need to disable it from the command line in /etc/ssh/sshd_config. Ask your host for more details before editing this file.

Configuring SSH root escalation for cPanel users

Configuring SSH root escalation for a user in cPanel can be accomplished for any server with SSH access by simply adding that cPanel account to the Wheel Group. To do so:

  1. Log into WHM
  2. Navigate to Security Center » Manage Wheel Group Users
  3. Choose the cPanel user and then click Add to Group.
  4. Once done you will need to restart SSH from WHM via Restart Services » SSH Server (OpenSSH).

Configuring SSH root escalation for non-cPanel users

To configure SSH root escalation for a non-cPanel user, you will need to add that user to the wheel group in WHM (above) and then complete one other step: editing the passwd file of your server.

  1. Log into the server with root access.
  2. Open the passwd file (located in /etc/passwd).

Note: if you do not know how to open and edit a file directly on the command line, you can learn how to use an editor such as nano.

  3. Each line of the file is for one user. Locate the user you are granting access to and edit the text of that line, changing /bin/false to /bin/bash.
  4. Restart the SSH service either through WHM as outlined previously or using the command “sshd restart”.

Escalating to root as a superuser

With these steps complete, the user can now escalate to root when logged into the server via SSH with their standard credentials. Once logged into the server via SSH, the user simply types the command “su” (superuser) and hits Return. The user will be prompted for the root password and when entered correctly will become the root user.
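One way to verify the finished setup, as an added example that is not part of the original article or ServInt's tooling: it checks that direct root login is disabled, that the user is listed in the wheel group, and that the account has a usable login shell. The function names and the accounts alice and bob are hypothetical; PermitRootLogin is the standard OpenSSH directive in sshd_config.

```shell
#!/bin/sh
# Added example: audit the escalation setup. File paths are arguments so the
# checks can run on copies; on a server use /etc/ssh/sshd_config, /etc/group
# and /etc/passwd.

# Effective PermitRootLogin: sshd honours the first occurrence of a keyword and
# keywords are case-insensitive. Lines after a Match block are conditional and
# ignored. "unset" means the OpenSSH built-in default applies.
root_login_setting() {
    awk '$1 ~ /^#/ { next }
         tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Succeed if user $2 is listed as a member of wheel in group file $1.
in_wheel() {
    awk -F: -v u="$2" '$1 == "wheel" { n = split($4, m, ",")
                           for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
                       END { exit !ok }' "$1"
}

# Print the login shell (7th field) of user $2 from passwd file $1.
login_shell() { awk -F: -v u="$2" '$1 == u { print $7; exit }' "$1"; }

# Args: sshd_config group passwd user. Prints findings; non-zero if any.
audit_escalation_user() {
    rc=0; prl=$(root_login_setting "$1")
    # Only "no" passes: the article's second option disables root login outright.
    [ "$prl" = no ] || { echo "FAIL: PermitRootLogin is '$prl', not 'no'"; rc=1; }
    in_wheel "$2" "$4" || { echo "FAIL: $4 is not in the wheel group"; rc=1; }
    case "$(login_shell "$3" "$4")" in
        ""|/bin/false|*/nologin) echo "FAIL: $4 has no usable login shell"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (not from a real server) so the example runs offline.
d=$(mktemp -d)
printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'PermitRootLogin no' > "$d/sshd_config"
printf '%s\n' 'root:x:0:' 'wheel:x:10:alice' > "$d/group"
printf '%s\n' 'alice:x:1001:1001::/home/alice:/bin/bash' \
              'bob:x:1002:1002::/home/bob:/bin/false' > "$d/passwd"
for u in alice bob; do
    if audit_escalation_user "$d/sshd_config" "$d/group" "$d/passwd" "$u"; then echo "OK: $u"; fi
done
rm -rf "$d"
```

The wheel check reads only the member list in the group file, so an account whose primary group is wheel would need a separate check.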

As always, if you have any questions, or if you wish to configure a non-cPanel server for SSH escalation to root privileges, please fill out a ticket in your customer portal.
