Don't let Virtual Server Admins create SSH users

XurxoMF · May 5, 2024, 11:27pm

SYSTEM INFORMATION
OS type and version	Ubuntu 20.04.4
Virtualmin version	7.10.0

My problem is, I created a Virtual Server with the admin with acces to Mail and FTP but not to SSH.

I logges in with that admin user on virtualmin and everything os fine, I have Mail and FTP but no SSH but if I go to Edit Users I CAN create users with SSH permissions…

I’ve been looking and I found a way to disable FTP user creation for admins, so they can’t give FTP permisions(System Settings > Virtualmin Config > Server administrator permissions) but there is no way to disable the SSH user creation for admins.

Is there any way to limit Virtual Server Admin to create user only with Mail, FTP and both but no SSH? Or a way to only let Virtual Server Admins to create users with the selecter custos shells?

stefan1959 · May 5, 2024, 11:42pm

where are you seeing ssh? I don’t have that.

XurxoMF · May 5, 2024, 11:54pm

Literally there hahaha

I’ve the Mail, FTP and SSH option too

I want to have ot exactly like you

stefan1959 · May 6, 2024, 1:11am

Ok, I thought was default access, unless something has changed. It maybe a template or plan setting.

stefan1959 · May 6, 2024, 8:33am

I’ve had a play for a while with plan and template and Virtualmin config and cannot add ssh option for the administrator user when creating a user.
I only get the SSH option as root, so not sure why its showing or not showing.

XurxoMF · May 6, 2024, 9:01am

I’ve been testing thing too. I can disable the shell with SSH but that way I can’t create SSH users as root.

stefan1959 · May 6, 2024, 9:18am

so as root your not seeing this?

XurxoMF · May 6, 2024, 9:30am

Right now yes, but If I disable the shell with ssh perms I’ll not.
If I disable it admin users will not be able to use it… but root will not be able neither xD

Another thing I was looking for it letting admins edit their DNS records, but I’ll check that later.

stefan1959 · May 6, 2024, 9:52am

you could set ssh so authentication can only login with Keys

XurxoMF · May 6, 2024, 10:11am

Its an option… but not exactly what I want

Stegan · May 6, 2024, 11:05am

It is AFAIK, Create User in Virtualmin has the option “Email FCTP and SSH” in that list.

cyberndt · May 6, 2024, 2:28pm

This shouldn’t happen and I can’t even replicate it on my server. Unless you have changed the settings for the admin users in Webmin Users?

I am logged in as the admin of the account with no FTP and no SSH for the admin, only Database and email:
I don’t have a drop down option to change login.

XurxoMF · May 6, 2024, 2:47pm

I changed nothing, it’s a new installed Virtualmin lol

And if that’s the case then there is an option to allow/prevent admins to do that… I need to know which option is it xD

popmay · May 6, 2024, 3:28pm

When I am logged in as admin with full privileges i see this:

What you are asking is complex because of the elevated admin access. It is possible no one has tried to accomplish your exact use case. I haven’t.

This might shed some light. Try making users with access to limited modules.

cyberndt · May 6, 2024, 4:04pm

My notes indicate changing the settings in;

virtualmin->manage virtual server->edit owner limits

while logged in as root user for the server. Use the drop down for the virtual server to change settings for

You can uncheck what ever you don’t want to allow the server admin to change for that account.
Such as Can manage extra admins and so on.

As root or sudo user to the server, change the admin account for the virtualserver to only have email access and it will remove the drop down option to allow others access to ssh and ftp.
The virtualserver admin will always have access to the databases.

Ilia · May 6, 2024, 4:55pm

The virtual server administrator or virtual server owner login type has all standard rules applied defined in Custom Shells. However, the master administrator login (i.e., root) isn’t bound by these rules.

In other words, virtual server owner login type solely relies on whatever is defined in Custom Shells and Allowed login type imposed in Server Owner Limits page.

XurxoMF · May 6, 2024, 8:14pm

I’ll try this ^^

XurxoMF · May 6, 2024, 8:14pm

So if I remove all the custom shells, admins will not be able to assign anything but root will?
I’ll try too.

EDIT: I tried. I disabled the SSH shell and I can’t even make an user have SSH. As root the option dissapear too.

Ilia · May 7, 2024, 12:00pm

According to the topic title, it sounds like you’ve succeeded. Congratulations!

XurxoMF · May 7, 2024, 12:14pm

No I’ve not. I was to be able to make a SSH user but I don’t want other users/admins to create SSH users.
This way I can’t neither xD