At the moment, in any account transfer via CWP API, it seems to require a remote root login by SSH.
I hope I don't need to remind folks how much of a security risk this is. So let us begin with saying the very design of the process is a massive security bug.
From there, I'm looking to begin some test transfers to CWP on CentOS 9 Stream using the instructions here:
https://docs.control-webpanel.com/docs/admin-guide/user-accounts/cwp-to-cwp-migrationThe source server is CentOS Linux release 7.9.2009 (Core) running CWP Pro 0.9.8.1190 on AWS EC2
The destination server is CentOS Stream release 9 running 0.9.8.1190 on AWS Lightsail
I have created the API key in the source CWP UI.
I have made sure the root user can log in via ssh to the source box.
I set up the configuration in the destination box.
When I click "Test & Save" it errors out with:
"Connection not reached
The following error occurred"
...and no further information.
The /var/log/security on the source box gives me:
Jan 2 12:56:42 [SOURCE] sshd[8008]: Accepted keyboard-interactive/pam for root from [DEST-IP] port 35330 ssh2
Jan 2 12:56:42 [SOURCE] sshd[8008]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 2 12:56:42 [SOURCE] sshd[8008]: Received disconnect from [DEST-IP] port 35330:11: disconnected by user
Jan 2 12:56:42 [SOURCE] sshd[8008]: Disconnected from [DEST-IP] port 35330
Jan 2 12:56:42 [SOURCE] sshd[8008]: pam_unix(sshd:session): session closed for user root
Jan 2 12:56:42 [SOURCE] sshd[8019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[DEST-FQDN] user=root
Jan 2 12:56:42 [SOURCE] sshd[8019]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 2 12:56:44 [SOURCE] sshd[8017]: error: PAM: Authentication failure for root from [DEST-FQDN]
Jan 2 12:56:44 [SOURCE] sshd[8029]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[DEST-FQDN] user=root
Jan 2 12:56:44 [SOURCE] sshd[8029]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 2 12:56:46 [SOURCE] sshd[8017]: error: PAM: Authentication failure for root from [DEST-FQDN]
Jan 2 12:56:46 [SOURCE] sshd[8017]: Postponed keyboard-interactive for root from [DEST-IP] port 35338 ssh2 [preauth]
Jan 2 12:56:46 [SOURCE] sshd[8032]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[DEST-FQDN] user=root
Jan 2 12:56:46 [SOURCE] sshd[8032]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 2 12:56:49 [SOURCE] sshd[8017]: error: PAM: Authentication failure for root from [DEST-FQDN]
Jan 2 12:56:49 [SOURCE] sshd[8017]: Failed none for root from [DEST-IP] port 35338 ssh2
Jan 2 12:56:49 [SOURCE] sshd[8017]: Failed password for root from [DEST-IP] port 35338 ssh2
Jan 2 12:56:49 [SOURCE] sshd[8017]: error: maximum authentication attempts exceeded for root from [DEST-IP] port 35338 ssh2 [preauth]
Jan 2 12:56:49 [SOURCE] sshd[8017]: Disconnecting: Too many authentication failures [preauth]Just previous to this, I see that I CAN log in as root in a PuTTY window:
Jan 2 12:56:36 [SOURCE] sshd[7964]: Accepted keyboard-interactive/pam for root from [DESKTOP] port 52212 ssh2
Jan 2 12:56:36 [SOURCE] sshd[7964]: pam_unix(sshd:session): session opened for user root by (uid=0)So it looks to me like the CWP API transfer is logging in as root then immediately failing to log in as root.
Then PAM complains.
Repeat three times before it fails hard.
So aside from the massive security hole this creates, letting root log in to ssh, the process does not work in CentOS 9 Stream.
Topic: CWP to CWP Account Migration (Read 90 times)
