Give SSH (Shell) Access to a cPanel Account Without Root โ
Sometimes a client needs SSH access to their hosting account โ to run Composer, wp-cli, Git, cron scripts, or database imports. You can grant this without ever handing out root. On our servers CloudLinux CageFS is what confines the account: every user is already locked into a virtualized filesystem (their own home plus a safe skeleton of /bin, /usr, etc.), so they cannot see other accounts, read server-wide config, or reach root. You just enable a shell for the account and CageFS does the jailing.
Regular Shell vs Jailed Shell vs Disabled โ
WHM offers three shell modes per account (Account Functions โ Manage Shell Access):
| Mode | What the client can do | Use it when |
|---|---|---|
| Normal / Regular Shell | A shell as their own unprivileged account user. On CloudLinux, CageFS already confines them to their own account. | This is the way on CloudLinux servers โ CageFS provides the isolation. |
| Jailed Shell | cPanel's own jailshell confinement to the home directory. | Only on cPanel servers without CloudLinux/CageFS. |
| Disabled Shell | No interactive SSH login at all. | The default for accounts that don't need SSH. |
Step 1 โ Enable the shell in WHM โ
- Log into WHM at
https://YOUR_SERVER_IP:2087. - Go to Account Functions โ Manage Shell Access.
- Find the account in the list and set its dropdown to Normal / Regular Shell (CageFS handles the confinement). On a non-CloudLinux server, choose Jailed Shell instead.
- Click Save. The change takes effect immediately โ no restart needed.
Step 2 โ Authorize the client's SSH key โ
For security, our servers use SSH key authentication (password logins over SSH are typically disabled). Have the client generate a key pair on their own computer and send you the public key, then authorize it inside their cPanel:
- Log into the account's cPanel at
https://YOUR_SERVER_IP:2083(or switch into the account from WHM). - Go to Security โ SSH Access โ Manage SSH Keys.
- Click Import Key, paste the client's public key, and save. (Or click Generate a New Key to create one here and hand the client the private key over a secure channel.)
- Back on the Manage SSH Keys page, find the key under Public Keys and click Manage โ Authorize.
Step 3 โ The client connects โ
The client connects with their cPanel account username (not root) and the authorized key:
ssh -i /path/to/private_key cpanelusername@YOUR_SERVER_IP -p 22Replace 22 with your server's custom SSH port if you changed it. Once in, they land in their own home directory, confined by CageFS:
whoami # -> cpanelusername (never root)
pwd # -> /home/cpanelusernameEnabling shell for new accounts โ
Shell access is a per-account setting โ it is not stored in a hosting package, so creating an account from a package will not grant shell automatically. Two options:
- At creation: on Account Functions โ Create a New Account, tick Shell access in the Settings section.
- Any time after: use Manage Shell Access as in Step 1.
Revoking access later โ
To take shell access away, set the account back to Disabled Shell in Manage Shell Access, and/or Deauthorize the key under Manage SSH Keys. Both take effect immediately for new logins.

