Multi-Factor Authentication [case 60148]

[raindog308]

Dreamhost (which is not cPanel-based) announced yesterday that they are adding multi-factor authentication via Google Authenticator as optional for all accounts.

It would be nice if cPanel supported this (Google Authenticator).

cPanel will need to eventually support it - and probably very soon. The concept of multi-factor authentication is rapidly entering public consciousness - YubiKey, Google Apps, even Blizzard's Battle.net now uses multi-factor and "using an authenticator" has entered the common vocabulary.

An option for users to enable multi-factor authentication is a must. I would like to see both Google Authenticator and YubiKey.

[Joriz]

Google Authenticator can indeed be integrated in external systems. It can be even integrated in a SSH login: /https://securityskittles.wordpress.com/2012/03/14/two-factor-authentication-for-openvpn-on-centos-using-google-authenticator/

I did not test this yet. But I'm planning to integrate it in SSH on a testserver.

It would be great if some multi-factor authentication could be integrated in cPanel/WHM.

[ffeingol]

We'd be interested in this also. DuoSecurity is another popular option.

[PlotHost]

I'm sure that multi-factor authentication will be added .. very soon.

[cpanelnick]

This can already be accomplished with the security policy system:

http://www.cpanel.net/secpolicy.pdf

We plan on making this a bit easier to implement in the future with the Pluggable Authentication System.

[java_dude]

I'd definitely like to see multi factor authentication! +1 for Yubikey!

[kennethgray]

I'm on board for simplifying the multi-factor authentication process. The way DuoSecurity mentioned by ffeingol seems to work would be ideal. It looks like it would cover authentication for the WHM/Cpanel login, but also SSH. Perhaps there could be a way to have some sort of API that allows installed software (like Wordpress or Joomla) to hook in to the authentication process as well.

Anyway, good multi-factor authentication is high on my wish list, especially now that LinkedIn proves that no password db is safe.

cpanelnick, thanks for the link to the docs on pluggable authentication, I will definitely give that a thorough read.

[Joriz]

Adding DuoSecurity as plugin to cPanel/WHM would be great.

[cPanelDavidG]

This feature request thread seems to be requesting functionality that already exists but has not been embraced by the multi-factor authentication providers nor fans thereof to build the appropriate code to integrate with their systems.

[Joriz]

I think it is to complicated and time consuming for a single (small) hosting corporation to integrate DuoSecurity into cPanel with aid of the security policy system documentation.

What would be great if this could be done by cPanel itself and/or DuoSecurity or at least by group effort.

I would like to see a on cPanel account basis two-factor authentication for cPanel, WHM, Webmail and FTP.
I think this extra step of security would be a great sales pitch for our clients who make use our servers for b2b&b2c shop webhosting.

[FrankLaszlo]

This feature request thread seems to be requesting functionality that already exists but has not been embraced by the multi-factor authentication providers nor fans thereof to build the appropriate code to integrate with their systems.

The documentation for this is non-public (I've been wanting this feature for years, and this is the first I've heard of it) and extremely limited. I'd love to code some multi-factor authentication modules for cPanel, but the documentation provide is not even close to being complete for proper implementation.

[cPanelDavidG]

The documentation for this is non-public (I've been wanting this feature for years, and this is the first I've heard of it) and extremely limited. I'd love to code some multi-factor authentication modules for cPanel, but the documentation provide is not even close to being complete for proper implementation.

We are very open to suggestions for improving this documentation, especially given that it is not terribly far from raw documentation from our development team in its present form. Feel welcome to share via a reply to this post or via PM, or you can email me at sales@cPanel.net and I'll get your suggestions to our documentation team. I know sometimes it's relatively simple things like having sample code that y'all desire and we can work to accommodate that.

For those curious about what documentation we're referencing, here it is: http://www.cpanel.net/secpolicy.pdf - which you can find listed on sdk.cPanel.net (the main development documentation page) as "Plugin Security Policy." I'll put in a request for a clearer description for this though, as I now realize it's not obvious from that page what Security Policy is for.

[kabatak]

@cPanelDavidG

http://www.cpanel.net/secpolicy.pdf appears to be 404 to me.

[Infopro]

I'll see if I can get that link fixed ASAP. Site redesign in recent days, still cleaning up some old links along the way. Thank you for your patience in advance.

[kabatak]

@Infopro looks like the PDF is back thanks.

It appears right now we can already implement a multi-factor authentication by using custom codes created by us, but to clarify, is multi-factor authentication in the road-map of the cpanel team so that it can be a default feature in future releases?