is there a timeline for 11.34? will LDAP be production ready at that time?
Pluggable Authentication will allow you to build a plugin to accommodate LDAP. We do not intend (yet) to build an LDAP plugin ourselves, but given the focus on LDAP specifically, once this functionality is available I'll poke our integration guys to create an entry on the Integration Blog about how to do that.
Version 11.34 will come after 11.32 which is the release after our present release of 11.30. We're aiming to get each major release out every few months, meaning we should be coming up on 11.32 soon.
UPDATE: We now anticipate that Pluggable Authentication will not be completed in time for version 11.34. We are now targeting Pluggable Authentication for version 11.36.
Damn, 11.36 sounds like 2013..
This is bad news.
I was hoping for 11.32 and then 11.34 as the thread said it would be coming in these versions.
We really need this as 2 factor authentication is a requirement for PCI compliance and this would simplify things for people who want to be compliant with cPanel.
Can you try to put a fire under this so that it gets at least beta functionality in 11.34 and really is released in 11.36? We'd much prefer to have this over a pretty new phpmyadmin version.
GlowHost.com | Professional Managed Web Hosting Since 2002.
>> Fully Managed Dedicated, Cloud VDS, Reseller & Semi-Dedicated
>> Cloud Servers for Enterprise
"We'd much prefer to have this over a pretty new phpmyadmin version."
I'm sorry, but that's just cold, man. cPanel doesn't make phpMyAdmin, it's 3rd party.
I don't see your point. Does PHPMyAdmin work magically with cPanel? No, they spend time integrating it and removing some functionality so that it works with cPanel.
My point is instead of spending resources integrating a new version of something that works perfectly fine already, how about taking care of LDAP and PAM problems which people have been asking for for years now. Even this specific thread was started in Jan 2009 and it keeps getting pushed back!
It's getting frustrating telling users "oh, yeah in a few months" then those few months go by and we say "oh, yeah well it got pushed back again."
If the current estimate of what build it will appear in means anything (which so far, they don't) we are not going to see these functions until a very minimum of Jan 2012. That is 3 years...
Devices and software that require these functions are increasingly mandated now by many organizations and we lose business and cPanel loses licenses because it's not supported.
Just a heads up, the bulk of IPv6 stuff is currently slated for 11.34, and there are significantly more people demanding that functionality than this functionality (both of which are substantive architectural modifications). While I am not privy to the internal priorities of our development team, I think this is a more likely explanation than accommodating a new version of phpMyAdmin as proposed above.
You're probably right. Sorry for being sarcastic. Do you think 11.36 is a realistic target this time? We might be able to salvage some business if it's realistically on the horizon. I know you don't know everything about what dev is doing but perhaps you can prod someone and see if it is still a priority as I might be able to salvage some customers instead of moving them off to a different platform.
Please provide hooks in handle_form_login so 2-factor authentication devices can extend this functionality.
This would require about 5 lines of perl in total.
I'm willing to provide those lines, along with a sample 2-factor implementation demo.
Please contact me for extra info.
Can you post the additional details here?
Hi - sure.
Most Two-factor authentication devices/methods function by layering an additional step during the login procedure. For example - after the username/password has been entered, a one-time-PIN needs to be typed from an LCD keyfob token, or an SMS code needs to be supplied, or a password needs to be looked up & entered from a PAN card, or a unique photo/image needs to be verified using a smartphone app, or biometric data like a fingerprint scan needs to be authenticated, and so forth.
All of these different things will be made possible if the cPanel /login/ subroutine, named "handle_form_login" contained a "hook" (similar to how their existing password-change subroutine already contains a "hook").
Specifically - when an incoming request to verify a username/password arrives, the hook needs to call an external "twofactor" helper. This helper takes care of the two-factor functionality, and returns to the original /login/ routine a simple "yes" or "no" response, indicating whether or not the login should proceed, or fail.
The most basic code needed for this would be:-
This at the top of cpsrvd
Code:
use twofactor;
And this at the start of sub handle_form_login
Code:
@_=eval(&twofactor(@_));
The above would give the two-factor implementation all the access it needs to successfully accomplish the authentication, and provide the result to the /login/ caller (if the 2-factor auth fails, the called &twofactor() sub will "blank" the supplied password, which will then cause the subsequent /login/ code to refuse the login).
In addition to this being a "good idea" (improving security for all cPanel users who might wish to activate 2-factor on their logins), it also allows them to be compliant with the law (eg: FFIEC in USA), all while providing new revenue opportunities for cPanel itself, datacenters, and resellers alike.
Not to mention - this would be a huge improvement in security over any cPanel competing products - boasts like "Strongest security of any hosting solution" would make for an entirely legitimate and honest marketing pitch.
Chris.
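The hook contract described in the post above, sketched as an added example (not cPanel's code and not the poster's implementation): a hypothetical `twofactor` sub that checks an RFC 6238 TOTP code of the kind Google Authenticator generates, rejects a reused code, and blanks the password on failure. The argument layout, the in-memory enrolment store and the sample key are assumptions, and the sub returns the login arguments directly rather than a string for `eval`.

```perl
#!/usr/bin/perl
# Added example: hypothetical twofactor helper for a login hook (not cPanel code).
use strict;
use warnings;
use Digest::SHA qw(hmac_sha1);

# Constructed sample enrolment store: user => raw shared secret (RFC 6238 test key).
my %SECRET    = (alice => '12345678901234567890');
my %LAST_STEP = ();    # last accepted time step per user, used to reject replays

# RFC 6238 TOTP (HMAC-SHA1) for one 30-second time step.
sub totp {
    my ($key, $step, $digits) = @_;
    my $msg    = pack('NN', 0, $step);            # 64-bit big-endian counter, high word 0
    my $mac    = hmac_sha1($msg, $key);
    my $offset = ord(substr($mac, -1)) & 0x0f;    # dynamic truncation
    my $code   = unpack('N', substr($mac, $offset, 4)) & 0x7fffffff;
    return sprintf('%0*d', $digits, $code % 10**$digits);
}

# Compare two strings without stopping at the first differing character.
sub same {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Hook body: returns the login arguments, with the password blanked on failure.
sub twofactor {
    my ($user, $password, $otp, $now) = @_;          # argument layout is an assumption
    my $key = $SECRET{$user};
    return ($user, $password) unless defined $key;   # not enrolled: password-only login
    my $current = int(($now // time) / 30);
    for my $step ($current - 1 .. $current + 1) {    # tolerate one step of clock drift
        next if $step <= ($LAST_STEP{$user} // -1);  # this step's code was already used
        if (defined $otp && same($otp, totp($key, $step, 6))) {
            $LAST_STEP{$user} = $step;
            return ($user, $password);
        }
    }
    return ($user, '');                              # fail closed: login code refuses
}

# Constructed demo at a fixed time (59 s): the same code is presented twice.
my $code   = totp($SECRET{alice}, int(59 / 30), 6);
my @first  = twofactor('alice', 'hunter2', $code, 59);
my @replay = twofactor('alice', 'hunter2', $code, 59);
print 'first: ',  ($first[1]  ne '' ? 'accept' : 'reject'),
      ', replay: ', ($replay[1] ne '' ? 'accept' : 'reject'), "\n";
```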
I am merging this thread into our existing discussion about a pluggable authentication system.
Thanks for the merge - good idea.
Reading back over the other people's comments, and your difficulty with a rapid implementation, might I suggest that providing the "hook" mechanism I mention would be a very fast and easy way to resolve everything? This makes it simple for 2-factor providers to roll out their solutions, for the Pluggable Authentication people to implement their ideas, for other people like OpenID or Google-Auth or whatever to provide their solutions, biometrics, smartcards, PKI, etc etc - all supported (or supportable) with little more than a few lines of code needed from you guys to enable it all.
I'll even volunteer to provide a sample OpenID solution, and also a sample 2-factor token-device one, gratis.
This seems like a great idea, be great with Google Authenticator!