Planned for 11.36 WHM - PAM / LDAP / RADIUS Authentication (Pluggable Authentication) [case 39461]

[NathanS]

Hi Guys,

It would be really nice to have WHM utilise something like PAM (for flexibility), or some other native ability to use user databases outside /etc/shadow and /etc/passwd which are hardcoded in at the moment (PwCache.pm). A native RADIUS or LDAP client would suffice, but using PAM would probably be smarter to allow flexibility and avoid reinventing the wheel.

Without this, it prevents us from using things like RSA SecurID tokens to limit and track access centrally to WHM on multiple servers (about 20 or so at the moment).

Regards,

Nathan.
Host Networks.

[asofrank]

I also highly support this feature.

The current use of password based authentication severely limits the hosts ability to properly secure their environment. If you have several hundred servers, and several employee's that administer them, there is a lot of potential for compromised accounts due to trivial things like MIM attacks and keyloggers.

Without going deeply into the cPanel codebase, I would think that changing the existing code from reading /etc/passwd, to using PAM, would be trivial.

Unfortunately cPanel cannot keep ignoring these security concerns. Once people find that the risks of using cPanel outweigh the benefits, they are going to jump ship and find a control panel that DOES care about security.

/rant

Frank Laszlo
A Small Orange Software

[cPanelDavidG]

We are currently working on a pluggable authentication system to allow integration with whatever authentication system you want (e.g. LDAP, use of tokens etc).

The ETA on the pluggable authentication system is: <<Outdated information removed>>

[cPanelDavidG]

I just updated the title of the thread slightly so I can more easily provide updates to this thread as progress is made.

[kkargel]

We are an ISP. Our customers use LDAP authentication. It would be great if logging in to cPanel with a valid login on LDAP would autocreate an account and subdomain.

[mykkal]

APIs to make plugins for specific apps would be nice

[cPanelDavidG]

We are already working on functionality called "Pluggable Authentication" which will allow authentication against LDAP or whatever other authentication method you want to allow.

I will merge this thread with that existing feature request thread so everyone is informed about the progress of "Pluggable Authentication."

[Infopro]

Please Note: Important cPanel/WHM Version Number Designation Change

As of July 28, 2010 the cPanel/WHM version number designations have been officially changed.

Version 11.25.1 is now designated 11.28 and version 11.25.2 is now designated 11.30.

These new changes were explained in some detail recently at the July 2010 - Quarterly Road map - Webinar direct from cPanel's PodCast Studio in Houston, Texas with speakers David Grega and Mario Rodriguez.

An official press release about these changes is forthcoming and can be accessed at this link as soon as it's made available to the Forum Team:
Important cPanel/WHM Version Number Designation Change (To be updated)

This post serves to update users who are subscribed to threads (where this message is posted) looking forward to upcoming enhancements in future versions of cPanel.

[cPanelDavidG]

With the change in our procedures to have more frequent releases containing fewer projects, the ETA for Pluggable Authentication has changed. The ETA for Pluggable Authentication is now version 11.32.

[cPanelDavidG]

With the change in our procedures to have more frequent releases containing fewer projects, the ETA for Pluggable Authentication has changed. The ETA for Pluggable Authentication is now version 11.32.

Pluggable Authentication is scheduled for version 11.34

[amu495]

Hi,

I was working on rate-limiting connections made to localhost on my cPanel server because recently I observed attack coming from localhost (127.0.0.1) which was trying to log in to cPanel thousands of times a minute.

Being it a localhost I can’t block 127.0.0.1 from logging in but is there any way I can slow down the login attempts?

Didn't get much help from chkservd and cPhulkd logs.

I also tried to work with PAM module "pam_faildelay" which may slow down multiple attempts but it seems that cPanel is not using PAM authentication. Also everything don't use PAM, there are lots of ways for a system user to authenticate - ftp, sftp, cpanel, webmail, maybe more!

Any suggestion will be appreciated.

[cPanelDavidG]

As far as feature requests go, we'll support hooks into cPanel & WHM itself when we support Pluggable Authentication: http://forums.cpanel.net/f145/whm-pa...on-154665.html

Since this feature request is already being accommodated, did you want me to merge this thread into the existing thread on Pluggable Authentication or move it into cPanel and WHM Security to discuss this further?

[amu495]

Hi,

You can merge this thread to existing thread on Pluggable Authentication because I have already a thread in the cPanel and WHM Security to discuss this issue further but unfortunately didn't get any response yet.

http://forums.cpanel.net/cpanel-whm-...on-cpanel.html

Will see how it goes. Thanks

[Kent Brockman]

Hello people, any news on this request?

[cPanelDavidG]

This is one of the main features we are promoting for 11.34, so it is very much on track for version 11.34.