Securely roll out email accounts/pw to remote users

[awgerber]

Hi all,

I consider to switch to a provider who is using cPanel. On our old system I programmed in php my own email account management system.

The unique thing about it is that people we create an email account with a roll out mechanism. The system sends out an email to the client's old email account with a link to obtain his new email password. This link leads then to a encrypted page. If somebody intercepts the email on its way and clicks on that link a second click will automatically disable the account...

Is there a function in cPanel that is doing a secure roll out of a password to a client already? Or is there some "lost password" function that is secure?

On the other hand I downloaded already the xmlapi-php-class-cp_xmlapi_php.zip and had a quick glance over it. It seems powerful... but I did not see how to get the users password and how to disable the account...

Could you please give me a hint?

Thanks

[cPanelDavidG]

Hi all,

I consider to switch to a provider who is using cPanel. On our old system I programmed in php my own email account management system.

The unique thing about it is that people we create an email account with a roll out mechanism. The system sends out an email to the client's old email account with a link to obtain his new email password. This link leads then to a encrypted page. If somebody intercepts the email on its way and clicks on that link a second click will automatically disable the account...

Is there a function in cPanel that is doing a secure roll out of a password to a client already? Or is there some "lost password" function that is secure?

On the other hand I downloaded already the xmlapi-php-class-cp_xmlapi_php.zip and had a quick glance over it. It seems powerful... but I did not see how to get the users password and how to disable the account...

Could you please give me a hint?

Thanks

cPanel users are standard Unix users. As such, their passwords are hashed (not encrypted). To put it simply, hashed passwords are not retrievable, the most you can do is compare to see if a password is correct or not.

You can use the XML API to change a user's password, at which time you can probably have your script store the password. Just be sure to do this very carefully as not to create a security vulnerability on the server.

As for "disabling" a cPanel account, you can suspend an account - but that will also display a suspended page on their website when anyone visits it while the account is suspended.

If you need clarification on how to suspend an account or change an account's password via the XML API, let me know.