API - authenticating against existing user passwords

emalbum

Member
Jun 5, 2004
12
0
151
I'm sorry if this has been asked before...

I am writing a billing manager in PHP and I want to allow my users to log into it using their existing username/password.

Where are the cPanel passwords stored and is it possible to validate against them through PHP?
 

stoo2000

Active Member
Jul 26, 2003
43
0
156
Leicestershire, UK
cPanel Access Level
Root Administrator
This would make an absolutely great feature. Might be worth sending it to the XML API mailing list; even if it was just a function that came back true or false, it would save disclosing encryption methods/salts...
 

DaveUsedToWorkHere

Well-Known Member
Dec 28, 2001
687
1
318
This can be done with /scripts/postwwwacct. It needs to be present and executable to function. This works in the new builds CURRENT, EDGE. More info will be on the documentation part of our site soon.


This script will be run after an account is created. Within this script, data from /scripts/wwwacct can be accessed so that it can be passed to something such as a billing solution, custom application, or script.

The following data can be accessed:

user (string)
User name of the account. Ex: user

domain (string)
Domain name. Ex: domain.tld

plan (string)
Package to use for account creation. Ex: reseller_gold

quota (integer)
Disk space quota in MB. (0-999999, 0 is unlimited)

pass (string)
Password to access cPanel. Ex: [email protected]!w0rd$123

useip (string)
Whether or not the domain has a dedicated IP address. (y = Yes, n = No)

hascgi (string)
Whether or not the domain has cgi access. (y = Yes, n = No)

installfp (string)
Whether or not the domain has FrontPage extensions installed. (y = Yes, n = No)

hasshell (string)
Whether or not the domain has shell / ssh access. (y = Yes, n = No)

contactemail (string)
Contact email address for the account. Ex: [email protected]

cpmod (string)
cPanel theme name. Ex: x3

maxftp (string)
Maximum number of FTP accounts the user can create. (0-999999 | unlimited, null | 0 is unlimited)

maxsql (string)
Maximum number of SQL databases the user can create. (0-999999 | unlimited, null | 0 is unlimited)

maxpop (string)
Maximum number of email accounts the user can create. (0-999999 | unlimited, null | 0 is unlimited)

maxlst (string)
Maximum number of mailing lists the user can create. (0-999999 | unlimited, null | 0 is unlimited)

maxsub (string)
Maximum number of subdomains the user can create. (0-999999 | unlimited, null | 0 is unlimited)

maxpark (string)
Maximum number of parked domains the user can create. (0-999999 | unlimited, null | 0 is unlimited)

maxaddon (string)
Maximum number of addon domains the user can create. (0-999999 | unlimited, null | 0 is unlimited)

bwlimit (string)
Bandwidth limit in MB. (0-999999, 0 is unlimited)

useregns (boolean)
Use the registered nameservers for the domain instead of the ones configured on the server. (1 = Yes, 0 = No)

owner (string)
Owner of the account.


Accessing the data in PHP:

Code:
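<?php
// The script receives its data as alternating key/value command-line arguments.
$opts = array();
$argv0 = array_shift($argv); // drop the script name
while (count($argv)) {
    $key = array_shift($argv);
    $value = array_shift($argv);
    $opts[$key] = $value;
}

$user = $opts['user'];
$domain = $opts['domain'];
?>
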
Accessing the data in Perl:

Code:
my %OPTS = @ARGV;    # alternating key/value arguments become a hash
my $user = $OPTS{'user'};
my $domain = $OPTS{'domain'};
 

myusername

Well-Known Member
PartnerNOC
Mar 6, 2003
693
1
168
chown -R us.*yourbase*
cPanel Access Level
DataCenter Provider
I guess the question is: if the user changes their password in cPanel after account creation, is the password still able to be accessed after the change has been made? I would assume it's accessible, but it would need to be decrypted, I would think?
 

newphp

Member
Dec 27, 2006
11
0
151
Chongqing,China
If your system is Red Hat AS4 or CentOS 4.4, etc., the cPanel user passwords are stored locally in /etc/shadow and are encoded, so they can't be accessed.
 

DaveUsedToWorkHere

Well-Known Member
Dec 28, 2001
687
1
318
Currently there is no hook for realchpass. I've put in a request for one to be added. Until then, you can edit /scripts/realchpass to have it output the password to your billing system. Until a hook is added, your changes will be overwritten by updates.
 

emalbum

Member
Jun 5, 2004
12
0
151
I'll look into the /scripts/postwwwacct more, but in the meantime, I've devised the following solution:

- A script that parses the /etc/shadow file and writes out the username:encPassword to a file that is outside of the web root and can be accessed from a non-root user. This is a scheduled process.

- Use PHP's crypt function to compare the entered password with the one in my new file (from /etc/shadow)

So far it works as I need it to...
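
The comparison step described in the post above, as an added example that is not code from the thread or from cPanel. It assumes the scheduled export writes `username:hash` lines; the function names, the sample users and the dummy-hash approach are hypothetical choices made for this illustration.

```php
<?php
// Added example (not from the thread): check a login against exported hashes.

/** Parse "user:hash[:...]" lines into a username => hash map. */
function load_exported_hashes(string $contents): array
{
    $map = [];
    foreach (preg_split('/\R/', trim($contents)) as $line) {
        $fields = explode(':', $line);
        if (count($fields) >= 2 && $fields[0] !== '') {
            $map[$fields[0]] = $fields[1];
        }
    }
    return $map;
}

/** True only when $password reproduces the stored crypt(3) hash for $user. */
function verify_login(array $hashes, string $user, string $password, string $dummy): bool
{
    $stored = $hashes[$user] ?? '';
    // Locked or passwordless shadow entries hold "!", "!!", "*" or nothing;
    // only modular-crypt hashes ("$id$salt$hash") are treated as usable here.
    $usable = $stored !== '' && $stored[0] === '$';
    // Hash once even for unknown or locked users so response time does not
    // reveal which usernames exist.
    $reference = $usable ? $stored : $dummy;
    $computed = crypt($password, $reference);
    // hash_equals() is a constant-time comparison; "==" is not.
    return hash_equals($reference, $computed) && $usable;
}

// Constructed sample data: hashes are generated here, not taken from any system.
$aliceHash = crypt('correct horse', '$6$constructedsalt$');
$dummy = crypt(bin2hex(random_bytes(16)), '$6$dummysaltvalue$');
$export = "alice:{$aliceHash}\nbob:!!\ncarol:*\n";

$hashes = load_exported_hashes($export);
foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ['bob', ''], ['mallory', 'x']] as [$u, $p]) {
    printf("%-8s %s\n", $u, verify_login($hashes, $u, $p, $dummy) ? 'accepted' : 'rejected');
}
```

Because the exported file holds hashes that can be attacked offline, it needs the same protection as /etc/shadow: readable only by the account the billing application runs as.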
 

DaveUsedToWorkHere

Well-Known Member
Dec 28, 2001
687
1
318
Update:

please see:

/usr/local/cpanel/hooks/README

and specifically

/usr/local/cpanel/hooks/passwd/change_password.example
 

protocol

Well-Known Member
PartnerNOC
Apr 13, 2004
90
0
156
I notice this does not work if the user resets via the forgotten password feature. Can this be added to fire this hook too?
 

dom974

Active Member
Jun 24, 2007
41
0
56
Hello all,

I tried the change_password example as stated in the readme but it does not work.

Can someone explain to me how to use this hook ?

Thanks

Dominique
 

DaveUsedToWorkHere

Well-Known Member
Dec 28, 2001
687
1
318
Can someone explain to me how to use this hook ?
The hook is a piece of code that executes based on a certain action, in this case upon the change of a user's password. You'll need to add code that makes it do whatever you wish to accomplish. Since I don't yet know what that is, I can't provide more assistance yet.
 

dom974

Active Member
Jun 24, 2007
41
0
56
Is this change_password automatically triggered after using the xml-api passwd function?

Normally after changing password, I should see this :

Code:
print "Your password was changed\n";
print "OLDPASS: $oldpass\n";
print "NEWPASS: $newpass\n";
print "ERRORS: $errors\n";
But it doesn't work ...

Dominique
 

DaveUsedToWorkHere

Well-Known Member
Dec 28, 2001
687
1
318
Is this change_password automatically triggered after using the xml-api passwd function?

Normally after changing password, I should see this :

Code:
print "Your password was changed\n";
print "OLDPASS: $oldpass\n";
print "NEWPASS: $newpass\n";
print "ERRORS: $errors\n";
But it doesn't work ...

Dominique
Just to make sure I'm on the same page. With the hook in place, you see the code executed after changing a password through cPanel or WHM but not while using the XML API?
 

dom974

Active Member
Jun 24, 2007
41
0
56
Just to make sure I'm on the same page. With the hook in place, you see the code executed after changing a password through cPanel or WHM but not while using the XML API?
Well, the hook is working if the user is changing his password under cPanel, but not under WHM ("Password modification") or when using the xml-api passwd.

Dominique
 

myusername

Well-Known Member
PartnerNOC
Mar 6, 2003
693
1
168
chown -R us.*yourbase*
cPanel Access Level
DataCenter Provider
I haven't had a chance to check this, but I'd think the XML-API would be the most important reason to have the hook.

Do we need to specify a flag in the API call to execute the hook? Can we specify the script as a variable in the API call? Meaning, execute "post-change-passwd" or "post-change-password2" on the fly based on the parameters passed into the script instead of a hardcoded hook?
 

freedman

Well-Known Member
Feb 13, 2005
314
5
168
I'm sorry if this has been asked before...

I am writing a billing manager in PHP and I want to allow my users to log into it using their existing username/password.

Where are the cPanel passwords stored and is it possible to validate against them through PHP?
If you mean against their system/account password, then it's been answered. If you mean you want their hosts accounts to be able to login (i.e. using their email/password like in webmail), that's stored in /home/ACCOUNT/etc/DOMAIN/{passwd,shadow}
 

dom974

Active Member
Jun 24, 2007
41
0
56
Just to make sure I'm on the same page. With the hook in place, you see the code executed after changing a password through cPanel or WHM but not while using the XML API?
Since the new 11.8.0 update I can't even have the hook working (not with WHM, not with cPanel).
Btw, do you have the documentation for xml api passwd?

thank you

Dominique