The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

API - authenticating against existing user passwords

Discussion in 'General Discussion' started by emalbum, May 15, 2007.

  1. emalbum

    emalbum Member

    Joined:
    Jun 5, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    I'm sorry if this has been asked before...

    I am writing a billing manager in PHP and I want to allow my users to log into it using their existing username/password.

    Where are the cPanel passwords stored and is it possible to validate against them through PHP?
     
  2. stoo2000

    stoo2000 Active Member

    Joined:
    Jul 26, 2003
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Leicestershire, UK
    cPanel Access Level:
    Root Administrator
    This would make an absolute great feature, Might be worth sending it to the XML API mailing list, even if it was just a function that came back true or false it would save disclosing encyption methods/salts...
     
  3. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    This can be done with /scripts/postwwwacct. It needs to be present and executable to function. This works in the new builds CURRENT, EDGE. More info will be on the doucmentation part of our site soon.


    This script will be run after an account is created. Within this script, data from /scripts/wwwacct can be accessed so that it can be passed to something such as a billing solution, custom application, or script.

    The following data can be accessed:

    user (string)
    User name of the account. Ex: user

    domain (string)
    Domain name. Ex: domain.tld

    plan (string)
    Package to use for account creation. Ex: reseller_gold

    quota (integer)
    Disk space quota in MB. (0-999999, 0 is unlimited)

    pass (string)
    Password to access cPanel. Ex: p@ss!w0rd$123

    useip (string)
    Whether or not the domain has a dedicated IP address. (y = Yes, n = No)

    hascgi (string)
    Whether or not the domain has cgi access. (y = Yes, n = No)

    installfp (string)
    Whether or not the domain has FrontPage extensions installed. (y = Yes, n = No)

    hasshell (string)
    Whether or not the domain has shell / ssh access. (y = Yes, n = No)

    contactemail (string)
    Contact email address for the account. Ex: user@otherdomain.tld

    cpmod (string)
    cPanel theme name. Ex: x3

    maxftp (string)
    Maximum number of FTP accounts the user can create. (0-999999 | unlimited, null | 0 is unlimited)

    maxsql (string)
    Maximum number of SQL databases the user can create. (0-999999 | unlimited, null | 0 is unlimited)

    maxpop (string)
    Maximum number of email accounts the user can create. (0-999999 | unlimited, null | 0 is unlimited)

    maxlst (string)
    Maximum number of mailing lists the user can create. (0-999999 | unlimited, null | 0 is unlimited)

    maxsub (string)
    Maximum number of subdomains the user can create. (0-999999 | unlimited, null | 0 is unlimited)

    maxpark (string)
    Maximum number of parked domains the user can create. (0-999999 | unlimited, null | 0 is unlimited)

    maxaddon (string)
    Maximum number of addon domains the user can create. (0-999999 | unlimited, null | 0 is unlimited)

    bwlimit (string)
    Bandiwdth limit in MB. (0-999999, 0 is unlimited)

    useregns (boolean)
    Use the registered nameservers for the domain instead of the ones configured on the server. (1 = Yes, 0 = No)

    owner (string)
    Owner of the account.


    Accessing the data in PHP:

    Code:
    ‹?php
    
    $opts = array();
    $argv0 = array_shift($argv);
    while(count($argv)) {
    $key = array_shift($argv);
    $value = array_shift($argv);
    $opts[$key] = $value;
    }
    ?›
    $user = $opts['user'];
    $domain = $opts['domain'];
    
    Accessing the data in Perl:

    Code:
    my %OPTS = @ARGV;
    my $user = $opts{'user'};
    my $domain = $opts{'domain'};
     
  4. stoo2000

    stoo2000 Active Member

    Joined:
    Jul 26, 2003
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Leicestershire, UK
    cPanel Access Level:
    Root Administrator
    How would this work if the user decided to change their password in cPanel ?

    Stuart
     
  5. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    I guess the question is if the user changes their password in cPanel after acct creation is the password still able to be accessed after the change has been made? i would assume its accessable but it would need decrypted I would think?
     
  6. newphp

    newphp Member

    Joined:
    Dec 27, 2006
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Chongqing,China
    If your system is Redhat AS4 or Centos 4.4 etc. the cPanel user passwords is local in /etc/shadow,and been encoded, it can't be accessed.
     
  7. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    Currently there is no hook for realchpass. I've put in a request for one to be added. Until then, you can edit /scripts/realchpass to have it output the password to your billing system. Until a hook is added, your changes will be overwritten by updates.
     
  8. emalbum

    emalbum Member

    Joined:
    Jun 5, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    I'll look into the /scripts/postwwwacct more, but in the meantime, I've devised the following solution:

    - A script that parses the /etc/shadow file and writes out the username:encPassword to a file that is outside of the web root and can be accessed from a non-root user. This is a scheduled process.

    - Use PHP's crypt function to compare the entered password with the one in my new file (from /etc/shadow)

    So far it works as I need it to...
     
  9. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    Update:

    please see:

    /usr/local/cpanel/hooks/README

    and specifically

    /usr/local/cpanel/hooks/passwd/change_password.example
     
  10. protocol

    protocol Well-Known Member
    PartnerNOC

    Joined:
    Apr 13, 2004
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    I notice this does not work if the user resets via the forgotten password feature. Can this be added to fire this hook too?
     
  11. dom974

    dom974 Active Member

    Joined:
    Jun 24, 2007
    Messages:
    41
    Likes Received:
    0
    Trophy Points:
    6
    Hello all,

    I tried the change_password example as stated in the readme but it does not work.

    Can someone explain to me how to use this hook ?

    Thanks

    Dominique
     
  12. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    The hook is a piece of code that executes based on a certain action, in this case upon the change of a user's password. You'll need to add code that makes it do whatever you wish to accomplish. Since I don't yet know what that is, I can't provide more assistance yet.
     
  13. dom974

    dom974 Active Member

    Joined:
    Jun 24, 2007
    Messages:
    41
    Likes Received:
    0
    Trophy Points:
    6
    is this change_password automatically triggered after using xml-api passwd function ?

    Normally after changing password, I should see this :

    Code:
    print "Your password was changed\n";
    print "OLDPASS: $oldpass\n";
    print "NEWPASS: $newpass\n";
    print "ERRORS: $errors\n";
    But it doesn't work ...

    Dominique
     
  14. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    Just ot make sure I'm on the same page. With the hook in place, you see the code executed after changing a password through cPanel or WHM but not while using the XML API?
     
  15. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Nice Dave! Glad to see you added the hook in this one, thanks!

    Will try it out soon and see if we have any luck.

    Matt
     
  16. dom974

    dom974 Active Member

    Joined:
    Jun 24, 2007
    Messages:
    41
    Likes Received:
    0
    Trophy Points:
    6
    Well, the hook is working if the user is changing his password under Cpanel but not under WHM ("Password modification") or when using the xml-api passwd

    Dominique
     
  17. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    I havent had a chance to check this but I'd think the XML-API would be the most important reason to have the hook.

    Do we need to specify a flag in the API call to execute the hook? Can we specify the script as a variable in the API call? Meaning, execute "post-change-passwd" or "post-change-password2" on the fly instead based on the parameters passed into the script instead of a hardcoded hook?
     
  18. freedman

    freedman Well-Known Member

    Joined:
    Feb 13, 2005
    Messages:
    312
    Likes Received:
    1
    Trophy Points:
    18
    if you mean, against their system/account password, then it's been answered, if you mean, you want their hosts accounts to be able to login (i.e' using their email/password like in webmail), that's stored in /home/ACCOUNT/etc/DOMAIN/{passwd,shadow}
     
  19. dom974

    dom974 Active Member

    Joined:
    Jun 24, 2007
    Messages:
    41
    Likes Received:
    0
    Trophy Points:
    6
    Since the new 11.8.0 update I can't even have the hook working (not with WHM, not with CPANEL)
    btw do you have the documentation for xml api passwd ?

    thank you

    Dominique
     
Loading...

Share This Page