Best way to store cPanel Password

iSofia

Member
Jun 3, 2014
14
0
1
cPanel Access Level
Website Owner
Hello Everyone,
In order to enable users to change their own email passwords, the cPanel password is first required for the XMLAPI authentication stage:

Code:
$xmlapi->password_auth($cpUsername, $cpPassword);
I was wondering, since this is not entered by the user, and has to be stored somewhere accessible by the script, what would be the best and safest way to store it?

Any suggestions would be welcome.

Thank you. :)
 

DavidN.

Active Member
Mar 19, 2013
42
3
83
cPanel Access Level
DataCenter Provider
Hello,

Could you give more details about how email users will be changing their passwords?

If you are connecting to your cPanel server as root or as the reseller who owns the account, you can use WHM API1's create_user_session, which will provide you with a temporary password and security token you can use to make calls (including password changes) as the cPanel user.

David Nielson
Integration Developer, cPanel
 

iSofia

> Could you give more details about how email users will be changing their passwords?
Hi David; thank you for your reply. This is in reference to the following code for changing email account passwords:
Code:
//host domain:     xyz.com
//cpanel username: xyzusa
//cpanel password: locknkey
//email account:   [email protected]
//new password:    js123456

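include("xmlapi.php");

// cPanel server address and hardcoded cPanel account credentials
$ip = '50.90.180.220';
$cPanel_ID = 'xyzusa';
$cPanel_pass = 'locknkey';

// Email account to update and the new password (supplied by the user through a form)
$email_account = 'john';
$email_domain = 'abc.com';
$email_newPW = 'js123456';

$xmlapi = new xmlapi($ip);
// 2082 is cPanel's non-SSL port, so the credentials travel unencrypted; 2083 is the SSL port
$xmlapi->set_port(2082);
$xmlapi->password_auth($cPanel_ID, $cPanel_pass);

$args = array('domain'=>$email_domain, 'email'=>$email_account, 'password'=>$email_newPW);

// The first argument is the cPanel username that owns the email account
$xmlapi->api2_query($cPanel_ID, "Email", "passwdpop", $args);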
The user would provide the new password through a form. But how should we store the cPanel password without it being visible or accessible?

The WHM API1 create_user_session seems promising; could you kindly assist me with some pointers please?

Thank you. :)
 

iSofia

Hello again,
So, is it safe to assume that cPanel passwords should be hard coded into the scripts themselves? No way around it?

Thank you.
 

DavidN.

Hello again,

Sorry I've been so slow to reply; I've been away at a conference, and just got back yesterday afternoon.

If your plugin runs as root or a reseller, you can use that authentication to generate a user session, and use the security token from that session to execute API calls on the user's behalf. Documentation for the call is here:

http://documentation.cpanel.net/display/SDK/WHM+API+1+-+create_user_session

Please let me know if you will need anything else.

David Nielson
Integration Developer, cPanel
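
The session-based approach described in the reply above, sketched as an added example (not code from the thread or from cPanel): the script keeps only a reseller/root WHM credential in a file outside the web root, checks that file's permissions, and requests a temporary user session instead of storing the cPanel account password. The helper names, host, file path and the `Authorization: WHM` header form are assumptions; the sample response is constructed, with field names assumed from the WHM API 1 documentation linked above.

```php
<?php
// Added example; helper names, paths and host are hypothetical.

// Load the WHM API token (or access hash) from a file outside the web root.
// Refuse a file that group or other users can read.
function load_whm_secret(string $path): string {
    $perms = fileperms($path);
    if ($perms === false || ($perms & 0077) !== 0) {
        throw new RuntimeException("$path must be mode 0600 or stricter");
    }
    return preg_replace('/\s+/', '', file_get_contents($path));
}

// Ask WHM over TLS (port 2087) for a temporary session as $cpUser.
function create_user_session(string $host, string $whmUser, string $secret, string $cpUser): string {
    $query = http_build_query(['api.version' => 1, 'user' => $cpUser, 'service' => 'cpaneld']);
    $ch = curl_init("https://$host:2087/json-api/create_user_session?$query");
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_HTTPHEADER     => ["Authorization: WHM $whmUser:$secret"],
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('WHM request failed: ' . curl_error($ch));
    }
    return $body;
}

// Pull out the short-lived values; the cPanel account password is never needed.
function parse_session(string $json): array {
    $r = json_decode($json, true);
    if (!is_array($r) || ($r['metadata']['result'] ?? 0) != 1) {
        throw new RuntimeException('create_user_session failed: ' . ($r['metadata']['reason'] ?? 'bad response'));
    }
    return ['token' => $r['data']['cp_security_token'], 'expires' => $r['data']['expires'], 'url' => $r['data']['url']];
}

// Live use (hypothetical host and path):
// parse_session(create_user_session('host.example', 'reseller', load_whm_secret('/home/reseller/.whm_token'), 'xyzusa'));

// Constructed sample response so the parsing step runs offline.
$sample = '{"data":{"cp_security_token":"/cpsess0000000000","expires":1402000000,'
        . '"session":"xyzusa:EXAMPLE","url":"https://host.example:2083/cpsess0000000000/login/?session=EXAMPLE"},'
        . '"metadata":{"result":1,"reason":"Created session","version":1,"command":"create_user_session"}}';
$s = parse_session($sample);
echo "token={$s['token']} expires={$s['expires']}\n";
```

The returned token and login URL expire with the session, so a leak of the script's output exposes far less than a stored account password would.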