check/verify cPanel account credentials

FrankLaszlo

Active Member
Dec 19, 2008
35
0
56
Is there any way with the API to check/verify cPanel account details? I'm creating some tools for our customers, but I need to make a way for them to "login" to the tools. I had thought about using our billing database, but it makes more sense to use the cPanel login credentials.

So, is there an XML-API, API1, or API2 function to be able to check/verify a set of credentials provided for a cPanel account?
 

FrankLaszlo

I should probably clarify. I'm doing this in PHP, and the script DOES NOT reside on the same server as they would be logging into.

I saw the cPanel::LogMeIn() function for Perl, but that doesn't really work for what I need.
 

MattDees

Well-Known Member
Apr 29, 2005
416
1
243
Houston, TX
cPanel Access Level
Root Administrator
Alright, I had to bring this up with another developer to ensure that we have a sane solution for this one (btw, good question!).

What would be easiest is to make *any* xml-api call via the cpanel call against port :2083, e.g.:

$ip:2083/xml-api/cpanel?cpanel_xmlapi_module=StatsBar&cpanel_xmlapi_func=stat&display=hostname

sending the user's credentials as HTTP auth. If it allows access, it's good; if not, it's bad.

Now there is one fallacy to this plan, which is that someone can hit this a few times with invalid credentials and cause hulkd on your cpanel server to lock out your server making the request.

The way around this is that if a user gets more than a certain number of invalid auths in a row, lock them out.

I would also whitelist the IP of the calling server in hulkd:

WHM -> cPHulk Brute Force Protection -> "Trusted IPs List"

(it's a tiny link, it's there though, I promise)

and whitelist your IP.

To see how the backend database for this feature works, see /usr/local/cpanel/whostmgr/docroot/cgi/cphulkdwhitelist.cgi

or

mysql cphulk db whitelist table
 

FrankLaszlo

I knew you'd come through Matt! I'll give this a shot in a little bit here. I was a bit disheartened that I didn't see anything in the XML-API documentation. Maybe something like this could be put in as a feature request?

As a workaround for the time being, I set up the authentication module to attempt an FTP connection to the server with the credentials, since the default cPanel account also has FTP privileges. It works, but it has its obvious drawbacks and is a bit more "hackish" than I wanted.

Again, thank you very much, I'll let you know if it works out.
 

FrankLaszlo

Thanks again Matt. It's working great. For anyone who's interested, here's the code:

Functions:
Code:
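// Recursively convert an object (here the SimpleXML result) into a nested array,
// leaving out any keys listed in $arrSkipIndices.
function objectsIntoArray($arrObjData, $arrSkipIndices = array()) {

    $arrData = array();
    if (is_object($arrObjData)) {
        $arrObjData = get_object_vars($arrObjData);
    }
    if (is_array($arrObjData)) {
        foreach ($arrObjData as $index => $value) {
            if (is_object($value) || is_array($value)) {
                $value = objectsIntoArray($value, $arrSkipIndices);
            }
            if (in_array($index, $arrSkipIndices)) {
                continue;
            }
            $arrData[$index] = $value;
        }
    }
    return $arrData;
}

// Run one XML-API call on the remote cPanel server (port 2083) as $username.
// Returns the parsed response as an array, or an empty array on any failure.
function cpanel_auth($srv_ip, $username, $password) {

    $query = "https://$srv_ip:2083/xml-api/cpanel?cpanel_xmlapi_module=CustInfo&cpanel_xmlapi_func=displaycontactinfo";
    $curl = curl_init();
    // Verify the server certificate: the account password travels in this request.
    // $srv_ip must therefore be a name (or IP) that the certificate was issued for.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($curl, CURLOPT_HEADER, 0);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    // cURL terminates each header line itself, so no line break is appended here.
    $header = array("Authorization: Basic " . base64_encode($username . ":" . $password));
    curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
    curl_setopt($curl, CURLOPT_URL, $query);
    $result = curl_exec($curl);
    if ($result === false) {
        error_log("curl_exec threw error \"" . curl_error($curl) . "\" for $query");
        curl_close($curl);
        return array();
    }
    curl_close($curl);

    // If the body is not XML (for example an error page), treat the check as failed.
    $xmlObj = @simplexml_load_string($result);
    if ($xmlObj === false) {
        return array();
    }
    return objectsIntoArray($xmlObj);
}
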
Login Code:
Code:
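$cpauth = cpanel_auth($serverip, $username, $password);
// A missing result key (failed request or rejected login) counts as a failed login.
if (!isset($cpauth['event']['result']) || $cpauth['event']['result'] != 1) {
    print "<br /><div align=\"center\"><h3>Invalid login credentials. Please try again.</h3><a href=\"index.php\">Login</a></div><br />";
    exit(1);
} else {
    session_start();
    // Issue a fresh session ID at login so a pre-set ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['servername'] = $servername;
    $_SESSION['serverip'] = $serverip;
    // <more secret code here that does cool stuff>
}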
}
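
The lockout MattDees suggests above (stop forwarding a user's attempts after several invalid auths in a row, so the calling server never trips cPHulk) can sit in front of the remote check. This is an added example, not code from the thread: `AuthThrottle`, its limits and the stub verifier are hypothetical names and values, and it assumes PHP 8.0 or later.

```php
<?php
// Added example: consecutive-failure lockout in front of the cPanel check.
// AuthThrottle, $maxFails, $lockSecs and the stub verifier are hypothetical.
final class AuthThrottle
{
    private array $state = [];   // username => ['fails' => int, 'until' => int]

    public function __construct(
        private int $maxFails = 3,    // assumed value; keep it below the cPHulk limit
        private int $lockSecs = 900   // assumed lockout length in seconds
    ) {}

    /** Returns 'ok', 'bad' or 'locked'; $verify runs only when not locked. */
    public function attempt(string $user, string $pass, callable $verify, ?int $now = null): string
    {
        $now ??= time();
        $key = strtolower($user);     // case variants share one counter
        $s = $this->state[$key] ?? ['fails' => 0, 'until' => 0];

        if ($s['until'] > $now) {
            return 'locked';          // nothing is sent to port 2083
        }
        if ($verify($user, $pass)) {
            unset($this->state[$key]); // a success resets the streak
            return 'ok';
        }
        $s['fails']++;
        if ($s['fails'] >= $this->maxFails) {
            $s = ['fails' => 0, 'until' => $now + $this->lockSecs];
        }
        $this->state[$key] = $s;
        return 'bad';
    }
}

// Constructed demo: the stub stands in for the remote XML-API request.
$calls = 0;
$stub = function (string $u, string $p) use (&$calls): bool {
    $calls++;
    return $u === 'alice' && $p === 'correct-horse';
};
$throttle = new AuthThrottle(3, 900);
$t0 = 1000000;                         // constructed clock value
foreach (['x', 'y', 'z', 'correct-horse'] as $i => $guess) {
    echo $throttle->attempt('alice', $guess, $stub, $t0 + $i), "\n";
}
echo $throttle->attempt('alice', 'correct-horse', $stub, $t0 + 903), "\n";
echo "remote calls: $calls\n";
```

The counters here live in memory for one request only; in a deployed login page they belong in storage shared across requests (a database table, for example) and not in the visitor's session, which the visitor can simply discard.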