check/verify cPanel account credentials

Discussion in 'cPanel Developers' started by FrankLaszlo, May 14, 2010.

  1. FrankLaszlo

    FrankLaszlo Active Member

    Is there any way with the API to check/verify cPanel account details? I'm creating some tools for our customers, but I need to make a way for them to "login" to the tools. I had thought about using our billing database, but it makes more sense to use the cPanel login credentials.

    So, is there an XML-API, API1, or API2 function to be able to check/verify a set of credentials provided for a cPanel account?
     
  2. FrankLaszlo

    FrankLaszlo Active Member

    I should probably clarify. I'm doing this in PHP, and the script DOES NOT reside on the same server as they would be logging into.

    I saw the cPanel::LogMeIn() function for Perl, but that doesn't really work for what I need.
     
  3. MattDees

    MattDees cPanel Product Owner
    Staff Member

    Alright, I had to bring this up with another developer to ensure that we have a sane solution for this one (btw, good question!).

    What would be easiest is to make *any* xml-api call via the cpanel call against port :2083, e.g.:

    $ip:2083/xml-api/cpanel?cpanel_xmlapi_module=StatsBar&cpanel_xmlapi_func=stat&display=hostname

    sending the user's credentials as HTTP auth. If it allows access, it's good; if not, it's bad.

    Now there is one fallacy to this plan, which is that someone can hit this a few times with invalid credentials and cause hulkd on your cpanel server to lock out your server making the request.

    The way around this is that if a user gets more than a certain number of invalid auths in a row, lock them out.

    I would also whitelist the IP of the calling server in hulkd:

    WHM -> cPHulk Brute Force Protection -> "Trusted IPs List"

    (it's a tiny link, it's there though, I promise)

    and whitelist your IP.

    To see how the backend database for this feature works, see /usr/local/cpanel/whostmgr/docroot/cgi/cphulkdwhitelist.cgi

    or

    mysql cphulk db whitelist table
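
The per-user lockout suggested in the post above, as an added example that is not part of the original thread: the calling application counts consecutive failures per username and stops forwarding attempts to cPanel once a limit is reached. The table name, the limits, the SQLite store and the `$verify` callable (standing in for the request to port 2083) are assumptions.

```php
<?php
const MAX_FAILURES = 5;       // assumed limit; keep below the cPHulk threshold set in WHM
const LOCKOUT_SECONDS = 900;  // assumed lockout window
function throttle_db(string $path): PDO {
    $db = new PDO("sqlite:$path");
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS login_failures (
        username TEXT PRIMARY KEY, failures INTEGER NOT NULL, last_failure INTEGER NOT NULL)');
    return $db;
}

// Returns [consecutive failures, time of last failure]; [0, 0] if none recorded.
function failure_row(PDO $db, string $username): array {
    $st = $db->prepare('SELECT failures, last_failure FROM login_failures WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row ? [(int)$row['failures'], (int)$row['last_failure']] : [0, 0];
}

function record_result(PDO $db, string $username, bool $ok, int $now): void {
    if ($ok) {  // a success ends the streak
        $db->prepare('DELETE FROM login_failures WHERE username = ?')->execute([$username]);
        return;
    }
    [$failures, $last] = failure_row($db, $username);
    $failures = ($now - $last >= LOCKOUT_SECONDS) ? 1 : $failures + 1;  // old streaks restart
    $db->prepare('REPLACE INTO login_failures (username, failures, last_failure) VALUES (?, ?, ?)')
       ->execute([$username, $failures, $now]);
}

// $verify is any callable(username, password): bool that performs the cPanel request.
function guarded_login(PDO $db, callable $verify, string $username, string $password, int $now): string {
    [$failures, $last] = failure_row($db, $username);
    if ($failures >= MAX_FAILURES && $now - $last < LOCKOUT_SECONDS) {
        return 'locked';  // refused locally; nothing is sent to port 2083
    }
    $ok = (bool) $verify($username, $password);
    record_result($db, $username, $ok, $now);
    return $ok ? 'ok' : 'denied';
}

// Constructed demo: a stub replaces the HTTP call so the script runs offline.
$calls = 0;
$stub = function (string $u, string $p) use (&$calls): bool { $calls++; return $p === 'correct'; };
$db = throttle_db(':memory:');
for ($i = 1; $i <= 7; $i++) {
    echo guarded_login($db, $stub, 'alice', 'wrong', 1000 + $i), "\n";
}
echo "requests sent to cPanel: $calls\n";
```

In a real deployment the database path would point at a file outside the web root, and `$now` would be `time()`.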
     
  4. FrankLaszlo

    FrankLaszlo Active Member

    I knew you'd come through Matt! I'll give this a shot in a little bit here. I was a bit disheartened that I didn't see anything in the XML-API documentation. Maybe something like this could be put in as a feature request?

    As a workaround for the time being, I set up the authentication module to attempt an FTP connection to the server with the credentials, since the default cPanel account also has FTP privileges. It works, but it has its obvious drawbacks and is a bit more "hackish" than I wanted.

    Again, thank you very much, I'll let you know if it works out.
     
  5. FrankLaszlo

    FrankLaszlo Active Member

    Thanks again Matt. It's working great. For anyone who's interested, here's the code:

    Functions:
    Code:
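    // Recursively convert a SimpleXML object (or nested objects/arrays) into a plain array.
    function objectsIntoArray($arrObjData, $arrSkipIndices = array()) {

        $arrData = array();
        if (is_object($arrObjData)) {
            $arrObjData = get_object_vars($arrObjData);
        }
        if (is_array($arrObjData)) {
            foreach ($arrObjData as $index => $value) {
                if (is_object($value) || is_array($value)) {
                    $value = objectsIntoArray($value, $arrSkipIndices);
                }
                if (in_array($index, $arrSkipIndices)) {
                    continue;
                }
                $arrData[$index] = $value;
            }
        }
        return $arrData;
    }

    // Make an XML-API call on port 2083 with the user's credentials as HTTP Basic auth.
    // Returns the parsed response as an array, or an empty array on any failure.
    function cpanel_auth($srv_ip, $username, $password) {

        $query = "https://$srv_ip:2083/xml-api/cpanel?cpanel_xmlapi_module=CustInfo&cpanel_xmlapi_func=displaycontactinfo";
        $curl = curl_init();
        // As posted, certificate and hostname verification are both disabled, so the
        // credentials are sent to a peer whose identity is not checked.
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
        curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
        curl_setopt($curl, CURLOPT_HEADER, 0);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        // curl adds the line ending itself; the header value must not carry one.
        $header = array("Authorization: Basic " . base64_encode($username . ":" . $password));
        curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
        curl_setopt($curl, CURLOPT_URL, $query);
        $result = curl_exec($curl);
        if ($result === false) {
            error_log("curl_exec threw error \"" . curl_error($curl) . "\" for $query");
            curl_close($curl);
            return array(); // transport failure: treat as not authenticated
        }
        curl_close($curl);

        // If the response is not parseable XML (for example an HTML error page),
        // return an empty array so the caller treats the login as failed.
        $xmlObj = @simplexml_load_string($result);
        if ($xmlObj === false) {
            return array();
        }
        return objectsIntoArray($xmlObj);
    }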
    
    Login Code:
    Code:
    $cpauth = cpanel_auth($serverip, $username, $password);
    // Accept the login only if the API call reports result == 1; a missing key means failure.
    if (!isset($cpauth['event']['result']) || $cpauth['event']['result'] != 1) {
        print "<br /><div align=\"center\"><h3>Invalid login credentials. Please try again.</h3><a href=\"index.php\">Login</a></div><br />";
        exit(1);
    } else {
        session_start();
        session_regenerate_id(true); // issue a fresh session ID on login
        $_SESSION['username'] = $username;
        $_SESSION['servername'] = $servername;
        $_SESSION['serverip'] = $serverip;
        // <more secret code here that does cool stuff>
    }
    
     