Flaio

Registered
Jul 23, 2019
4
1
1
Jupitor
cPanel Access Level
Website Owner
My searches are coming up with nothing clear about this.

I need to use the cPanel CLI from a script on the server. That is fine without 2FA enabled in cPanel, but when it's enabled (cPanel > 2FA > enable), the CLI script on the server doesn't seem to work anymore.

Is there anything that can be added to curl_setopt(), or can tfa_validated_securitytoken be used to do this? Is it possible only in some other way, or not possible at all?

It would be a shame if additional security broke CLI, as then what would be the point, as people won't use additional security.

If anyone has an answer, even a guess is appreciated.
 

Flaio

It's a bit early, but after more searching, it feels to me that the cPanel devs have not implemented or are unable to understand how to do this in a way that maintains the improved security by way of an automated script running on the very server it's connecting to.

Seems to me to be something needing improvement and I am forced to either not run the script and do things manually or downgrade login security. The latter of which is never acceptable.

Edit - The tfa_validated_securitytoken is mentioned in the following link, but it looks like an auto script will still crash and burn with 2FA enabled, with no apparent way to do anything automatic like this with 2FA enabled: How to Log in to Your Server or Account - cPanel Knowledge Base - cPanel Documentation

Additional edit - cPanel could implement a function that allows stuff to be automated in all cases, thereby not needing the script to do this. I will look further into cPanel to see if it can do this here.
 

Flaio

Thanks, I appreciate that very much. Had noticed that before but it appears to require the 2FA OTP to be used same as logging into cPanel manually.

Actually, found that the uapi CLI command does work for me (just had to remove the --user specifier for non-root use). Almost have that working right now, and it's probably better than trying to find a way around 2FA, which surely is a dead end lol.

At least something works :)
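The approach described in the post above, as an added example that is not part of the original thread and is not cPanel's own code: a script running on the server as the cPanel account invokes the local `uapi` binary, so no password, session token or OTP travels over HTTP. The `Email list_pops` call in the usage and the shape of the constructed sample output are assumptions for illustration.

```python
import json
import subprocess

# Constructed sample of `uapi --output=json` output (not captured from a real server).
SAMPLE_OUTPUT = json.dumps({
    "apiversion": 3, "module": "Email", "func": "list_pops",
    "result": {"status": 1, "errors": None, "messages": None,
               "data": [{"email": "info@example.com"}]},
})


class UapiError(RuntimeError):
    """Raised when uapi reports a failed call (result.status != 1)."""


def build_command(module, function, params=None, user=None):
    """Build the argv for a local uapi call.

    user=None is the non-root case from the thread: the script already runs
    as the cPanel account, so --user is omitted and no password or OTP is sent.
    """
    argv = ["uapi", "--output=json"]
    if user is not None:  # only meaningful when the script runs as root
        argv.append(f"--user={user}")
    argv += [module, function]
    # Pass parameters as separate argv items; never build a shell string.
    argv += [f"{key}={value}" for key, value in (params or {}).items()]
    return argv


def parse_result(raw):
    """Return result.data, or raise UapiError with the reported errors."""
    result = json.loads(raw).get("result") or {}
    if result.get("status") != 1:
        raise UapiError("; ".join(result.get("errors") or ["unknown uapi failure"]))
    return result.get("data")


def call_uapi(module, function, params=None, user=None, timeout=30):
    """Run uapi on the server itself and return the parsed data."""
    proc = subprocess.run(build_command(module, function, params, user),
                          capture_output=True, text=True, timeout=timeout, check=True)
    return parse_result(proc.stdout)


if __name__ == "__main__":
    print(parse_result(SAMPLE_OUTPUT))  # offline demo on the constructed sample
```

On a real server the script would call `call_uapi("Email", "list_pops")` from the account's own cron job or shell, which keeps 2FA enabled for interactive logins.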
 

rinkleton

Well-Known Member
Jul 16, 2015
116
6
68
Cleveland
cPanel Access Level
Root Administrator
Update - Yes, uapi CLI did work out quite nicely plus 2FA can stay enabled now. Took a lot of searches though. A whole day of searching for stuff :-D
I'd like some clarification on this. I'm assuming this worked for you because it sounds like the cPanel account has 2fa enabled, but you either authorized with the root account (which never has 2fa)... or with a WHM account that does not have 2fa enabled? So this would mean that if both the cPanel and WHM accounts have 2fa enabled then the API call MUST send an OTP?

It seems like 2fa does not apply to the whm and cpanel apis, but does apply to the uapi?
 

rinkleton

Also, with the UAPI, the only way I got it to work right is if I used the cPanel account's username in the auth but the root or WHM reseller's password (I don't remember which). I remember it being kind of funky. Ultimately I want to auth against a higher credential set, but act as the lower level user (for which I may not have the credentials, including 2fa). If the user has 2fa enabled, it looks like we must pass their OTP. We don't have their key, so we can't produce the OTP. I've had to disable 2fa for all cPanel accounts because of this.

I would argue that 2fa in an api setting defeats the purpose because both factors need to be present in the same place at the same time. This creates 1 point of failure.