cPanel API Password & Hash Authentication

PK-Host

Registered
Jul 28, 2012
4
0
1
cPanel Access Level
Root Administrator
Hi,

I am attempting to authenticate into a cPanel account with its owners (Reseller Access Hash) key.
I have so far got it working so that the api can authenticate with the reseller's password into any of their accounts as per the setting in root WHM. However I'd prefer to use the access hash if possible.

Is it possible to authenticate into cPanel accounts using its owners hash key?
So far I've got,

PHP:
$authstr = $array['cpuser'] . ":" . $array['cppass'];
$pass = base64_encode($authstr);
if(empty($array['cppass'])){
	fputs($socket, "Authorization: WHM " . $array['cpuser'] . ":" . preg_replace("'(\r|\n)'","",$array['cphash']) . "\r\n");
}else{
	fputs($socket, "Authorization:Basic " . $pass . "\r\n");
}
However when it trys authenticate with the access hash I get

Code:
HTTP/1.1 403 Forbidden Access denied
Connection: close
Server: cpsrvd/11.32.3.21
Content-type: text/plain

Access denied
Any help appreciated.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
79
458
cPanel Access Level
Root Administrator
To use impersonation you must use the password. We don't support impersonation using any other mechanism at this time.
 

PK-Host

Registered
Jul 28, 2012
4
0
1
cPanel Access Level
Root Administrator
To use impersonation you must use the password. We don't support impersonation using any other mechanism at this time.
Ok, Can you confirm that there is no way of passing the resellers password already encrypted through the API? As if not I would have to store the passwords in a database which would be encrypted with openssl but it would inevitably still be able to be reversed.
 

geck

Member
Aug 9, 2012
8
0
1
Houston, TX
cPanel Access Level
Root Administrator
Ok, Can you confirm that there is no way of passing the resellers password already encrypted through the API? As if not I would have to store the passwords in a database which would be encrypted with openssl but it would inevitably still be able to be reversed.
No, there is not.

However you can run API calls against a user while authenticated as the reseller on port 2087.


f.ex.

json-api/cpanel?
cpanel_jsonapi_apiversion=2&
cpanel_jsonapi_user=$username&
cpanel_jsonapi_module=Email&
cpanel_jsonapi_func=listpopswithdisk

will get you a listing of a user's email accounts.