SOLVED Disable user login with passwords - SSO only?

A

aUT

Registered
Dec 30, 2019
4
2
3
UK
cPanel Access Level
Root Administrator
I would like to disable the ability for a user to sign in to their cPanel account using a username and password using the URL https://example.com:2083

All our users log in using WHMCS, then click through to cPanel, (validated though the API token that links WHM to our install of WHMCS) so there is no need to a separate login for cpanel, so I'd rather close this way of accessing the server.

Does anyone know how to disable logins to cpanel using the username and password, while still allowing logins using the API token?

Thanks :)
 
  • Like
Reactions: martin MHC
cPanelHB

cPanelHB

Technical Analyst
Staff member
Sep 6, 2018
42
7
83
Houston
cPanel Access Level
Root Administrator
Hello,

You can disable the password, which will prevent the cPanel login page but still allow token or key-based logins.

If you have root command line access, you can use the following:

passwd -l cpanelusername

You will probably also need to disable password resets for cPanel accounts ( WHM » Tweak Settings » "Reset Password for cPanel accounts" )

Does that work for your purposes?
 
A

aUT

Registered
Dec 30, 2019
4
2
3
UK
cPanel Access Level
Root Administrator
Hi @cPanelHB

That gets me some of the way there.... While it successfully disables password access without blocking token/API access, if I run that code on a user, the user shows as suspended in WHM, which I suspect may lead to suspension/unsuspension issues in WHMCS. Is there a way to get around this and prevent the user showing as suspended while still having the password locked?

I assume it may require modifying how WHM determines if a user is suspended?
 
cPanelLauren

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston
Hi @aUT

You're correct, I did confirm that this does, in fact, suspend the account. Account suspension uses the same method to disable the password on the account which wouldn't be a viable solution in this case. There really isn't a native way to do this in cPanel, but I do think it's worthy of a feature request. I'd suggest going that route and adding the link to the thread once it's complete.
 
A

aUT

Registered
Dec 30, 2019
4
2
3
UK
cPanel Access Level
Root Administrator
@cPanelLauren, it doesn't actually suspend the account, the account will still be accessible and all services appear to work, however WHM will view it as suspended. I suspect that WHM uses the lock status as a shortcut to see if an account is suspended, which is why locking an account causes it to show as suspended.

I have however possibly got another solution.

Locking the account prepends "!!" to the user's encrypted password in the /etc/shadow account, meaning that no password will ever match the hash. It looks like it's also common practise to set the /etc/shadow password entry with a "*" to render it not possible to log in as that user with a password.

I cannot see any negative repercussions to this for WHM, however it would be good to know if there is anything I'm missing! Any thoughts?
 
cPanelLauren

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston
aUT said:
@cPanelLauren, it doesn't actually suspend the account, the account will still be accessible and all services appear to work, however WHM will view it as suspended. I suspect that WHM uses the lock status as a shortcut to see if an account is suspended, which is why locking an account causes it to show as suspended.
Click to expand...
I am aware, but having it appear suspended, with the unknown of what else it's affecting is enough to make it unviable in my opinion.

aUT said:
I have however possibly got another solution.

Locking the account prepends "!!" to the user's encrypted password in the /etc/shadow account, meaning that no password will ever match the hash. It looks like it's also common practise to set the /etc/shadow password entry with a "*" to render it not possible to log in as that user with a password.

I cannot see any negative repercussions to this for WHM, however it would be good to know if there is anything I'm missing! Any thoughts?
Click to expand...
prepending the password entry with a * will inhibit logins and won't show the user as suspended in WHM.

Prepending the password entry with a !! is exactly the same thing that passwd -l $user does. So this will show as suspended in WHM.

Both of these allow for password resets. So it is potentially possible to reset the password and log in with the new one.

You can disable password resets by going to WHM>>Service Configuration>>Tweak Settings -> Reset Password for cPanel accounts and toggling that to off. Keep in mind this only changes the ability to reset the password via email, password resets initiated through UAPI or WHM will replace the entry in /etc/shadow and allow for password logins once more
 
  • Like
Reactions: martin MHC
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
C Disable xmlrpc per user using whm Security 1
M SOLVED mod_userdir needs to be disabled if running PHP-FPM? Security 2
R how to disable email user change password option after login Security 1
postcd Receiving SSH login alert emails for user that has shell access disabled Security 1
psrch WHM > Tweak Settings > Disable login with root or reseller password into the users' c Security 3
Similar threads
Disable xmlrpc per user using whm
SOLVED mod_userdir needs to be disabled if running PHP-FPM?
how to disable email user change password option after login
Receiving SSH login alert emails for user that has shell access disabled
WHM > Tweak Settings > Disable login with root or reseller password into the users' c
Top Bottom