SOLVED Disable user login with passwords - SSO only?

aUT

Registered
Dec 30, 2019
4
2
3
UK
cPanel Access Level
Root Administrator
I would like to disable the ability for a user to sign in to their cPanel account using a username and password using the URL https://example.com:2083

All our users log in using WHMCS, then click through to cPanel, (validated though the API token that links WHM to our install of WHMCS) so there is no need to a separate login for cpanel, so I'd rather close this way of accessing the server.

Does anyone know how to disable logins to cpanel using the username and password, while still allowing logins using the API token?

Thanks :)
 
  • Like
Reactions: martin MHC

cPanelHB

Technical Analyst
Staff member
Sep 6, 2018
42
7
83
Houston
cPanel Access Level
Root Administrator
Hello,

You can disable the password, which will prevent the cPanel login page but still allow token or key-based logins.

If you have root command line access, you can use the following:

passwd -l cpanelusername

You will probably also need to disable password resets for cPanel accounts ( WHM » Tweak Settings » "Reset Password for cPanel accounts" )

Does that work for your purposes?
 

aUT

Registered
Dec 30, 2019
4
2
3
UK
cPanel Access Level
Root Administrator
Hi @cPanelHB

That gets me some of the way there.... While it successfully disables password access without blocking token/API access, if I run that code on a user, the user shows as suspended in WHM, which I suspect may lead to suspension/unsuspension issues in WHMCS. Is there a way to get around this and prevent the user showing as suspended while still having the password locked?

I assume it may require modifying how WHM determines if a user is suspended?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,272
313
Houston
Hi @aUT

You're correct, I did confirm that this does, in fact, suspend the account. Account suspension uses the same method to disable the password on the account which wouldn't be a viable solution in this case. There really isn't a native way to do this in cPanel, but I do think it's worthy of a feature request. I'd suggest going that route and adding the link to the thread once it's complete.
 

aUT

Registered
Dec 30, 2019
4
2
3
UK
cPanel Access Level
Root Administrator
@cPanelLauren, it doesn't actually suspend the account, the account will still be accessible and all services appear to work, however WHM will view it as suspended. I suspect that WHM uses the lock status as a shortcut to see if an account is suspended, which is why locking an account causes it to show as suspended.

I have however possibly got another solution.

Locking the account prepends "!!" to the user's encrypted password in the /etc/shadow account, meaning that no password will ever match the hash. It looks like it's also common practise to set the /etc/shadow password entry with a "*" to render it not possible to log in as that user with a password.

I cannot see any negative repercussions to this for WHM, however it would be good to know if there is anything I'm missing! Any thoughts?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,272
313
Houston
@cPanelLauren, it doesn't actually suspend the account, the account will still be accessible and all services appear to work, however WHM will view it as suspended. I suspect that WHM uses the lock status as a shortcut to see if an account is suspended, which is why locking an account causes it to show as suspended.
I am aware, but having it appear suspended, with the unknown of what else it's affecting is enough to make it unviable in my opinion.

I have however possibly got another solution.

Locking the account prepends "!!" to the user's encrypted password in the /etc/shadow account, meaning that no password will ever match the hash. It looks like it's also common practise to set the /etc/shadow password entry with a "*" to render it not possible to log in as that user with a password.

I cannot see any negative repercussions to this for WHM, however it would be good to know if there is anything I'm missing! Any thoughts?
prepending the password entry with a * will inhibit logins and won't show the user as suspended in WHM.

Prepending the password entry with a !! is exactly the same thing that passwd -l $user does. So this will show as suspended in WHM.

Both of these allow for password resets. So it is potentially possible to reset the password and log in with the new one.

You can disable password resets by going to WHM>>Service Configuration>>Tweak Settings -> Reset Password for cPanel accounts and toggling that to off. Keep in mind this only changes the ability to reset the password via email, password resets initiated through UAPI or WHM will replace the entry in /etc/shadow and allow for password logins once more
 
  • Like
Reactions: martin MHC