The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Integrate Yubikey into WHM Login

Discussion in 'cPanel Developers' started by medfordite, Dec 24, 2011.

  1. medfordite

    medfordite Member

    Joined:
    Dec 13, 2011
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    In reading this thread they mentioned Yubikey as a suggestion for integrating into cPanel/WHM.

    I have a Yubikey and was playing around with the library found here and used their demo page supplied in the archive to test my login and Yubikey which worked perfectly after some tweaking to the server to include the PostgresSQL database server and granting the correct permissions...etc...

    With all of this done, their code looks basically like this to integrate into your site's login code:

    Code:
    <?php
    require_once 'Auth/Yubico.php';
    include "config.php";
    
    $username = $_REQUEST["username"];
    $password = $_REQUEST["password"];
    $mode = $_REQUEST["mode"];
    $key = $_REQUEST["key"];
    $passwordkey = $_REQUEST["passwordkey"];
    
    # Quit early on no input
    if (!$key && !$passwordkey) {
      $authenticated = -1;
      return;
     }
    
    # Prepare passwordkey using password and key variables
    if (($password && $key) && !$passwordkey) {
      $passwordkey = $password . ':' . $key;
    }
    
    # Convert passwordkey fields into password + key variables
    if ($passwordkey) {
      $ret = Auth_Yubico::parsePasswordOTP($passwordkey);
    } else {
      $ret = Auth_Yubico::parsePasswordOTP($key);
    }
    
    if (!$ret) {
      $authenticated = 31;
      return;
    }
    
    $identity = $ret['prefix'];
    $key = $ret['otp'];
    
    # Check OTP
    $yubi = new Auth_Yubico($CFG[__CLIENT_ID__], $CFG[__CLIENT_KEY__]);
    $auth = $yubi->verify($key);
    if (PEAR::isError($auth)) {
      $authenticated = 1;
      return;
     } else {
      $authenticated = 0;
     }
    
    # Fetch realname
    $dbconn = pg_connect($CFG[__PGDB__])
      or error_log('Could not connect: ' . pg_last_error());
    if (!$dbconn) {
      $authenticated = 2;
      return;
     }
    
    # Admin mode doesn't need realname or username/password-checking
    if ($mode == "admin") {
      return;
     }
    
    $query  = sprintf ("SELECT username FROM public WHERE id='%s'",
               pg_escape_string($identity));
    $result = pg_query($query);
    if ($result) {
      $row = pg_fetch_row($result);
      if ($row[0]) {
        $realname = $row[0];
      }
     }
    
    # Check password (two-factor)
    if ($passwordkey) {
      $query  = sprintf ("SELECT password FROM public WHERE id='%s'",
                 pg_escape_string($identity));
      $result = pg_query($query);
      if ($result) {
        $row = pg_fetch_row($result);
        if ($row[0]) {
          $db_password = $row[0];
        }
      }
    
      if ($db_password == $ret['password']) {
        $authenticated = 0;
      } else {
        $authenticated = 4;
        return;
      }
     }
    
    # Check username (two-factor legacy)
    if ($mode == "legacy") {
      if ($realname == $username) {
        $authenticated = 0;
      } else {
        $authenticated = 5;
        return;
      }
     }
    ?>
    
    
    
    The yubico.php is where all the good stuff happens. Some of the other calls for Admin Modes and other items are just to show the database call from the Postgres if you set a username/password in there earlier.

    If I were to set up a database under my main account which is basically mydomain.com (WHM lives on server.mydomain.com), would it be difficult to take some snippets from the code above and place it in the WHM Login file for increased security and call from the database?
     
  2. medfordite

    medfordite Member

    Joined:
    Dec 13, 2011
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    *BUMP* Anyone?
     
  3. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    You could put PHP code on your own site then make use of /usr/local/cpanel/Cpanel/LogMeIn.pm to handle logging into WHM. However, that does nothing to the actual login screen of cPanel, which even if you were to delete that (WARNING: may have unintended side-effects, so just speaking hypothetically here)... anyone that knows some basic HTML should be able to bypass any lack of login theme since cpsrvd is only expecting to receive a username, password and standard HTTP headers.

    I'm just curious though - why require Yubikey for web-based login but not plain-text FTP... or any other protocol where a cPanel login can be used? It'd make more sense to incorporate multi-factor authentication for every place that login can be used, not just one of the strongest places (built-in forced HTTPS, IP verification, cookie spoofing protection, XSRF protection etc.). However, as mentioned in the thread you reference, that can only be done well once we support pluggable authentication.
     
  4. medfordite

    medfordite Member

    Joined:
    Dec 13, 2011
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    The reason behind integrating multi-factor login is because of the sheer number of hack attempts that come in reported and blocked by the firewall. I am very highly security minded and know that if the hacker were to view the YubiKey login field - they would move on or at least be a bit thwarted.

    I have gone so far as to consider just making a simple PHP page with the login and username/YubiKey combo and redirecting to that instead, but haven't gone to far in that area. Just trying to gauge what may be required to add the code into the present login. It doesn't seem like it would be too difficult, but then again, I have been known to break things by thinking it wouldn't be too difficult. :)

    I am thinking at this exact moment of doing an 'intercept' to pre-authenticate the YubiKey first, then pass the 'all clear' to the normal WHM log in using Apache.

    I do have a VERY strong password tied to the root account and change that as well from time to time to keep things secure. While others are perfectly content knowing that their server is safe by the alerts, I am more alarmed when I see those attempts coming in and being blocked, Even though the job is being done by protection, I prefer to have a minimal amount of attempts or none at all.
     
  5. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    On my server, I never login as root directly. On SSH, I su, and in WHM I have a secondary account with root-level access and I have IP Address verification enabled in WHM. Looking at my firewall logs periodically, most of the stuff I see coming into my server is POP3 and FTP. Then again, I followed the CentOS instructions on locking down SSH and oddly enough it's kinda rare for me to have someone trying to login to SSH on its current port. Technically, you could probably change the ports for everything except cPanel&WHM, but that would just create more support issues for you than it may be worth.

    I can't wait to see this Yubikey stuff work with cPanel myself - especially since YubiCo just ran a good sale on Yubikeys.
     
  6. medfordite

    medfordite Member

    Joined:
    Dec 13, 2011
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I log in to the WHM directly on the front end when I need to tweak Apache and do various things there. If changing the port was enough, I think I would do that myself. But in this case, not really an ideal thing at the moment. Since most hackers can do a port scan on an active server, they can find the port pretty quickly for logins.

    When I use SSH for the server is usually for low level tasks or installation of other software to enhance the cPanel or WHM front end.

    I have a semi-static IP address, but it does change seemingly randomly and very far apart. So, I can generally count on my IP for a month or two at a time, but in the event that it changed, I don't want to have to 'fix' the IP auth manually.

    Most my alerts come in from hackers trying to hit the WHM login.
     
  7. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Yes, but surprisingly that's not the case in my experience. I'm guessing the whole finding of vulnerable servers has been outsourced to botnets and for the sake of speed, don't bother portscanning.

    As for most things hitting the WHM login, agreed - that is an issue that multi-factor auth can address, especially since the port number for WHM cannot be (reliably) changed.
     

Share This Page