Old account passwords STILL WORK!

Discussion in 'General Discussion' started by dansgalaxy, Jul 8, 2009.

  1. dansgalaxy

    dansgalaxy Well-Known Member

    I have a client who is getting very frustrated, as his old passwords still work (as well as new).

    I have spoken to the company responsible for my server license and ended up changing password from command line and that seemed to wipe out old passwords, but now he's changed the password to his own one the problem remains and all his old passwords still work.

    This is an urgent security issue for the client as he gave access to someone to do something and is now unable to revoke it.

    Any ideas as to why and how the hell this is happening?
     
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Can you provide me with detailed steps as to what the user is doing that is resulting in old passwords working? This will assist me in replicating this issue.
     
  3. dansgalaxy

    Changing password..

    He has changed password using WHMCS (which obv does changes via API module).

    I have personally changed his password via WHM using both the sub form on the list accounts and the dedicated account password change page.

    They would enable the new passwords to work but the old passwords still work (currently he can use 3 passwords to login).

    I spoke with support for where I get my server/cPanel from; their solution was to change password from command line using /scripts/chpass. They did this and I did this, and it appeared to stop the old passwords working.

    The client then changed the random gen password which I changed it to to his own... but apparently now the 3 passwords still work and allow login to the account.
     
  4. cPanelDavidG

    I am unable to replicate this issue by using WHM's password modification feature.

    Things to check for:
    1. Is the customer closing their web browser after logging out? If you are using the default HTTP authentication, the user is logged in until they close their web browser.

    2. When logging in as the customer with their password, do you ever see a message at the top indicating they're logged in as a reseller?

    If the user is closing their browser and they aren't logging in with their username and a reseller's password (which can happen if a reseller has a weak or commonly used password), please submit a support ticket so we can see this happening on your server and determine the cause of this issue: http://tickets.cPanel.net/submit
     
  5. dansgalaxy

    I thought it could be password override too but it isn't. I'm root (and root pass is random gen and full strength) and I know the user's passwords... so that's not it.

    I have just logged in and out (and closed the browser between each try) with 3 different passwords on the account. No override notices shown so I'm fully confident this isn't a user side issue.

    Is it even possible for one account to have many same level (e.g., not override by reseller/root) passwords?

    EDIT: Just submitted a ticket, Request id is: 454218
     
    #5 dansgalaxy, Jul 8, 2009
    Last edited: Jul 8, 2009
  6. InterServed

    InterServed Well-Known Member

    Hint: If you are using RAID and one or more HDDs crashed -> system will turn them read-only (happens on VPSes mostly, from what I've seen in the past).
     
  7. dansgalaxy

    Not sure how that relates to the issue?
     
  8. Spiral

    Spiral BANNED

    MySQL, Mail, and FTP would be one thing but am I correct in assuming
    you are talking about cPanel / WHM / SSH passwords?

    For the latter, the passwords are related to the server so it doesn't make
    any sense that a changed password would still work unless an open session
    were carried forward perhaps (See files in /tmp) or a new account were
    created but then that would have a new login.

    Does the user have duplicate entries in /etc/passwd? :confused:

    (/etc/shadow .... same question)

    Interserved may have made that side RAID comment thinking that perhaps
    your user account files weren't getting updated but if that were the case
    then the new passwords would not work and logins would only work with
    the original unchanged passwords.

    I don't know, if it is as you say, there is something definitely really screwy
    going on with your server that does not make any logical sense without
    seeing things and digging into it first hand.
     
  9. dansgalaxy

    Right ok...

    Was on support ticket all yesterday with cPanel... think got it fixed.

    It appears that somehow the password algo for the server was changed from MD5 to DES so some passwords saved as MD5 (presumably those which haven't been changed in a while/since algo change)

    So I was instructed to change algo via command line and re-changed the user's password so saved as MD5.

    It appears the problem was because DES only allows a set number of characters and anything extra is ignored, so when my client changed his password to something he was just changing the last few chars, meaning the first x letters were the same.

    Now been corrected so hopefully won't have the issue again, was certainly a mind boggler. lol
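
An audit for the condition described in the last post, as an added example that is not part of the original thread or cPanel's own tooling: it finds accounts whose `/etc/shadow` entry is a traditional DES crypt hash and shows why several passwords can match one such hash. It assumes traditional DES crypt(3), which keys on the low 7 bits of the first 8 bytes of the password; the function names and the sample data are constructed for illustration.

```python
import re

# Traditional DES crypt(3) hashes: exactly 13 characters, no "$" prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512",
            "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}

def classify_hash(field):
    """Name the scheme of one /etc/shadow password field."""
    h = field.lstrip("!")              # a leading "!" only marks a locked account
    if h in ("", "*"):
        return "none"                  # no hash stored
    for prefix, name in PREFIXES.items():
        if h.startswith(prefix):
            return name
    return "des" if DES_RE.match(h) else "unknown"

def des_accounts(shadow_text):
    """Return the users whose stored hash is traditional DES."""
    users = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and classify_hash(parts[1]) == "des":
            users.append(parts[0])
    return users

def des_effective_key(password):
    """Traditional DES crypt keys on the low 7 bits of the first 8 bytes only."""
    return bytes(b & 0x7F for b in password.encode("utf-8")[:8])

def same_under_des(a, b):
    """True when DES crypt cannot tell the two passwords apart."""
    return des_effective_key(a) == des_effective_key(b)

# Constructed sample in /etc/shadow format; the hash strings are placeholders.
SAMPLE_SHADOW = """\
root:$6$CONSTRUCTED$AAAAAAAA:14433:0:99999:7:::
client1:abAAAAAAAAAAA:14433:0:99999:7:::
client2:$1$CONSTRUC$AAAAAAAAAAAAAAAAAAAAAA:14433:0:99999:7:::
locked1:!!:14433:0:99999:7:::
"""

if __name__ == "__main__":
    print("DES-hashed accounts:", des_accounts(SAMPLE_SHADOW))
    # Constructed passwords that differ only after the 8th character.
    print(same_under_des("Summer2009-old", "Summer2009-new"))
```

Any account the audit reports needs its password set again after the server's hashing scheme is corrected, because the stored DES hash stays in place until the next password change.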
     