Poll - Having access to client's passwords

Discussion in 'General Discussion' started by imagic, Aug 4, 2003.

Root should have access to each account's password

  1. I totally agree

    130 vote(s)
    54.4%
  2. I totally disagree, and my reasoning is in the below post

    80 vote(s)
    33.5%
  3. I don't care

    12 vote(s)
    5.0%
  4. We never have problems, so we don't need access to clients' accounts

    17 vote(s)
    7.1%
  1. royhobbs

    royhobbs Member

    Joined:
    Apr 30, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Utah
    I manage a server with about 550 accounts; the majority of them (probably over 500) are OSCommerce users. I also help them manage their oscommerce stores.

    When the accounts are set up in WHM I get an email containing their username and password. I find this very useful. However, if they change that password I get no notification.

    Why would I want this, some of you have asked? I handle all the technical support for these people, both on their cpanel accounts, as well as their shopping cart.

    Yes, you can log in to their cpanel as root, but certain functions are disabled, such as PHPMyAdmin. This makes it difficult to troubleshoot a variety of problems (there are other functions disabled as well...can't remember them all). So at that point I have to ask for a password from the user. (Unless someone knows a workaround for this) :(

    Yes, it's a hassle to ask them. Yes it may be a security risk to run passwords another way. I am no security expert by any means, so I can't speak on the subject too much, but if the server emails me the password on account creation, I would think it would be easy enough to do it on a change? Am I wrong? If so that's fine, I can live with it.

    However, I did want to let some people know the reasons for wanting to do something like this. For me, it would be a huge timesaver. Playing phone tag with users = inefficient for both of us. :)

    Thanks.

    Ben

  2. dadman

    dadman Member

    Joined:
    Sep 7, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Kansas
    If I want in, I can get in!

    I can access any user's account for any reason. In my TOS.

    I don't need their password to access the account. I have the root access and therefore have access to the entire server.

    dadman

  3. imagic

    imagic Well-Known Member Verified Vendor

    Joined:
    Jan 16, 2003
    Messages:
    156
    Likes Received:
    0
    Trophy Points:
    166
    Re: If I want in, I can get in!

    Yes, you have access to the whole server. So if a client says they can't access their account using an ftp program, how do you check it?

    If a client says they can't publish using frontpage, how do you check it?

    Just wondering.

  4. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    191
    Re: Re: If I want in, I can get in!

    I just make all my customers use the root password...

  5. imagic

    imagic Well-Known Member Verified Vendor

    Joined:
    Jan 16, 2003
    Messages:
    156
    Likes Received:
    0
    Trophy Points:
    166
    Haha! You are joking, aren't you? :eek:

  6. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    191
    Yeah.:p

  7. dadman

    dadman Member

    Joined:
    Sep 7, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Kansas
    I really do hope you are joking!

    When you set up an account, you set up a password; hopefully you are organized enough to keep a copy of the confirmation that you receive when you set up the account, it has the password. If the password has been changed you can change it via the WHM and still gain access as the user to check things out that they are having problems with.

    Ask the user if they can get into the Cpanel, if they can then they can access via FTP, FP, or telnet if allowed and FP is set up on the domain.

    Of course there is always the user that blocks their own IP address. (Yes, it happened!) It didn't rank up there with the angry customer demanding to know where the "Any" key was on his keyboard, but it was nearly as close and I still had to be picked up off the floor.

    Guys, they can build a better GUI, make it as idiot proof as humanly possible, and tomorrow they will introduce ID-10T Ver 12.1.

    At least this isn't as embarrassing as posting a problem on the WHM forum for the "Mailman Problem" only to find out that the domain owner had his domain pointed to the wrong servers. I worked on that issue for 4 days before I did a DNS lookup to find out what the real problem was, ID-10T Ver. 12.2.

    Learn one thing and learn it well, never take for granted that a user will ever read instructions, follow directions, or have any knowledge whatsoever about HTML, domain ownership, CGI, GUI, PHP, MySQL, DNS, Linux, DOS, or the Window$ OS that they have installed on their system. You are lucky if they have found the "Any" key, let alone had the ability to enter their payment information so that you get paid for hosting.

    Face it, WHM and Cpanel are Linux for morons. Thank God for both of them or I would never get any sleep.

    dadman

  8. Banana

    Banana Member

    Joined:
    Jan 31, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    151
    People tend to use the same passwords for a variety of the systems they access. Knowing their password would compromise the other accounts they have on other systems.

  9. efeito

    efeito Well-Known Member PartnerNOC

    Joined:
    Jul 24, 2003
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    .pt
    Yah,

    sometimes the problem is so obvious that you can't see it. I have a reseller that complains about ONE domain of his 15 domains that didn't work. I says that the problem was mine, that I make a mistake setting up the nameservers.

    I do all the checks, I ask for help on my datacenter support, I put everybody helping me to see where the problem is... After 2 or 3 days of research, someone remembers: did you see the domain status?

    Yes, the status of the domain was "Registrar-Hold".

    That's why the domain didn't work.

    About the passwords on Cpanel, my experience, 90% of the customers don't change it. I move some customers from another server by WHM with that "transfer from another server with login/pass". And I do it, account by account for 40 accounts, only 3 have changed the original password. And on my welcome email I suggest to them to change the password.

  10. drmuey

    drmuey Member

    Joined:
    Jun 10, 2003
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    151
    Yes, plain password is evil. What I've done is made it so a user says "I can't ftp/frontpage/cpanel because my password is wrong and I can't remember it." Well then they or I go to a form and fill in the domain and ask for the password.
    It adds their request to a database and sends an email to the main account email asking if they really want to do this and if they do they click on a link which has reference to the db entry previously mentioned and then they submit the form.

    Then a random password is generated, their account is changed to it and it is emailed to them. Then they can log in and change it to whatever they want.

    Doesn't that fix anything to do with lost passwords and still retain the security of undecryptable passwd's for our dear customers?

    Just my .02
    Dan

  11. yaax

    yaax Well-Known Member

    Joined:
    Jun 15, 2003
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    156
    Cpanel passwords seeing

    It is not secure to show users' passwords to the admin as is.
    But Cpanel and WHM MUST have a feature available for admin and for resellers - to be able to save encrypted users' passwords and change them, and after that restore them as is.
    This feature is a MUST - because there are very frequent situations when an admin or reseller needs to access users' accounts as regular users - for instance phpMyAdmin works only with the original user password, but on the other side it is not acceptable to change the user password every time - so there should be a mechanism for backup and restore of users' passwords in secure encrypted form.

  12. linuxman

    linuxman Well-Known Member

    Joined:
    Sep 20, 2003
    Messages:
    84
    Likes Received:
    0
    Trophy Points:
    156
    NeutralGold, am I missing something, how do you access a client's Cpanel. We recently had an issue that we thought we should take a look at an email address and I wanted to do it the easy way and go through cpanel, but I had no idea how to do this. Thanks in advance.
     
  13. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    191
    Login with their username and your root password.
     
  14. linuxman

    linuxman Well-Known Member

    Joined:
    Sep 20, 2003
    Messages:
    84
    Likes Received:
    0
    Trophy Points:
    156
    Thanks for the quick reply. I guess that's what the link is for in Cpanel. Thanks again.
     
  15. imagic

    imagic Well-Known Member Verified Vendor

    Joined:
    Jan 16, 2003
    Messages:
    156
    Likes Received:
    0
    Trophy Points:
    166
    Here's a perfect example of why we need the client's passwords. This is the reply I got from the cpanel folks about an issue we're having:

    Hello,

    Please provide me a login and password for a Control Panel that is not working. I am able to login with the root password for problemdomain.com Control Panel, however the normal password would be a lot more helpful.

    Thank you.
    --
    Kyle Pinkley
    kyle@cpanel.net
    Customer Support Representative
    cPanel, Inc.

    If storing the passwords in a non-encrypted format is what some people are worried about, why can't we store them encrypted with a password to get access to them?

    Nick, please, please, please, can this be an option for the majority of us who want access to the passwords?

    cPanel.net Support Ticket Number: 31553
  16. barliya

    barliya Registered

    Joined:
    Jan 19, 2004
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    151
    I'm new to hosting

    But how do you authenticate a user that wants to go into the member area of your site, while you want him to use the same user/pass he picked?

    Thanks,
    Avi
     
  17. HostIt

    HostIt Well-Known Member

    Joined:
    Feb 22, 2003
    Messages:
    151
    Likes Received:
    1
    Trophy Points:
    168
    You don't seem to understand that there are different types of encryption. The way the passwords are encrypted now, they cannot be decrypted. This is known as one-way encryption.

    You are suggesting storing passwords that *can* be decrypted. This is simply not acceptable to "the majority" of us, as it is far, far, FAR less secure.
     
  18. Steve-PWH

    Steve-PWH Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    166
    Worst idea in the history of bad ideas this one

    Passwords are hashed so the ONLY way to recover them is brute force and assuming it's a decent password that's gonna be a long long time to crack

    Let me explain how it's done

    Password is stored hashed (This can not be reversed as only the hash signature is stored)

    Customer logs into Cpanel, cpanel takes password and hashes it and compares that hash with stored one (Only the correct password will have that same hash)

    If match - Logged in

    For what you want the password would have to be stored either plain text (BAD IDEA) or reversible encryption (Better but hashing far more secure)

    So it's bad for security and it's bad for the customer cos they may use that password all over the shop so why should you be able to see it?

    Need access use root / reseller password

    Need to bug fix FTP or something needing account password? Reset it in WHM and inform customer to reset it back once you finished (Make sure they have valid email on record)

    Also people said about phpMyAdmin, Just login as root via WHM, damn

    Also you should advise customers at ALL times to change password on first use of Cpanel (put valid email in first though)

    I can not believe so many people voted yes. Like OMG u like being hacked? Even forums use one way hashing these days.

    BAD BAD BAD IDEA

    DO NOT IMPLEMENT INTO CPANEL PLZ

    *BTW i voted no :P
     
    #38 Steve-PWH, Mar 6, 2004
    Last edited: Mar 6, 2004
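
    Added example (not posted by anyone in this thread, and not cPanel's code): the hash-and-compare login described in the post above, together with the confirm-by-email reset to a random password described in post 10, so support never needs a recoverable copy of the customer's password. `AccountStore`, its method names and the PBKDF2 parameters are assumptions made for this sketch.

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password, salt=None):
    """Return (salt, digest). Only these two values are ever stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, stored):
    """Re-hash the candidate with the stored salt; compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)


class AccountStore:
    """Hypothetical store: account -> (salt, digest), plus pending resets."""

    def __init__(self):
        self.creds = {}
        self.pending = {}  # sha256(token) -> account; raw token is not kept

    def set_password(self, account, password):
        self.creds[account] = hash_password(password)

    def login(self, account, password):
        if account not in self.creds:
            return False
        return verify(password, *self.creds[account])

    def request_reset(self, account):
        """Create the one-time token that goes in the confirmation email."""
        token = secrets.token_urlsafe(32)
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = account
        return token

    def confirm_reset(self, token):
        """Valid token: set a random temporary password and return it once."""
        key = hashlib.sha256(token.encode()).hexdigest()
        account = self.pending.pop(key, None)
        if account is None:
            return None  # unknown or already-used token
        temp = secrets.token_urlsafe(12)
        self.set_password(account, temp)
        return temp
```

    Sending the mail and expiring stale tokens are left out; the token and the temporary password should each be mailed only to the address on record.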
  19. hostedzone

    hostedzone Member

    Joined:
    Aug 8, 2003
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Maine, USA
    After looking at the results of the poll and noting how many people do want this as an option but also understanding both the pros and cons, I'd suggest maybe making the option configurable from the Reseller settings so each Reseller can choose to enable or disable this option. Perhaps you could go a step further and if it is enabled have a section in the user's cpanel where they can 'Opt Out' of having the reseller/admin/root from being able to view their password.

    This would be the best option since so many people want this as a feature, but there are still a lot who do not.
     
  20. HostIt

    HostIt Well-Known Member

    Joined:
    Feb 22, 2003
    Messages:
    151
    Likes Received:
    1
    Trophy Points:
    168
    I really don't think you'll EVER see this feature, as it would simply open up way too big a security hole.
     