cPanel & WHM Version 98 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

accesshash needs more security

cPanelPeter shared this idea 4 years ago
Not Planned

As server administrator, I would like to see more security added to the accesshash. Right now one can generate an accesshash file and it can then be used across multiple servers. There is nothing to tie it to a specific server, ip address, or user.


I think a better solution would be to tie it to a specific server by IP address for example so that only that specific server can use it. All others would simply fail the authentication.


Additionally, perhaps adding an expire value too may be beneficial. We may change our root password and other passwords periodically, but not many people remember to change the accesshash. By having an expire value, you can then set the accesshash to expire in 30 days (forcing you to generate a new one).

Best Answer
photo

cPanel & WHM's use of access hashes is deprecated, and this request will not be fulfilled. We recommend that users switch to Remote Access Keys at their earliest convenience. Some documentation to help that:

Developer Documentation

Video Introduction to the Manage API Tokens interface

Replies (10)

photo
1

Redelin.Tambem esta junto

photo
1

I would love to see this feature implemented, in case of possible data leakage from billing software or any other tool i wouldn't want that key to be used by anyone in the wild. Re-generating the keys is a must, but being able to limit the damage until the exploit is found should be of priority.

photo
1

This is a requirement!


Last year I had someone use an Exploit on my WHMCS installation that emailed the remote access key to a email of choice. This then allowed the user to login and change my server's configuration and breach the billing area. I lost time and money. I had to re-issue all of my SSL Certificates and change every password. This was a annoying task and a IP lock would have assisted in mitigating the attack. I have my billing area now on it's own private machine which, in itself, is near locked down allowing only HTTPS connections. Being able to lock down the access key to only its IP should be a easy feature to develop and will make my system near full proof.

photo
1

Yes please ! We already do this for ssh keys so it makes sense to be able to provide a list of authorised IP's.

photo
1

We limit root logins with PAM (/etc/security/access.conf), so that root can only login from certain IPs. Just as a precaution for possible brute forcing.


Would limiting whostmgr in tcpwrappers do this as well? I thought that the remote access hash is used only by WHM, so that should work, We already do this on servers without reseller clients, so that WHM is not accessible from anywhere but our office IP.


Add "whostmgr : IPADDR" to /etc/hosts.allow, and then add "whostmgr : ALL" to /etc/hosts.deny.

photo
1

This feature is a necessity. Cpanel needs to prioritize this feature as this will add a strong layer of security for the massive amount of potentially vulnerable billing systems out there.

photo
1

Now that we have API CLI commands, we should consider doing away with the access hash entirely, and move to running API commands over SSH only.

photo
2

While this request is not yet resolved, I wanted to point everyone to some work that we did in 62 as a step in resolving these concerns: remote access keys. This allows you to add many authentication keys, and manage those keys on an individual basis. Future plans include ACLs, IP limitations, and associating them with different (non-root) users.

photo
1

In version 68 we added a slew of new and updated permissions to the access key and reseller systems. Read about them in the 68 release notes: https://documentation.cpanel.net/display/68Docs/68+Release+Notes#id-68ReleaseNotes-NewACLsNewaccessprivileges

photo
1

cPanel & WHM's use of access hashes is deprecated, and this request will not be fulfilled. We recommend that users switch to Remote Access Keys at their earliest convenience. Some documentation to help that:

Developer Documentation

Video Introduction to the Manage API Tokens interface

Replies have been locked on this page!