Chris74 Posted January 5, 2019

This may be a really dumb question but I'm a little confused about something relating to the use of the API tokens in the server setup. Correct me if I'm wrong, but the idea of using the API tokens instead of a full root password is that it provides more security, so that WHMCS can only perform the tasks it needs without having full root access. If I want, I can configure all our servers in WHMCS with the root username and password and it will perform all functions needed - but I'm taking a risk by doing that. So using the API token with only certain privileges would seem to be a sensible solution.

The problem I'm having is with the "Login to WHM" button on the server setup page. When using an API token, I have not provided the root password, therefore any connection made by WHMCS should only be allowed to perform the functions listed in the API token - however, I can simply click this button which will send me through to any server where I will have full root access, seemingly negating the need for tokens and privileges.

A username must be provided - WHMCS won't connect to a server using a token unless a username is provided. So if the root user is specified, I assume this simply allows full root access anyway.

I assume this is due to the privilege "create-user-session" being set - which could be just as powerful as having the root password anyway - in fact, all a token needs is that privilege to allow anyone root access in a single command, simply by specifying the root username.

As tokens are not stored encrypted, doesn't this make the use of tokens less secure than using a password, which is encrypted in the database?

I don't really want to pass through to WHM from WHMCS - so perhaps I can remove "create-user-session" without this affecting the functionality of the cPanel module?
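One way to check for the situation described in this post, as an added example that is not code from the thread, from WHMCS or from cPanel: a small Python audit over a token inventory that flags any token whose privilege list contains an ACL that is effectively root, and shows what the trimmed privilege list would look like. The record shape (`name` plus a list of `acls`) and the sample token names are assumptions made for the example; a real inventory would come from WHM's own token listing (api_token_list in WHM API 1), whose field names may differ.

```python
"""Audit WHM API tokens for privileges that are as powerful as root.

Added example, not code from the forum thread, WHMCS or cPanel. The token
record shape {"name": ..., "acls": [...]} is an assumption; map the real
api_token_list response onto it before use.
"""
from typing import Dict, List

# ACLs that, on their own, hand the token holder root-level power:
# "all" is the unrestricted ACL, and "create-user-session" lets the holder
# mint a logged-in WHM session for any account, root included (the
# privilege the post above is concerned with).
ROOT_EQUIVALENT_ACLS = {"all", "create-user-session"}

# Constructed sample inventory; names and ACL sets are made up for the example.
SAMPLE_TOKENS: List[Dict] = [
    {"name": "whmcs-billing",
     "acls": ["create-acct", "suspend-acct", "create-user-session"]},
    {"name": "monitoring", "acls": ["status", "show-bandwidth"]},
    {"name": "legacy-admin", "acls": ["all"]},
]


def audit_tokens(tokens: List[Dict]) -> Dict[str, List[str]]:
    """Return {token_name: [root-equivalent ACLs]} for every token that has any.

    Tokens whose ACL list is free of such entries are omitted from the result.
    """
    findings: Dict[str, List[str]] = {}
    for tok in tokens:
        offending = sorted(set(tok.get("acls", [])) & ROOT_EQUIVALENT_ACLS)
        if offending:
            findings[tok["name"]] = offending
    return findings


def trimmed_acls(token: Dict) -> List[str]:
    """ACL list for one token with the root-equivalent entries removed.

    Order is preserved so the result can be compared against the original.
    An "all" token is left empty: it has to be re-issued with explicit ACLs.
    """
    return [acl for acl in token.get("acls", []) if acl not in ROOT_EQUIVALENT_ACLS]


def report(tokens: List[Dict]) -> str:
    """Human-readable summary, one line per flagged token."""
    lines = []
    for name, bad in audit_tokens(tokens).items():
        tok = next(t for t in tokens if t["name"] == name)
        lines.append(f"{name}: root-equivalent ACLs {bad}; "
                     f"least-privilege set would be {trimmed_acls(tok)}")
    return "\n".join(lines) if lines else "no root-equivalent tokens found"


if __name__ == "__main__":
    print(report(SAMPLE_TOKENS))
```

Run against a real inventory, a non-empty report is the list of tokens that, if the plaintext token value leaked, would give the holder the same reach as the root password; the `trimmed_acls` output is the starting point for re-issuing each one with only the ACLs the integration actually calls.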
Chris74 Posted January 30, 2019 (Author)

I'm right. API tokens on their own present a serious security risk. Anyone gaining access to this unprotected, simple text file will gain full root access. On its own, the API token is far less secure than using a simple encrypted password. I don't believe WHMCS understand that you need more than just the token on its own. There should be multiple separate layers of security in place.

It should also be mentioned that cPanel's "API Tokens" are not tokens - it's just an API key. It doesn't expire or change and it isn't used to authenticate. See this... https://nordicapis.com/why-api-keys-are-not-enough/