WHM API tokens


This may be a really dumb question but I'm a little confused about something relating to the use of the API tokens in the server setup.

Correct me if I'm wrong, but the idea of using the API tokens instead of a full root password is that it provides more security, so that WHMCS can only perform the tasks it needs without having full root access.

If I want, I can configure all our servers in WHMCS with the root username and password and it will perform all functions needed - but I'm taking a risk by doing that. So using the API token with only certain privileges would seem to be a sensible solution.

The problem I'm having is with the "Login to WHM" button on the server setup page. When using an API token, I have not provided the root password, therefore any connection made by WHMCS should only be allowed to perform the functions listed in the API token - however, I can simply click this button which will send me through to any server where I will have full root access, seemingly negating the need for tokens and privileges.

A username must be provided - WHMCS won't connect to a server using a token unless a username is provided. So if the root user is specified, I assume this simply allows full root access anyway.

I assume this is due to the privilege "create-user-session" being set - which could be just as powerful as having the root password anyway - in fact, all a token needs is that privilege, to allow anyone root access in a single command, simply by specifying the root username.

As tokens are not stored encrypted, doesn't this make the use of tokens less secure than using a password, which is encrypted in the database?

I don't really want to pass through to WHM from WHMCS - so perhaps I can remove "create-user-session" without this affecting the functionality of the cPanel module?

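The post above turns on one question: which tokens on a server hold the "create-user-session" privilege (or the catch-all "all" ACL) and therefore amount to a root credential. The script below is an added example, not WHMCS or cPanel code, that audits a WHM server's tokens for exactly that. It assumes the WHM API 1 call `api_token_list` (which returns each token's name and ACL list) and the `Authorization: whm <user>:<token>` header that WHM accepts for token authentication; the embedded sample response is constructed to mirror that call's shape so the audit logic runs offline, and the token and ACL names in it are made up.

```python
"""
Audit WHM API tokens for privileges that are equivalent to root access.

Added example, not WHMCS or cPanel code. Assumes WHM API 1's
`api_token_list` call and the `Authorization: whm <user>:<token>` header.
The SAMPLE_RESPONSE below is constructed to match that call's output shape;
fetch_tokens() is only needed against a live server and is not run here.
"""
import json
import urllib.request

# ACLs treated as root-equivalent: the thread explains that
# "create-user-session" alone lets a caller open a root WHM session, and
# (assumption) the "all" ACL grants every privilege.
ROOT_EQUIVALENT_ACLS = {"all", "create-user-session"}


def fetch_tokens(host, user, token):
    """Call api_token_list on a live WHM host (port 2087). Network only."""
    req = urllib.request.Request(
        f"https://{host}:2087/json-api/api_token_list?api.version=1",
        headers={"Authorization": f"whm {user}:{token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_tokens(response):
    """Return one finding per token that carries a root-equivalent ACL."""
    findings = []
    tokens = response.get("data", {}).get("tokens", {})
    for name, info in tokens.items():
        acls = set(info.get("acls", []))
        risky = sorted(acls & ROOT_EQUIVALENT_ACLS)
        if risky:
            findings.append({
                "token": name,
                "acls": risky,
                "reason": "token can open a root WHM session",
            })
    return findings


# Constructed sample, shaped like an api_token_list response (names invented).
SAMPLE_RESPONSE = {
    "metadata": {"result": 1, "reason": "OK", "version": 1,
                 "command": "api_token_list"},
    "data": {
        "tokens": {
            "whmcs-billing": {
                "name": "whmcs-billing",
                "create_time": 1600000000,
                "acls": ["create-acct", "kill-acct", "suspend-acct",
                         "create-user-session"],
            },
            "monitoring-readonly": {
                "name": "monitoring-readonly",
                "create_time": 1600000000,
                "acls": ["list-accts", "show-bandwidth"],
            },
            "legacy-admin": {
                "name": "legacy-admin",
                "create_time": 1500000000,
                "acls": ["all"],
            },
        }
    },
}

if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_tokens(...)
    # to audit a real server.
    for finding in audit_tokens(SAMPLE_RESPONSE):
        print(f"{finding['token']}: {', '.join(finding['acls'])} "
              f"-> {finding['reason']}")
```

Against the sample, the "whmcs-billing" and "legacy-admin" tokens are reported and "monitoring-readonly" is not. Anything flagged is worth treating as a root password for storage and rotation purposes, which is the point the post makes about how WHMCS keeps the token.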

  • 4 weeks later...

I'm right. API tokens on their own present a serious security risk. Anyone gaining access to this unprotected, simple text file will gain full root access. On its own, the API token is far less secure than using a simple encrypted password. I don't believe WHMCS understand that you need more than just the token on its own. There should be multiple separate layers of security in place. It should also be mentioned that cPanel's "API Tokens" are not tokens - it's just an API key. It doesn't expire or change and it isn't used to authenticate.

See this...

https://nordicapis.com/why-api-keys-are-not-enough/
