Skip to main content

CLI with 2FA enabled

Comments

7 comments

  • Flaio
    Its a bit early, but after more searching, if feels to me that the cpanel devs have not implemented or are unable to understand how to do this in a way that maintains the improved security by way of automated script running on the very server its connecting to. Seems to me to be something needing improvement and I am forced to either not run the script and do things manually or downgrade login security. The latter of which is never acceptable. Edit - The tfa_validated_securitytoken is mentioned in the following link but looks like auto script will still crash and burn with 2fa enabled and no apparent way to do anything automatic like this with 2fa enabled
    0
  • Flaio
    Have you had an opportunity to look at the following:
    0
  • Flaio
    Update - Yes, uapi CLI did work out quite nicely plus 2FA can stay enabled now. Took a lot of searches though. A whole day of searching for stuff :-D
    0
  • cPanelLauren
    Hi @Flaio I'm really happy to hear that! Thanks for letting us know!
    0
  • rinkleton
    Update - Yes, uapi CLI did work out quite nicely plus 2FA can stay enabled now. Took a lot of searches though. A whole day of searching for stuff :-D

    I'd like some clarification on this. I'm assuming this worked for you because it sounds like the cPanel account has 2fa enabled, but you either authorized with the root account (which never has 2fa)... or with a WHM account that does not have 2fa enabled? So this would mean that if both the cPanel and WHM accounts have 2fa enabled then the API call MUST send a OTP? It seems like 2fa does not apply to the whm and cpanel apis, but does apply to the uapi?
    0
  • rinkleton
    Also. with the UAPI, the only way I got it to work right is if I used the cpanel account's username in the auth but the root or whm reseller's password (I don't remember which). I remember it being kind of funky. Ultimately I want to auth against a higher credential set, but act as the lower level user (which I may not have their credentials including 2fa). If the user has 2fa enabled, it looks like we must pass their OTP. We don't have their key, so we can't produce the OTP. I've had to disable 2fa for all cpanel accounts because of this. I would argue that 2fa in an api setting defeats the purpose because both factors need to be present in the same place at the same time. This creates 1 point of failure.
    0

Please sign in to leave a comment.