Hello,
Here's a sneak peek at an upcoming feature called "Security Questions" (fairly self explanatory):
http://www.directadmin.com/features.php?id=1439
Accessed via:
Password Icon -> Manage Security Questions
It will allow any User to select multiple questions from a list, or create their own questions, and provide an easy-to-remember answer to these questions.
Upon logging into DirectAdmin, the User will be randomly asked one of their selected questions, and a valid answer must be provided.
Optionally, each incorrect answer will notify that User (can be disabled by the User).
A new, randomly chosen question is displayed if a wrong answer is given.
The client will be given 5 attempts to enter a correct value, after which their session will be deleted, and the User and all Admins will be notified.
Optionally, they can be added to the ip_blacklist, and the Admin can also set whether they'd like to give the client a warning about being added to the blacklist before the last attempt is given (else, after 5, they'll not be able to connect any longer).
Answers are Case-Sensitive!! (as they're crypt() encoded)
Another side-feature is the ability to shut-off the API for the account (when logging in directly with the user/pass), as an API call cannot use the Security Questions feature (easily), so they'd bypass the feature.
However, Login Keys and Session Keys will always be allowed to bypass the Security Questions.
1) If you have 0 Login Keys, you've got nothing to worry about.. and if you do, you can restrict who/what/where/howmanytimes, it can login, etc.. so no issue there.
2) Session Keys are for plugins to connect to the API using an already existing session (already passed the Security Question check), and they're only allowed from 127.0.0.1, so that's also fine.
This feature is already finished, and you're welcome to try it now by downloading the pre-release binaries:
http://help.directadmin.com/item.php?id=408
However, like all fresh new features, there may be bugs, as testing on this new feature has only been limited (but so far, so good).
SKINS:
It's recommended that anyone using a Custom Skin (not the included enhanced, default, or power_user) update their skin to a version that supports these changes (Can even be done and released before skin clients have the new version of DA)
If you don't... you'd run the risk of enabling the feature with a DA skin, changing skins to a non-supported version.. and when you login, ending up looking at a 404 page (which would be the form to submit the answer).
So skin designers, I'd recommend these new pages be added sooner than later.
John
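The attempt flow described in the post above, modelled as an added example (not DirectAdmin's code and not part of the original post). PBKDF2 stands in for crypt(); the class name, state names and event names are hypothetical.

```python
import hashlib, hmac, os, random

MAX_ATTEMPTS = 5  # from the post: 5 attempts, then the session is deleted

def hash_answer(answer, salt=None):
    # Stand-in for crypt(): salted one-way hash of the exact bytes,
    # which is why "Rex" and "rex" are different answers.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, 100_000)

class QuestionGate:
    """Hypothetical model of one login session's security-question check."""
    def __init__(self, answers, notify_each_fail=True,
                 blacklist_on_fail=True, warn_before_last=True, rng=None):
        self.stored = {q: hash_answer(a) for q, a in answers.items()}
        self.notify_each_fail = notify_each_fail    # User-controlled option
        self.blacklist_on_fail = blacklist_on_fail  # Admin-controlled option
        self.warn_before_last = warn_before_last    # Admin-controlled option
        self.rng = rng or random.SystemRandom()
        self.failures = 0
        self.events = []        # notifications/actions that would be triggered
        self.state = "pending"  # pending -> passed | session_deleted
        self.question = self._pick()

    def _pick(self):
        return self.rng.choice(sorted(self.stored))

    def submit(self, answer, ip):
        if self.state != "pending":
            return self.state   # a deleted session cannot be revived
        salt, digest = self.stored[self.question]
        if hmac.compare_digest(hash_answer(answer, salt)[1], digest):
            self.state = "passed"
            return self.state
        self.failures += 1
        if self.notify_each_fail:
            self.events.append(("notify_user", ip))
        if self.failures >= MAX_ATTEMPTS:
            self.state = "session_deleted"
            self.events.append(("notify_user_and_admins", ip))
            if self.blacklist_on_fail:
                self.events.append(("ip_blacklist", ip))
            return self.state
        if (self.blacklist_on_fail and self.warn_before_last
                and self.failures == MAX_ATTEMPTS - 1):
            self.events.append(("warn_blacklist_next", ip))
        self.question = self._pick()  # new random question after a wrong answer
        return self.state
```
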