New Major Feature - Login Keys

DirectAdmin Support

Hello,

For DirectAdmin 1.40.2, there will be a very useful new feature called "Login Keys".
http://www.directadmin.com/features.php?id=1298

They basically act as additional passwords, except they can be heavily restricted based on several criteria:
- Number of Uses
- Expiry Date
- IPs or IP ranges that are allowed to use them
- Commands they are allowed to run

The main purpose for this feature is to allow any API script to connect to your DA account, to do whatever it needs to do, but to do so more securely, without needing to give out your main password.

Main applications:
- Multi Server Setup
- Billing Software
- Local Scripts

It's also possible to use the password for the main interface for temporary access (eg: technical support). The expiry, IP restrictions, and ability to automatically delete the key once it's finished, make it handy for this purpose.

If you'd like to try it now, grab the latest pre-release binaries:
http://help.directadmin.com/item.php?id=408

Note that it's still in beta testing, as it's quite new, so there may be bugs.

John
 
Hello,

I've finally done some first tests, so this is what I've found out:

1. I created a key for admin, with secretkey as a Key Value. So I'll have admin as a login, and secretkey as a password.

2. I've allowed these commands only:

Code:
CMD_API_DNS_ADMIN
CMD_DNS_ADMIN
CMD_LOGIN
CMD_LOGOUT

I need CMD_LOGIN, as without it it seems not possible to get through authorization.

3. And now when I try to log in to

http://server.powered-by.da:2222/

I fail, and it seems to be OK. Right? As HTM_INDEX is not within allowed.

OK, now I tried

http://server.powered-by.da:2222/CMD_DNS_ADMIN

and I managed to log in. But as soon as I click a link I have to enter my login and password again. I guess it's OK if used with the API. But what have I missed? What command should be allowed to make use of cookies, or what else is needed to keep me logged in? Or is that how it's designed to work?
 
Hello,

HTM commands are not part of the allowed list... and not currently available in the list.

If you run DA in debug mode, when accessing /, you'd see this error
Code:
1.2.3.4 attempted to login as admin using login_key test, but the command () is not in the key's allowed list.
Perhaps I could add a checkbox like "Allow this key to access HTM files"?
Should be sufficient, if you're looking to let someone else actually login to the interface.

John
 
Hello John,

Perhaps I could add a checkbox like "Allow this key to access HTM files"?

I guess it is reasonable, as we (and somebody else) might need to create a key for a real user (with limited access), who will work with DirectAdmin in a browser.


Regarding the previous issue I wrote about:

But as soon as I click a link I have to enter my login and password again. I guess it's OK if used with the API. But what have I missed? What command should be allowed to make use of cookies, or what else is needed to keep me logged in? Or is that how it's designed to work?

I did not manage to reproduce it; now it seems I stay logged in without needing to enter a login and a key every time I visit a new page from the allowed list in a browser. So it seems it's working OK now, and it probably was an error on my side (a broken VPN session or routing and a mix of IPs within one session).


But I guess I've found a minor bug. If a key value somehow matches the password of the admin for whom I create the key, it won't be possible to log in with that key. Would it be reasonable to add a check for this to the form?
 
Another issue, or designed behavior which might mislead or confuse a little.
When creating a key we can limit the

Number of logins that can be used with this key.

But it actually counts not only logins, but all commands on the server. So when I want to access

/CMD_DNS_ADMIN?

it will be counted as 2 logins, and then when I choose a domain from the list, the action gets counted again, and so on.

So I guess it should either be redesigned to count only logins, i.e. accesses to CMD_LOGIN, or be worded differently, let's say:

Number of commands that can be used with this key.

Note, I did not check it within an API session, I've checked it in my browser.
 
Hello,

Thanks for the report, I've added a check to prevent a key value matching the current password.

Regarding the count, a call is a call, so if you login to CMD_LOGIN, then that counts as 1.
It's the same way for DA's brute force detection system on port 2222.
If you load the login page, it counts as 1 failed login before you've even submitted the request.

Every call to DA counts as 1 command, hence when using sessions, it uses up 2 to login, then make the CMD_DNS call.
When using the API (the original intention), no sessions are needed as the auth is sent in the httpd headers, thus it would only count as 1 call since CMD_LOGIN isn't needed.
I can see how it may seem somewhat confusing, but that's just the way it ended up.

On a side-note, another minor bug was found where using the API only allows a key value of up to 40 characters, despite the 64 character length the random button creates.
Was an easy fix, but would also cause confusion as to why it's not working.

Note that I put a full list of debug output into DA for this feature, so usually running DA in debug mode will tell you what's wrong.

I'm going to add the checkbox for running HTM files now.

John

Edit: I'll change the wording to use "commands" instead of "logins"
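The httpd-auth usage John describes above (the login key sent in the Authorization header, so no CMD_LOGIN session is needed and one request is one command), as an added example that is not DirectAdmin's own code. It assumes the server URL and user/key values from the thread, and the URL-encoded key=value response format of the CMD_API_* commands, with error=1&text=...&details=... on failure.

```python
"""Call a DirectAdmin CMD_API_* command with a login key via HTTP basic auth.

Added example, not DirectAdmin's code. Assumed: the host from the thread,
the user/key pair from the thread, and the key=value&key=value response
format (error=1&text=...&details=... when the call is refused).
"""
import base64
import urllib.parse
import urllib.request

DA_URL = "http://server.powered-by.da:2222"  # host used in the thread
HTTPD_AUTH_KEY_LIMIT = 40  # older 1.40.x binaries rejected longer keys over httpd-auth


def basic_auth_header(user: str, login_key: str) -> str:
    """Authorization value: the login key stands in for the account password,
    so the real password never leaves the calling script."""
    token = base64.b64encode(f"{user}:{login_key}".encode()).decode()
    return f"Basic {token}"


def key_fits_httpd_auth(login_key: str) -> bool:
    """True if the key is short enough for the unfixed 1.40.x httpd-auth path."""
    return len(login_key) <= HTTPD_AUTH_KEY_LIMIT


def parse_da_response(body: str) -> dict:
    """Turn DirectAdmin's URL-encoded response body into a dict."""
    pairs = urllib.parse.parse_qs(body, keep_blank_values=True)
    return {k: (v[0] if len(v) == 1 else v) for k, v in pairs.items()}


def is_error(resp: dict) -> bool:
    """DirectAdmin signals a refused or failed command with error=1."""
    return resp.get("error") == "1"


def call_api(command: str, user: str, login_key: str, params=None, base_url=DA_URL):
    """One CMD_API_* request = one command against the key's usage count.
    Only API commands are allowed here; HTM pages need a session and a key
    that explicitly permits them."""
    if not command.startswith("CMD_API_"):
        raise ValueError("only CMD_API_* commands are sent with httpd-auth here")
    query = "?" + urllib.parse.urlencode(params) if params else ""
    req = urllib.request.Request(f"{base_url}/{command}{query}")
    req.add_header("Authorization", basic_auth_header(user, login_key))
    with urllib.request.urlopen(req, timeout=10) as r:
        return parse_da_response(r.read().decode())


if __name__ == "__main__":
    # Live call; CMD_API_DNS_ADMIN is one of the commands allowed on the key in the thread.
    print(call_api("CMD_API_DNS_ADMIN", "admin", "secretkey"))
```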
 
Thank you John. I'll be back here in case I find anything else.

And sure, I'll use debugging.
 
If you have DirectAdmin up to date and an official skin (or an updated one), you should see Login Keys at every user level if Login Keys are enabled for the selected user.

If you can't find that for a user, edit the user and enable the Login Key feature.

Regards
 
Found it, you first have to enable this at CMD_MODIFY_RESELLER for the reseller, even when this is the admin reseller. Didn't think to look there in the first place since the CMD_LOGIN_KEYS page was accessible and operational for all the users, with "Login Keys OFF", anyway. Shouldn't the CMD_LOGIN_KEYS page show a:

Unable to show the login keys

Details

It has been disabled

page for these users, just like when things like system info aren't enabled?
 
Thanks John, maybe time to fix the:

Feb 8th, 2012 - 1.40.3
** BUG Found **
If you're using the httpd-auth login method (as most APIs do), there is a limit of 40 characters for the keys.
If your key value is more than 40 characters (the random button creates 64 character values), then the login will fail.
There are fixed binaries in the pre-release section which support the full 64 character length.
Session based logins with the keys are not affected by this bug.

bug as well while you're at it? For some reason it looks like that pre-release fix never made it through to the stable branch.
 
Whatever I did should be in the code... so if it doesn't work, we'd have to check.
Which actions were you running, and what errors are you getting?

Running DA in debug mode might show more info; also check the /var/log/directadmin/error.log.

John
 