Roadmap

N

nick-a

Verified User
Joined
Feb 23, 2007
Messages
49
Can I request that DA creates a sticky thread here please with a roadmap of what feature requests you've accepted or other features you are planning to add? Not expecting ETA's or anything, just what to expect in the next version or two.

Some of us are planning migrations but looking for certain features first, such as autologin is important for the shared hosting servers (different market and all that), but not so important for VPS/dedicated customers etc.
 
At the moment I can just honestly say that all the things 'missing' (as DA has a different feature set) have the highest priority :) Including auto-login to phpMyAdmin.
 
smtalk said:
At the moment I can just honestly say that all the things 'missing' (as DA has a different feature set) have the highest priority :) Including auto-login to phpMyAdmin.
Click to expand...

If you add autologin to phpMyAdmin, it is very important that it will still be possible to login manually at server.hostname.com/phpmyadmin - that is a must that it still continue to be possible. For example many customers have many databases in their account, then they login to phpMyAdmin with the same username/password as their DirectAdmin account, the benefit then is that they have access to all the databases in ONE login. Also some customer would sometimes need to provide access to third party to login to phpMyAdmin, but at the same time they don't want to give access to DirectAdmin. So it is very important to keep the option to be able to login to phpMyAdmin manually at server.hostname.com/phpmyadmin - or you could add a option in directadmin.conf to disable autogin. Thank you.

Edit: The same goes for webmail, it is a MUST that it still will be possible to login manually at server.hostname.com/roundcube - if not, you must provide a option to disable autologin for webmail in directadmin.conf - many customers give out email accounts to their customers wich should not have access to DirectAdmin, and they must be able to login manually at server.hostname.com/roundcube
 
Last edited:
ditto said:
If you add autologin to phpMyAdmin, it is very important that it will still be possible to login manually at server.hostname.com/phpmyadmin - that is a must that it still continue to be possible. For example many customers have many databases in their account, then they login to phpMyAdmin with the same username/password as their DirectAdmin account, the benefit then is that they have access to all the databases in ONE login. Also some customer would sometimes need to provide access to third party to login to phpMyAdmin, but at the same time they don't want to give access to DirectAdmin. So it is very important to keep the option to be able to login to phpMyAdmin manually at server.hostname.com/phpmyadmin - or you could add a option in directadmin.conf to disable autogin. Thank you.

Edit: The same goes for webmail, it is a MUST that it still will be possible to login manually at server.hostname.com/roundcube - if not, you must provide a option to disable autologin for webmail in directadmin.conf - many customers give out email accounts to their customers wich should not have access to DirectAdmin, and they must be able to login manually at server.hostname.com/roundcube
Click to expand...

I don't think phpMyAdmin should be accessible directly from /phpmyadmin as this can be used for third parties to gain access to the database via bruteforce, even if the remote access to the database is disable. But to provide an option that satisfies everyone, you could just add an option in the DirectAdmin Panel at Admin Level to enable/disable direct access to /phpmyadmin.
 
ditto said:
If you add autologin to phpMyAdmin, it is very important that it will still be possible to login manually at server.hostname.com/phpmyadmin - that is a must that it still continue to be possible. For example many customers have many databases in their account, then they login to phpMyAdmin with the same username/password as their DirectAdmin account, the benefit then is that they have access to all the databases in ONE login. Also some customer would sometimes need to provide access to third party to login to phpMyAdmin, but at the same time they don't want to give access to DirectAdmin. So it is very important to keep the option to be able to login to phpMyAdmin manually at server.hostname.com/phpmyadmin - or you could add a option in directadmin.conf to disable autogin. Thank you.

Edit: The same goes for webmail, it is a MUST that it still will be possible to login manually at server.hostname.com/roundcube - if not, you must provide a option to disable autologin for webmail in directadmin.conf - many customers give out email accounts to their customers wich should not have access to DirectAdmin, and they must be able to login manually at server.hostname.com/roundcube
Click to expand...

agreed. I see it as an added option as well.
 
cenourinha said:
I don't think phpMyAdmin should be accessible directly from /phpmyadmin as this can be used for third parties to gain access to the database via bruteforce, even if the remote access to the database is disable. But to provide an option that satisfies everyone, you could just add an option in the DirectAdmin Panel at Admin Level to enable/disable direct access to /phpmyadmin.
Click to expand...

Just a FYI on this that CSF blocks these attempts to /phpmyadmin, /roundcube (/webmail) automatically by default :) It's integrated into BFM too. But I totally see your point on systems without any protection.
 
cenourinha said:
I don't think phpMyAdmin should be accessible directly from /phpmyadmin as this can be used for third parties to gain access to the database via bruteforce, even if the remote access to the database is disable. But to provide an option that satisfies everyone, you could just add an option in the DirectAdmin Panel at Admin Level to enable/disable direct access to /phpmyadmin.
Click to expand...
I really do not like AUTO-LOGIN to anything TBH....... If admins need to access databases, use the da_admin login to phpmyadmin...... That's what I do....

If you are worried about security if this AUTO-LOGIN does appear, then force ALL clients to use 2FA/Keys to Directadmin......
 
Last edited:
Peter Laws said:
I really do not like AUTO-LOGIN to anything TBH....... If admins need to access databases, use the da_admin login to phpmyadmin...... That's what I do....

If you are worried about security if this AUTO-LOGIN does appear, then force ALL clients to use 2FA/Keys to Directadmin......
Click to expand...

That doesn't work when you're using something like Ezeelogin to manage a larger number of servers and have multiple staff, maintaining a long list of da_admin passwords for everyone is far from ideal.

Plus, half our shared hosting customers don't even know their own hosting account login details, let alone individual mysql users.

If it's possible for this feature to be enabled/disabled at the admin level then I really can't see what the problem is.
 
Peter Laws said:
I really do not like AUTO-LOGIN to anything TBH....... If admins need to access databases, use the da_admin login to phpmyadmin...... That's what I do....

If you are worried about security if this AUTO-LOGIN does appear, then force ALL clients to use 2FA/Keys to Directadmin......
Click to expand...

The Auto-Login doesn't change anything in terms of security. If you already have access to the DirectAdmin User Account, you can simply:

  • Add new user to the database and gain access
  • Change the password of the actual Database User and gain access
  • Lookup for the Database User password on scripts configuration files using File Manager

The 2 Factor Authentication is a great feature, but customers will never use that in the first place. We can force the option, but most of the customers will not be happy and you will end up for loosing those customers.
 
nick-a said:
Plus, half our shared hosting customers don't even know their own hosting account login details, let alone individual mysql users.
Click to expand...
Exactly, this is why password123 is one of the top passwords.....

Being serious, it's 2019, if people can't handle passwords etc, they shouldn't be on the internet.
 
I think we need to define which level we are speaking of? admin or user.

I just want to be sure I follow this.. If I am a user logged on to my DA account. Why should I have to log in again to webmail or pma? If I own the account the emails are all mine. It should just use the stored password and open. Same for PMA I own the user account.

I was reading this from Ditto
login manually at server.hostname.com/phpmyadmin
Click to expand...
Is this only for Users or Admin level? I actually don't want this at the admin level. So we may need separate options for all of this. I would not want PMA available to the general outside. I want users to have to login to DA to see PMA.

Webmail should be allowed to be both subdomain or regular dir structure.
 
Peter Laws said:
Exactly, this is why password123 is one of the top passwords.....

Being serious, it's 2019, if people can't handle passwords etc, they shouldn't be on the internet.
Click to expand...
I am down with passwords and 2fa is a option. Maybe we need an option to let the hoster choose 2fa as required or not?
 
@DirectAdmin Support and @smtalk: I must be very clear on this. You can't remove outside access to phpMyAdmin and Roundcube webmail without giving us a option to enable that (and/or disable autologin). We have customers that create email accounts and give to their clients, wich they do not give access to DirectAdmin control panel, so they need to be able to log into webmail outside of DirectAdmin. Also as said before, we also need to keep phpMyAdmin available outside of DirectAdmin. Customers and third party need to be able to login to phpMyAdmin without the need to log into DirectAdmin.

We need phpMyAdmin and Roundcube webmail to continue to be available at server.hostname.com, that is a absolute MUST. You can't just remove a feature like that and expect everyone to be happy about it. No problem if you remove it as default, as long as it will be possible to enable access to phpMyAdmin and Roundube webmail in directadmin.conf, and also be possible to disable autologin to phpMyAdmin and Roundcube webmail.
 
ditto said:
Customers and third party need to be able to login to phpMyAdmin without the need to log into DirectAdmin.
Click to expand...

Having phpMyAdmin available to third parties can represent a security risk, so i think this should be disabled by default but possible to enable for those who really want it.

I would disable this option in our installations. If someone needs to provide third party access to databases without sharing the DirectAdmin Credentials, they can just add the third party IP Address to the Access Hosts list.
 
We have customers that create email accounts and give to their clients, which they do not give access to DirectAdmin control panel, so they need to be able to log into webmail outside of DirectAdmin.
Click to expand...
Agreed No issue for me.
You can't remove outside access to phpMyAdmin and Roundcube webmail without giving us a option to enable that (and/or disable autologin)
Click to expand...
Agreed No issue for me.

I think its ok.. We just need more options.

Users inside DA autologin PMA webmail directadmin.conf 0 or 1

Admins inside DA autologin PMA webmail directadmin.conf 0 or 1

PMA on to outside directadmin.conf 0 or 1 > on by default.

Webmail off to outside directadmin.conf 0 or 1 > on by default.

Is this sounding close... we just have to keep talking and communicating..:cool:
 
so they need to be able to log into webmail outside of DirectAdmin
Click to expand...
I fully agree.

As for phpmyadmin I don't mind. I don't know or see any good argument why users should be able to access it from outside the panel. But if it can be made switchable to make everybody happy, it's oke by me too.
 
What user are people going to be "auto" logging into phpMyAdmin and Webmail with?

Webmail for non-DirectAdmin users is a most... is this seriously being talked about being removed?

But phpMyAdmin... how big of a case is this for non-DirectAdmin users? Why not just install phpMyAdmin on the publicly accessible area of the web hosting account for accounts that need this functionality? I'm really not aware of any cases where any of our users need access to phpMyAdmin outside of their control panel... but maybe that's just me... and maybe I'm forgetting someone. But if they do need it... they would have had to have installed phpMyAdmin on their own some where publicly accessible.

I suppose you could make the argument for Roundcube and webmail as well... but webmail is much more common place. There are a lot of web hosting clients that create email accounts for their friends, families, or colleagues and a lot of them access webmail on the account. Could these web hosting accounts installed Roundcube themselves on their domain name? Sure. But pretty much every web hosting account is going to have to do that, which is why I'd advocate leaving webmail accessible server-wide by default.

But I don't know if I see the case for phpMyAdmin being server-wide publicly accessible. You may be opening up a case where this benefits 1 out of every 1000 users... I'm not sure if it's worth it.

But if you want to spend the time offering this... that's fine by me. Just give us the option to disable it server-wide.
 
You must log in or register to reply here.
Back
Top