Roadmap

nick-a

Verified User
Joined
Feb 23, 2007
Messages
44
Can I request that DA creates a sticky thread here please with a roadmap of what feature requests you've accepted or other features you are planning to add? Not expecting ETAs or anything, just what to expect in the next version or two.

Some of us are planning migrations but looking for certain features first, such as autologin is important for the shared hosting servers (different market and all that), but not so important for VPS/dedicated customers etc.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,347
Location
LT, EU
At the moment I can just honestly say that all the things 'missing' (as DA has a different feature set) have the highest priority :) Including auto-login to phpMyAdmin.
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,469
At the moment I can just honestly say that all the things 'missing' (as DA has a different feature set) have the highest priority :) Including auto-login to phpMyAdmin.
If you add autologin to phpMyAdmin, it is very important that it will still be possible to log in manually at server.hostname.com/phpmyadmin - it is a must that this continues to be possible. For example, many customers have many databases in their account, and they log in to phpMyAdmin with the same username/password as their DirectAdmin account; the benefit then is that they have access to all the databases in ONE login. Also, some customers sometimes need to give a third party access to log in to phpMyAdmin, but at the same time they don't want to give access to DirectAdmin. So it is very important to keep the option to log in to phpMyAdmin manually at server.hostname.com/phpmyadmin - or you could add an option in directadmin.conf to disable autologin. Thank you.

Edit: The same goes for webmail: it is a MUST that it will still be possible to log in manually at server.hostname.com/roundcube - if not, you must provide an option to disable autologin for webmail in directadmin.conf - many customers give out email accounts to their customers, which should not have access to DirectAdmin, and they must be able to log in manually at server.hostname.com/roundcube
 

cenourinha

Verified User
Joined
Jun 27, 2019
Messages
27
If you add autologin to phpMyAdmin, it is very important that it will still be possible to log in manually at server.hostname.com/phpmyadmin - it is a must that this continues to be possible. For example, many customers have many databases in their account, and they log in to phpMyAdmin with the same username/password as their DirectAdmin account; the benefit then is that they have access to all the databases in ONE login. Also, some customers sometimes need to give a third party access to log in to phpMyAdmin, but at the same time they don't want to give access to DirectAdmin. So it is very important to keep the option to log in to phpMyAdmin manually at server.hostname.com/phpmyadmin - or you could add an option in directadmin.conf to disable autologin. Thank you.

Edit: The same goes for webmail: it is a MUST that it will still be possible to log in manually at server.hostname.com/roundcube - if not, you must provide an option to disable autologin for webmail in directadmin.conf - many customers give out email accounts to their customers, which should not have access to DirectAdmin, and they must be able to log in manually at server.hostname.com/roundcube
I don't think phpMyAdmin should be accessible directly from /phpmyadmin, as this can be used by third parties to gain access to the database via brute force, even if remote access to the database is disabled. But to provide an option that satisfies everyone, you could just add an option in the DirectAdmin Panel at Admin Level to enable/disable direct access to /phpmyadmin.
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
581
Location
Murfreesboro
If you add autologin to phpMyAdmin, it is very important that it will still be possible to log in manually at server.hostname.com/phpmyadmin - it is a must that this continues to be possible. For example, many customers have many databases in their account, and they log in to phpMyAdmin with the same username/password as their DirectAdmin account; the benefit then is that they have access to all the databases in ONE login. Also, some customers sometimes need to give a third party access to log in to phpMyAdmin, but at the same time they don't want to give access to DirectAdmin. So it is very important to keep the option to log in to phpMyAdmin manually at server.hostname.com/phpmyadmin - or you could add an option in directadmin.conf to disable autologin. Thank you.

Edit: The same goes for webmail: it is a MUST that it will still be possible to log in manually at server.hostname.com/roundcube - if not, you must provide an option to disable autologin for webmail in directadmin.conf - many customers give out email accounts to their customers, which should not have access to DirectAdmin, and they must be able to log in manually at server.hostname.com/roundcube
Agreed. I see it as an added option as well.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,347
Location
LT, EU
I don't think phpMyAdmin should be accessible directly from /phpmyadmin, as this can be used by third parties to gain access to the database via brute force, even if remote access to the database is disabled. But to provide an option that satisfies everyone, you could just add an option in the DirectAdmin Panel at Admin Level to enable/disable direct access to /phpmyadmin.
Just an FYI on this: CSF blocks these attempts to /phpmyadmin, /roundcube (/webmail) automatically by default :) It's integrated into BFM too. But I totally see your point on systems without any protection.
 

Peter Laws

Verified User
Joined
Sep 13, 2008
Messages
1,747
Location
London UK
I don't think phpMyAdmin should be accessible directly from /phpmyadmin, as this can be used by third parties to gain access to the database via brute force, even if remote access to the database is disabled. But to provide an option that satisfies everyone, you could just add an option in the DirectAdmin Panel at Admin Level to enable/disable direct access to /phpmyadmin.
I really do not like AUTO-LOGIN to anything TBH....... If admins need to access databases, use the da_admin login to phpmyadmin...... That's what I do....

If you are worried about security if this AUTO-LOGIN does appear, then force ALL clients to use 2FA/Keys to Directadmin......
 

nick-a

Verified User
Joined
Feb 23, 2007
Messages
44
I really do not like AUTO-LOGIN to anything TBH....... If admins need to access databases, use the da_admin login to phpmyadmin...... That's what I do....

If you are worried about security if this AUTO-LOGIN does appear, then force ALL clients to use 2FA/Keys to Directadmin......
That doesn't work when you're using something like Ezeelogin to manage a larger number of servers and have multiple staff, maintaining a long list of da_admin passwords for everyone is far from ideal.

Plus, half our shared hosting customers don't even know their own hosting account login details, let alone individual mysql users.

If it's possible for this feature to be enabled/disabled at the admin level then I really can't see what the problem is.
 

cenourinha

Verified User
Joined
Jun 27, 2019
Messages
27
I really do not like AUTO-LOGIN to anything TBH....... If admins need to access databases, use the da_admin login to phpmyadmin...... That's what I do....

If you are worried about security if this AUTO-LOGIN does appear, then force ALL clients to use 2FA/Keys to Directadmin......
The Auto-Login doesn't change anything in terms of security. If you already have access to the DirectAdmin User Account, you can simply:

  • Add new user to the database and gain access
  • Change the password of the actual Database User and gain access
  • Look up the Database User password in scripts' configuration files using File Manager

The 2 Factor Authentication is a great feature, but customers will never use that in the first place. We can force the option, but most of the customers will not be happy and you will end up losing those customers.
 

Peter Laws

Verified User
Joined
Sep 13, 2008
Messages
1,747
Location
London UK
Plus, half our shared hosting customers don't even know their own hosting account login details, let alone individual mysql users.
Exactly, this is why password123 is one of the top passwords.....

Being serious, it's 2019, if people can't handle passwords etc, they shouldn't be on the internet.
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
581
Location
Murfreesboro
I think we need to define which level we are speaking of? admin or user.

I just want to be sure I follow this.. If I am a user logged on to my DA account. Why should I have to log in again to webmail or pma? If I own the account the emails are all mine. It should just use the stored password and open. Same for PMA I own the user account.

I was reading this from Ditto
login manually at server.hostname.com/phpmyadmin
Is this only for Users or Admin level? I actually don't want this at the admin level. So we may need separate options for all of this. I would not want PMA available to the general outside. I want users to have to login to DA to see PMA.

Webmail should be allowed to be both subdomain or regular dir structure.
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
581
Location
Murfreesboro
Exactly, this is why password123 is one of the top passwords.....

Being serious, it's 2019, if people can't handle passwords etc, they shouldn't be on the internet.
I am down with passwords, and 2FA is an option. Maybe we need an option to let the hoster choose 2FA as required or not?
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,469
@DirectAdmin Support and @smtalk: I must be very clear on this. You can't remove outside access to phpMyAdmin and Roundcube webmail without giving us an option to enable that (and/or disable autologin). We have customers that create email accounts and give them to their clients, which they do not give access to the DirectAdmin control panel, so they need to be able to log into webmail outside of DirectAdmin. Also, as said before, we also need to keep phpMyAdmin available outside of DirectAdmin. Customers and third parties need to be able to log in to phpMyAdmin without the need to log into DirectAdmin.

We need phpMyAdmin and Roundcube webmail to continue to be available at server.hostname.com; that is an absolute MUST. You can't just remove a feature like that and expect everyone to be happy about it. No problem if you remove it as default, as long as it will be possible to enable access to phpMyAdmin and Roundcube webmail in directadmin.conf, and also be possible to disable autologin to phpMyAdmin and Roundcube webmail.
 

cenourinha

Verified User
Joined
Jun 27, 2019
Messages
27
Customers and third parties need to be able to log in to phpMyAdmin without the need to log into DirectAdmin.
Having phpMyAdmin available to third parties can represent a security risk, so I think this should be disabled by default but possible to enable for those who really want it.

I would disable this option in our installations. If someone needs to provide third party access to databases without sharing the DirectAdmin Credentials, they can just add the third party IP Address to the Access Hosts list.
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
581
Location
Murfreesboro
We have customers that create email accounts and give to their clients, which they do not give access to DirectAdmin control panel, so they need to be able to log into webmail outside of DirectAdmin.
Agreed. No issue for me.
You can't remove outside access to phpMyAdmin and Roundcube webmail without giving us an option to enable that (and/or disable autologin)
Agreed. No issue for me.

I think it's OK. We just need more options.

Users inside DA autologin PMA webmail directadmin.conf 0 or 1

Admins inside DA autologin PMA webmail directadmin.conf 0 or 1

PMA on to outside directadmin.conf 0 or 1 > on by default.

Webmail off to outside directadmin.conf 0 or 1 > on by default.

Is this sounding close... we just have to keep talking and communicating..:cool:
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,221
Location
Maastricht
so they need to be able to log into webmail outside of DirectAdmin
I fully agree.

As for phpMyAdmin, I don't mind. I don't know or see any good argument why users should be able to access it from outside the panel. But if it can be made switchable to make everybody happy, it's okay by me too.
 

sparek

Verified User
Joined
Jun 27, 2019
Messages
119
What user are people going to be "auto" logging into phpMyAdmin and Webmail with?

Webmail for non-DirectAdmin users is a must... is this seriously being talked about being removed?

But phpMyAdmin... how big of a case is this for non-DirectAdmin users? Why not just install phpMyAdmin on the publicly accessible area of the web hosting account for accounts that need this functionality? I'm really not aware of any cases where any of our users need access to phpMyAdmin outside of their control panel... but maybe that's just me... and maybe I'm forgetting someone. But if they do need it... they would have had to have installed phpMyAdmin on their own somewhere publicly accessible.

I suppose you could make the argument for Roundcube and webmail as well... but webmail is much more commonplace. There are a lot of web hosting clients that create email accounts for their friends, families, or colleagues and a lot of them access webmail on the account. Could these web hosting accounts install Roundcube themselves on their domain name? Sure. But pretty much every web hosting account is going to have to do that, which is why I'd advocate leaving webmail accessible server-wide by default.

But I don't know if I see the case for phpMyAdmin being server-wide publicly accessible. You may be opening up a case where this benefits 1 out of every 1000 users... I'm not sure if it's worth it.

But if you want to spend the time offering this... that's fine by me. Just give us the option to disable it server-wide.
 