Upcoming Features: Security Questions (SKINS)

DirectAdmin Support

Hello,

Here's a sneak peek at an upcoming feature called "Security Questions" (fairly self-explanatory):
http://www.directadmin.com/features.php?id=1439


Accessed via:
Password Icon -> Manage Security Questions

It will allow any User to select multiple questions from a list, or create their own questions, and provide an easy-to-remember value answer to these questions.
Upon logging into DirectAdmin, the User will be randomly asked one of their selected questions, and a valid answer must be provided.
Optionally, each incorrect answer will notify that User (can be disabled by the User).
A new, randomly chosen question is displayed if a wrong answer is given.
The client will be given 5 attempts to enter a correct value, after which their session will be deleted, and the User and all Admins will be notified.
Optionally, the client will be added to the ip_blacklist, and the Admin can also set whether they'd like to give the client a warning about being added to the blacklist before the last attempt is given (else, after 5, they'll not be able to connect any longer).

Answers are Case-Sensitive!! (as they're crypt() encoded)

Another side-feature is the ability to shut-off the API for the account (when logging in directly with the user/pass), as an API call cannot use the Security Questions feature (easily), so they'd bypass the feature.
However, Login Keys and Session Keys will always be allowed to bypass the Security Questions.
1) If you have 0 Login Keys, you've got nothing to worry about.. and if you do, you can restrict who/what/where/howmanytimes, it can login, etc.. so no issue there.
2) Session Keys are for plugins to connect to the API using an already existing session (already passed the Security Question check), and they're only allowed from 127.0.0.1, so that's also fine.


This feature is already finished, and you're welcome to try it now by downloading the pre-release binaries:
http://help.directadmin.com/item.php?id=408

However, like all fresh new features, there may be bugs, as testing on this new feature has only been limited (but so far, so good).


SKINS:
It's recommended that anyone using a Custom Skin (not the included enhanced, default, or power_user) update their skin to a version that supports these changes (Can even be done and released before skin clients have the new version of DA)
If you don't... you'd run the risk of enabling the feature with a DA skin, changing skins to a non-supported version.. and when you login, ending up looking at a 404 page (which would be the form to submit the answer).
So skin designers, I'd recommend these new pages be added sooner than later.

John
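
The login flow described in this post, modelled as an added example (not DirectAdmin's code). The class, method and event names are hypothetical, and PBKDF2 stands in for crypt() as an assumption; the five-attempt limit, the re-drawn question, the notifications and the optional blacklist warning follow the post.

```python
import hashlib
import hmac
import os
import random

MAX_ATTEMPTS = 5  # from the post: five tries, then the session is deleted

def _digest(answer: str, salt: bytes) -> bytes:
    # Stand-in for crypt() (assumption): exact bytes are hashed, so "Rex" != "rex".
    return hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, 50_000)

def enroll(answers: dict) -> dict:
    """Keep only (salt, digest) per question; the plaintext answer is never stored."""
    store = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        store[question] = (salt, _digest(answer, salt))
    return store

class Challenge:
    """Post-login gate: one randomly chosen question, re-drawn after each miss."""

    def __init__(self, store, notify_on_wrong=True, blacklist=False, warn=False):
        self.store, self.failures, self.events = store, 0, []
        self.notify_on_wrong, self.blacklist, self.warn = notify_on_wrong, blacklist, warn
        self.rng = random.SystemRandom()
        self.question = self.rng.choice(list(store))

    def answer(self, text: str) -> str:
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        salt, digest = self.store[self.question]
        if hmac.compare_digest(_digest(text, salt), digest):
            return "ok"
        self.failures += 1
        if self.notify_on_wrong:
            self.events.append("notify_user")
        if self.failures == MAX_ATTEMPTS:
            self.events += ["delete_session", "notify_user_and_admins"]
            if self.blacklist:
                self.events.append("add_to_ip_blacklist")
            return "locked"
        self.question = self.rng.choice(list(self.store))  # new random question
        if self.blacklist and self.warn and self.failures == MAX_ATTEMPTS - 1:
            return "retry_blacklist_warning"  # shown before the last attempt
        return "retry"
```
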
 
Hello,

Yes, the questions are asked after a valid login is completed.
The "question" page is part of the skin itself, so they will see the images, skins, etc.. but can't get any further until a valid answer is provided.

John
 
Parentheses

Found a very very small bug (or feature) in CMD_SECURITY_QUESTIONS. When you create a custom question with parentheses, you get this error:
Error setting Security Question

Details

Invalid characters in security question
while a couple of the default questions are allowed to have parentheses, for example:

"What is your oldest sibling’s birthday month and year? (e.g: January 1970)"
 
The ( and ) characters should be fine. I've added them to the list of allowed characters for Security Questions, for the next release.

John
 
Thanks! While you're at it, would it be possible to add a field with known IPs for which these security questions are skipped? This way you wouldn't have to answer the security question every time when you're in a known location.
 
In the current version of Directadmin (1.61.5) - not pre-release, is this Security Question option disabled by default in a new installation?

But I read here it's internally enabled by default: https://www.directadmin.com/features.php?id=1439

Also I have this in directadmin.conf -> security_questions=1 -> restart directadmin but still got this orange popup (in the screenshot).

I have no idea why this message popped up and couldn't find any other related settings to enable this. I searched for this error, but it doesn't seem to return much detail about what is going on here.

Steps to reproduce:
1) Login as admin -> Password -> Manage Security Questions
2) The orange notification appears (and DA redirects back to the dashboard) with the following error:

"Feature Disabled

This feature has been disabled. Please, contact your administrator"

Strange enough that I'm already the administrator of this account.

NEW THING:

Found this https://forum.directadmin.com/threads/this-feature-has-ben-disabled-unable-to-read-completely.58770/

Maybe I have to wait for the update.
 

Attachment: manage_security_questions.PNG
Do you have it enabled in user/reseller package?

This is a new installation, and there is no package created. It's just an admin account alone. In this admin account I also tested by switching between User & Reseller Access Level to see if I can create that security question, but unfortunately both access levels have the same error message when I click on it.

Also, even if I created a new package (TESTPACKAGE, I ticked everything) and added a new reseller account, this reseller account also has the same error. Then, using this reseller account, I created a user account; logging in with this user account also gives the same error.

Let me test the pre-release build.
 
If admin has no privilege, none of its created resellers/users will. Try modifying admin reseller from show all users list and see if it has it enabled.
 
Just to let you know with the pre-release build, I don't have this issue anymore.

Just now I finished reinstalling DA (using the stable release), then clicked on Manage Security Options -> the error appears.

So I updated DA using the pre-release and the error is gone! (Finally the Manage Security Question page appears.) I guess I have to wait for the next update. Also, I have made a server snapshot for the original problem, so I can revert back to the old backup. I'm now on the original problem and I will wait for the pre-release to migrate into the stable release. This is the pre-release version that fixed the issue:

Code:
[+] Directadmin beta version installed
Version: DirectAdmin v.1.61.5
Compiled on 'Debian 10.0 64-bit'
Compile time: Jan  1 2021 at 19:18:24
Timestamp: '1609553860'
Compiled with IPv6
Static binary: yes
commit sha: d4bd018d
gettext support: yes
gettext path: /usr/local/directadmin/data/lang
 
I tested this and the feature works in pre-release binary. I just found a tiny design issue: Question marks are escaped, thus e. g. the question

'How are you?' is displayed as
'How are you?'

in the list of stored questions.
 
It should be fine in pre-release now. Thank you for the report.
 
What else is more important than security nowadays?

My idea is that I see a Security Center in DA, not just third-party plugins.
I see it as a security center where there is an actual panel where you can see an overview of current threats and every kind of attack. Plus there should be virus / malware scanners, WordPress scanners and stuff all together, so when attacks occur you can see how they occur and also see what needs to be hardened in security.

Admin/Reseller/User, each one should have its own overview and settings.

Let's do it simple for all of us, so DA feels safe & inviting for all, old and new users.


Regards.

Vote here: Security Center - Feature requests - DirectAdmin Feedback
 
In the current version of Directadmin (1.61.5) - not pre-release, is this Security Question option disabled by default in a new installation?

But I read here it's internally enabled by default: https://www.directadmin.com/features.php?id=1439

Also I have this in directadmin.conf -> security_questions=1 -> restart directadmin but still got this orange popup (in the screenshot).

I have no idea why this message popped up and couldn't find any other related settings to enable this. I searched for this error, but it doesn't seem to return much detail about what is going on here.

Steps to reproduce:
1) Login as admin -> Password -> Manage Security Questions
2) The orange notification appears (and DA redirects back to the dashboard) with the following error:

"Feature Disabled

This feature has been disabled. Please, contact your administrator"

Strange enough that I'm already the administrator of this account.

NEW THING:

Found this https://forum.directadmin.com/threads/this-feature-has-ben-disabled-unable-to-read-completely.58770/

Maybe I have to wait for the update.
I am also having the same error.
 
Have you ever upgraded? I have followed the instructions, but I am still on the latest version in the end.

Currently the stable version v1.61.5 has the problem but the pre-release version v1.61.5 (same version number) has no problem. When you upgrade to pre-release version, you look at the compile date not the version number.

So when you run this:

Code:
cd /usr/local/directadmin
./directadmin o


You can look at the compile time (this is the stable release compile time)

Code:
Compiled on 'Debian 10.0 64-bit'
Compile time: Sep 29 2020 at 15:07:33
Timestamp: '1601413607'
Compiled with IPv6
Static binary: yes
commit sha: 207ef07b
gettext support: yes
gettext path: /usr/local/directadmin/data/lang


Where the one that fixed this problem has the pre-release code compiled on:

Code:
Compile time: Jan  1 2021 at 19:18:24
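
The check described in this post, as an added example (not part of the original post or of DirectAdmin): it parses the `./directadmin o` output and decides by build timestamp, because both builds report the same version number. The function names are hypothetical, the sample lines are copied from the two posts in this thread, and treating any timestamp at or after 1609553860 as containing the fix is an assumption.

```python
import re

# Build timestamp of the pre-release binary that this thread reports as working.
FIXED_BUILD_TS = 1609553860

FIELDS = {
    "version": r"^Version:\s*DirectAdmin v\.(\S+)",
    "compile_time": r"^Compile time:\s*(.+?)\s*$",
    "timestamp": r"^Timestamp:\s*'(\d+)'",
    "commit": r"^commit sha:\s*([0-9a-f]+)",
}

def parse_build_info(output: str) -> dict:
    """Extract the build-identifying fields from `./directadmin o` output."""
    info = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, output, re.MULTILINE)
        if match:
            info[name] = match.group(1)
    return info

def has_fixed_build(output: str) -> bool:
    """Decide by build timestamp; the version string is identical on both builds."""
    info = parse_build_info(output)
    if "timestamp" not in info:
        raise ValueError("no Timestamp line found; cannot identify the build")
    # Assumption: builds at or after the reported pre-release keep the fix.
    return int(info["timestamp"]) >= FIXED_BUILD_TS

# Output lines copied from the two posts in this thread.
STABLE = """Compiled on 'Debian 10.0 64-bit'
Compile time: Sep 29 2020 at 15:07:33
Timestamp: '1601413607'
commit sha: 207ef07b
"""
PRERELEASE = """Version: DirectAdmin v.1.61.5
Compile time: Jan  1 2021 at 19:18:24
Timestamp: '1609553860'
commit sha: d4bd018d
"""

if __name__ == "__main__":
    for label, text in (("stable", STABLE), ("pre-release", PRERELEASE)):
        print(label, parse_build_info(text), "fixed:", has_fixed_build(text))
```
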
 
Wao... I can now use the "Security Questions" feature. Thank you very much. Sorry for my bad English.
 