Authentication integration between Virtualmin and external ticketing system

Hi Jamie,

Could you please read through the discussion on http://www.virtualmin.com/node/31096 that took place a year ago but hasn't been addressed yet? I would like to file an issue to request a new Virtualmin feature that makes it possible for the users of external ticketing, billing systems, customer portals to log in to their respective Virtualmin accounts without entering passwords.

I am copy&pasting my own post from the above discussion page:

For example, Siteground has a very nice integration of cPanel into its customer portal system. If you log in to their profile management, ticketing and billing system at https://ua.siteground.com/login.htm then you will see http://virtualmin.com/files/screen1_1.jpg . If you click on the "Go to cPanel" button then you find yourself in cPanel without having to deal with authentication: http://virtualmin.com/files/screen2_0.jpg . Thus Siteground customers don't have to deal with multiple authentications; they log in to a single portal where they have access to everything, including a server and website management UI such as cPanel. It would be just wonderful if we could have similar functionality for Virtualmin.

When I click on "Go to cPanel" button on SiteGround portal then I automatically authenticate into cPanel and see URL like: https://securem19.sgcpanel.com:2083/cpsess6889100515/frontend/Crystal/in...

So I guess they utilize sessions for authentication, which expire when you click Logout or after some time period. Why not implement such a feature for Virtualmin?

Let's not fall behind what is possible with cPanel. According to http://www.virtualmin.com/documentation/cloudmin/devel/remote it is possible for external scripts to authenticate by indicating the username and password in the script one-liner:

wget --http-user=root --http-passwd=smeg 'https://yourserver:10000/server-manager/remote.cgi?program=list-systems'

but I would like to give this feature to real users, not scripts. I understand that GET would reveal passwords in the URL and thus represent a security risk, but feeding usernames and passwords in POST forms would be perfectly safe. What do you think?

Thanks for consideration!

Status: Closed (works as designed)

Comments

Howdy -- I spoke to Jamie about this, and while Virtualmin doesn't support any sort of token system, it is possible to pass a username and password as either a GET or POST parameter.

That can be passed in to the "/session_login.cgi" program in order to authenticate.

Would that do what you're after?

Works perfectly well! I don't know why I didn't try it before; I probably wanted to get the method confirmed with you and didn't know the script's name, /session_login.cgi. I think we can mark this as closed since it is possible to feed the username and password to the authentication page.

Thanks!

Sorry, I have to open this again, because it turned out that the method given above works only if a user had been authenticated manually before. If a user tries to log in with this method for the first time, then it gives:

Error - No cookies

Your browser does not support cookies, which are required for this web server to work in session authentication mode

even with cookies turned on. Apparently, this method needs a session to pre-exist.

Would be really nice to provide users automatic authentication to Virtualmin within external ticketing system. Is there any other way?

Ah, try adding this parameter to the file /etc/webmin/miniserv.conf:

no_testing_cookie=1

And then restart Webmin with:

/etc/init.d/webmin restart

This does not work anymore. Is it because of the introduction of Authentic Theme or something else? Can you explain how exactly we can automatically log in our users to their Virtualmin accounts?

In fact, it works only if you put a direct hyperlink like, https://domain.com:10000/session_login.cgi?user=root&pass=SDskjdksd and that's not secure. However, when using post method in a simple form like below:

<form action="https://domain.com:10000/session_login.cgi" method="post">
  Username: <input type="text" user="user" value="root"><br>
  Last name: <input type="text" pass="pass" value="SDskjdksd"><br><br>
  <input type="submit" value="Submit">
</form>

unfortunately, it does not work. Jamie, could you please elaborate how we could get users authenticated to their Virtualmin account without revealing their passwords in URL?

Actually a form like that should work - what error message are you getting?

It is really easy to run a couple of tests on your side to see that it is not giving any errors; it is just not working when the form is submitted, but it works with a direct URL. And we really do not want to expose passwords through direct URLs, but at the same time we would like our customers to feel no less comfort than users of cPanel, which can be integrated into external ticketing or billing systems as shown in the SiteGround example.

Is that HTML above actually what you're using? Because it looks incorrect ... the inputs should be:

  Username: <input type="text" name="user" value="root"><br>
  Last name: <input type="text" name="pass" value="SDskjdksd"><br><br>

BTW, I did a test with correctly named HTML inputs, and it worked.

Status: Active » Closed (works as designed)

Jamie, thank you very much for giving the correct code. It works wonderfully!
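
The thread points out that a direct link such as /session_login.cgi?user=...&pass=... puts the password in the URL, where it ends up in any log that records the request line. The following is an added example, not code from the thread or from Virtualmin: it scans access-log lines for such logins so the affected passwords can be rotated and the lines redacted. It assumes a Common/Combined Log Format request field; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Matches the value of a pass= query parameter so it can be masked
PASS_VALUE_RE = re.compile(r'([?&]pass=)[^&\s"]*')


def find_url_credentials(lines):
    """Return (line_no, user, redacted_line) for every session_login.cgi
    request whose query string carries a 'pass' parameter."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.endswith("/session_login.cgi"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        if "pass" not in params:
            continue  # form POSTs carry the password in the body, not the URL
        user = params.get("user", ["?"])[0]
        # Mask the password before the line is displayed or stored again
        redacted = PASS_VALUE_RE.sub(r"\1[REDACTED]", line)
        findings.append((line_no, user, redacted))
    return findings


# Constructed sample lines (log format assumed; addresses and dates invented)
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2015:10:01:22 +0000] '
    '"GET /session_login.cgi?user=root&pass=SDskjdksd HTTP/1.1" 302 0',
    '203.0.113.7 - root [12/Mar/2015:10:01:23 +0000] '
    '"GET /virtual-server/index.cgi HTTP/1.1" 200 5120',
    '198.51.100.4 - - [12/Mar/2015:10:05:40 +0000] '
    '"POST /session_login.cgi HTTP/1.1" 302 0',
    '198.51.100.9 - - [12/Mar/2015:10:09:02 +0000] '
    '"GET /session_login.cgi?pass=example-pw&user=alice HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line_no, user, redacted in find_url_credentials(SAMPLE_LOG):
        print(f"line {line_no}: password for '{user}' was logged in a URL")
        print(f"  {redacted}")
```

The POST login on the third sample line is not flagged, because its credentials travel in the request body rather than in the logged request line.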