9

One of the cPanel servers I am running has constant troubles with compromised email accounts. I believe many of the users on this server have very weak passwords. I have increased the minimum password security, but that only takes effect when passwords are changed... Is there any way to force a one-time password change for all cPanel accounts and cPanel email addresses? This way I could force all users to generate new, secure passwords.


UPDATE: I have found that each account has files at ~/etc/domain.name/{passwd,shadow} which contain Unix-style passwd and shadow files for all email accounts. However, if I edit them manually I am still able to send email :-(

If I can locate the file which exim uses to authenticate users and mangle the passwords there, that would solve my issue...

Josh
  • Is there no way to invalidate passwords? – jcolebrand May 04 '12 at 15:20
  • That's what I am asking @jcolebrand... – Josh May 04 '12 at 15:31
  • Are you asking about how to reset all user passwords yourself, prompting the customers to apply for a lost password, or are you asking about how to force the users to change their password upon next login? – Joe May 04 '12 at 16:01
  • Either one would do @Joe. I was thinking the former: change all email account passwords to some random string, and require the account owners to reset them within the master account admin. But as long as I can somehow force all users to make their passwords secure, I am happy. – Josh May 04 '12 at 16:22
  • This question appears to be off-topic because it is about [`working with a service provider's management interface, such as cPanel`](http://serverfault.com/help/on-topic). – HopelessN00b Jan 13 '15 at 23:46
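The update above mentions per-domain Unix-style passwd and shadow files. As an added example (not code from the question, the answers, or cPanel itself), here is a small Python audit that reads shadow-formatted entries and reports what a forced-reset decision needs: the hash scheme in use, the password age derived from the "last changed" field, whether the entry is already past its own max-age, and whether it is already flagged for a change on next login. It assumes the standard shadow(5) field order for those files and uses constructed sample data with placeholder hashes; it only reports, it does not edit the files (the question notes that editing them did not change what exim accepted).

```python
"""Audit shadow-style password files for stale, weak, or forced-change entries."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sample (not from the original post). Layout follows shadow(5):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved. Assumption: the
# per-domain ~/etc/<domain>/shadow files mentioned in the question use the
# same field order. Hash payloads below are placeholders, not real digests.
SAMPLE_SHADOW = """\
alice:$6$saltsalt$placeholder.sha512.hash:15000:0:99999:7:::
bob:$1$abcdefgh$placeholder.md5.hash:15400:0:99999:7:::
carol:$6$othersalt$placeholder.sha512.hash:15400:0:30:7:::
dave:*:15000:0:99999:7:::
frank:$6$newsalt$placeholder.sha512.hash:0:0:99999:7:::
"""
# Reference "today" for the sample, chosen to match the thread's date.
REFERENCE_DAY = date(2012, 5, 4)

HASH_PREFIXES = {
    "$1$": "md5-crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
    "$y$": "yescrypt",
}
WEAK_ALGORITHMS = {"md5-crypt", "des-crypt"}
NO_EXPIRY = 99999  # conventional "never expires" value in the max-age field


@dataclass
class Finding:
    user: str
    algorithm: str            # hash scheme, or "locked" for *, ! and !! entries
    age_days: Optional[int]   # days since last change; None if unknown or forced
    must_change: bool         # lastchg == 0: change required at next login
    expired: bool             # age exceeds the entry's own max-age field
    weak: bool                # legacy hash scheme


def days_since_epoch(d: date) -> int:
    """shadow(5) stores dates as days since 1970-01-01."""
    return (d - date(1970, 1, 1)).days


def classify_hash(h: str) -> str:
    """Map the crypt(3) prefix to a scheme name; treat *, ! and !! as locked."""
    if h in ("", "*", "!", "!!") or h.startswith("!"):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if h.startswith(prefix):
            return name
    # A 13-character hash with no $-prefix is traditional DES crypt.
    return "des-crypt" if len(h) == 13 else "unknown"


def parse_int(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def audit_shadow(text: str, today: date) -> List[Finding]:
    """Parse shadow-formatted text and return one Finding per account."""
    today_days = days_since_epoch(today)
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected shadow fields, got {len(fields)}")
        user, pwhash = fields[0], fields[1]
        lastchg, max_age = parse_int(fields[2]), parse_int(fields[4])
        algo = classify_hash(pwhash)
        must_change = lastchg == 0
        age = None if lastchg is None or must_change else today_days - lastchg
        expired = (age is not None and max_age is not None
                   and max_age != NO_EXPIRY and age > max_age)
        findings.append(Finding(user, algo, age, must_change, expired,
                                algo in WEAK_ALGORITHMS))
    return findings


def needs_reset(findings: List[Finding], max_age_days: int) -> List[str]:
    """Accounts whose password should be invalidated under a policy of
    max_age_days: weak scheme, past its own max-age, or older than the policy.
    Locked entries and entries already forced to change are skipped."""
    out = []
    for f in findings:
        if f.algorithm == "locked" or f.must_change:
            continue
        if f.weak or f.expired or (f.age_days is not None and f.age_days > max_age_days):
            out.append(f.user)
    return sorted(out)


if __name__ == "__main__":
    report = audit_shadow(SAMPLE_SHADOW, REFERENCE_DAY)
    for finding in report:
        print(finding)
    print("needs reset under a 90-day policy:", needs_reset(report, 90))
```

Running it against the sample flags alice (password 464 days old), bob (MD5-crypt) and carol (past her own 30-day max-age), skips dave (locked) and frank (already forced to change at next login), which is the list an administrator would then act on through the account's own password tooling rather than by editing the file.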

2 Answers

2

Can you use the Security Policies to force a 'change date' of tomorrow? I'm thinking if you set a Password Age of 1 day, it will force them all to expire this time tomorrow. Once they're all expired, you can remove the limitation.

JohnThePro
  • Unfortunately this is for *the cPanel account* and not for the email accounts within each cPanel account... :-( – Josh May 04 '12 at 17:13
  • I apologize, I didn't understand this was a tiered deployment. Hold please. – JohnThePro May 04 '12 at 17:14
  • Done and done. :) – JohnThePro May 04 '12 at 17:22
  • Thanks. I was thinking of trying this, but I was unsure if it would work. Also, doesn't it mean that everyone will have to reset their passwords on the same day? I may just have to use a 30 day limit... – Josh May 04 '12 at 17:58
  • Yes, everyone will have to do it on the same day. Isn't that what you were going for? Instantaneous? – JohnThePro May 04 '12 at 20:15
  • What I was going for was to invalidate everyone's passwords *now*, but allow them to change them over the course of several days. My thinking is, if I set it to 1 day, then after that day I have to increase it otherwise the people who did change their passwords will have to change them again. Which means anyone who doesn't change their password escapes the new requirement... I need to test this option I suppose and see how it actually works. – Josh May 04 '12 at 20:52
1

As of cPanel 11.34.1.4 (CURRENT release at the time of writing), this is now a standard feature under Account Functions » Force Password Change.

Josh