
Decode the passwords in psa database table smb_users to use central login script

TheEniGMa

New Pleskian
We got a custom central login script in PHP that connects to several PLESK servers to check if the user has entered the correct username and password and, if they have, redirects the user and automatically logs in the user to the correct server where the customer's domain account is located. Simplified, it does a "SELECT * from table where user='username' AND password='pass'" on each PLESK server we got and if a match is received we know that the username/password is correct and what server it is located on.

In PLESK 8.6 this was pretty easy since passwords were stored in the MySQL database in plain text, but in PLESK 10 it seems to be encrypted.

I have located the psa database table smb_users and the fields login and password, but the password is encrypted so I can not simply run

select * from smb_users where login='username' and password='12345';

I tried MD5 and SHA1 like below with no luck:

select * from smb_users where login='username' and password=MD5('12345');
select * from smb_users where login='username' and password=SHA1('12345');

So, the passwords are encrypted but I do not know in what way.

Question is, how do I run a SQL command on a PLESK 10 server to check for a username/password combination?
 
I filed a support ticket to Parallels about this and got a reply saying that it is simply not possible as they are using a hard-coded algorithm.

Does anyone have any ideas on a different solution to this problem?
 
It's not really a solution but we have a similar page that simply asks for the domain they want to manage, we can then redirect that to the https://domain:8443 page and assuming the domain is live you're at the right server (I presume you mainly want to get them to the right server rather than control the method they log in by).
 
Thanks Paul.

We actually had it set up just like that before but it gives ugly SSL certificate errors when https://domain:8443 is used instead of https://server.with.real.certificate:8443. And as you say, it only works for active, correctly pointed domain names, and new customers who move their domains to us would have to use the server's login page.

Another solution would be to only check for the login and redirect the user, but since PLESK 10 offers users to create "sub-users" of their own, we can guess that we will see common user names like "john" and "andreas" on several PLESK servers and the login script will then find several servers where the login is found... Matching both user/pass would get a more unique match for only the one correct server.

Third solution is to write a PHP script that actually does a login using CURL of the redirect URL and checks if the panel home page is loading. If so, send another curl to log out the user and finally redirect the user to the PLESK servers using GET... Not very pretty and would be slow if there are plenty of servers to check.

The best approach would be to check MySQL table smb_users for user/pass, fast and reliable for a unique match but no longer possible with encrypted passwords... =(
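
Added example, not part of any post in this thread: one way to keep the domain-based redirect suggested above without the certificate errors is to resolve the entered domain and redirect to the matching server's own hostname, taken from a fixed allow-list rather than from user input. The server names, IP addresses, sample DNS answers and the `panelUrlForDomain` function are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Hostnames and IPs are constructed.
// Map of each Plesk server's IP to the hostname its certificate is issued for.
const PLESK_SERVERS = [
    '192.0.2.10' => 'plesk1.example.net',
    '192.0.2.20' => 'plesk2.example.net',
];

/**
 * Return the panel URL of the server hosting $input, or null when the
 * input is not a plain domain name or does not point at exactly one of
 * our servers. $resolver is injectable so the lookup can be tested offline.
 */
function panelUrlForDomain(string $input, ?callable $resolver = null): ?string
{
    $domain = strtolower(trim($input));
    // Accept bare host names only: no scheme, path, port or credentials.
    $pattern = '/^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/';
    if (!preg_match($pattern, $domain)) {
        return null;
    }
    // Default resolver: all A records, or an empty list when lookup fails.
    $resolver ??= static fn(string $d): array => gethostbynamel($d) ?: [];
    $hosts = [];
    foreach ($resolver($domain) as $ip) {
        $host = PLESK_SERVERS[$ip] ?? null;
        if ($host !== null) {
            $hosts[$host] = true;
        }
    }
    // Ambiguous or unknown: the caller shows a fallback page instead.
    if (count($hosts) !== 1) {
        return null;
    }
    // The redirect target comes from the allow-list, never from user input.
    return 'https://' . array_key_first($hosts) . ':8443/';
}

// Constructed DNS answers standing in for real lookups.
$fakeDns = static fn(string $d): array => [
    'customer-a.example' => ['192.0.2.20'],
    'elsewhere.example'  => ['198.51.100.7'],
][$d] ?? [];

var_dump(panelUrlForDomain('Customer-A.example', $fakeDns));
var_dump(panelUrlForDomain('elsewhere.example', $fakeDns));
var_dump(panelUrlForDomain('https://other.example/path', $fakeDns));
```

A null result covers the case raised in the thread of domains that are not yet pointed at one of the servers, so the caller still needs a fallback such as a list of server login pages.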
 