Universal Password Trap

As a cPanel account password can be changed in a number of places, including both cPanel and WHM, we've created a universal hook that fires anytime an account password is changed.

Creating the Module

In order to capture password output from any function that changes a password, you'll need to create a module located in /usr/local/cpanel/Cpanel/ChangePasswd/. This module will be run as root whenever a password is changed in WHM, cPanel, APIs, etc.

In this example, we're going to be sending this password back to our custom billing system so that we can have a record of the user's password in case they forget it. Therefore, we're going to create /usr/local/cpanel/Cpanel/ChangePasswd/SendtoBilling.pm.

Module Internals

The internals of the module are pretty simple, in fact, there are only a few variables that can be accessed:

• user (string) — User name of the account. Example: user.
• newpass (string) — New account password. Example: p@ssw0rd!12345.
• message (string)* — Status message about the password change. Example: password changed successfully.
• rawout (string)* — Raw output from the password change. Example: Changing system password for user x.
• service_ref (string)* — Service changing the password. Example: WHM.

Note: Variables marked with * are only available when the root user is changing the account password.

In order to access those variables, we'll have our module dump them into a hash:

#!/usr/bin/perl
package Cpanel::ChangePasswd::Sendtobilling;
use strict;
my %OPTS = @_;
my $user = $OPTS{'user'};
my $newpass = $OPTS{'newpass'};
# Here you can add functions to create objects, send the password 
# to a remote location, etc. 

After accessing the variables, you can send the username, password and any other variables to a local or remote location, store them in a database, etc.

Important: Please be sure to only send them remotely using SSL and only store them encrypted, as sending out or storing password information in plain text is a huge security risk.