I plan to use API calls to pause a sensor when a machine reboots to apply updates. However, I discovered the passhash can be used to access the WebUI, e.g.: "https://example.com/?username=apiuser&passhash=1234567890".

This is a problem. I can't hide the hash from local admins on those servers, but I don't want them to be able to gain access to the WebUI. I found some posts on this board that indicate the hash should not work for the web interface. Is this a bug?

https://helpdesk.paessler.com/en/support/solutions/articles/77509-using-http-api-without-putting-credentials-in-the-path

https://helpdesk.paessler.com/en/support/solutions/articles/89434-login-interactively-to-portal-via-passhash

Thanks


Article Comments

Hello,

Thank you for your message.

As mentioned in the second KB article, call-based authentication is possible (with passhash) and I'm afraid that there is no option to disable it.

Therefore, I invite you to open a feature request for it by following our guideline here: https://helpdesk.paessler.com/en/support/solutions/articles/76000063572-how-can-i-propose-new-features-or-sensors-for-prtg

If you have questions, let us know.

Regards.


Aug, 2021
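
Since the passhash login cannot be disabled, one defender-side option is to watch for it. The following is an added example, not part of the original posts and not Paessler's code: it scans web access logs for passhash-authenticated requests that land outside the API, which is the WebUI use the question wants to prevent. The log format, the sample lines, the `/api/` prefix and the function names are assumptions to adapt to your own server.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: scripted API calls live under this path prefix; adjust to your server.
API_PREFIX = "/api/"

# Constructed sample access-log lines (common-log style, not real PRTG output).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2021:03:00:01 +0000] "GET /api/pause.htm?id=2001&action=0&username=apiuser&passhash=1234567890 HTTP/1.1" 200 15
10.0.0.5 - - [12/Aug/2021:03:09:44 +0000] "GET /api/pause.htm?id=2001&action=1&username=apiuser&passhash=1234567890 HTTP/1.1" 200 15
10.0.0.77 - - [12/Aug/2021:09:13:20 +0000] "GET /?username=apiuser&passhash=1234567890 HTTP/1.1" 200 48211
10.0.0.77 - - [12/Aug/2021:09:13:25 +0000] "GET /sensors.htm HTTP/1.1" 200 30110
10.0.0.9 - - [12/Aug/2021:09:20:00 +0000] "GET /index.htm?username=admin HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_webui_passhash_logins(log_text, api_prefix=API_PREFIX):
    """Return (client_ip, username, path) for passhash requests outside the API."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        url = urlsplit(m.group("target"))
        query = parse_qs(url.query)
        if "passhash" not in query:
            continue  # no call-based authentication on this request
        if url.path.lower().startswith(api_prefix):
            continue  # expected scripted API use
        user = query.get("username", ["?"])[0]
        hits.append((m.group("ip"), user, url.path))
    return hits


def redact(line):
    """Mask the passhash value so findings can be shared without the credential."""
    return re.sub(r'(passhash=)[^&\s"]+', r"\1<redacted>", line, flags=re.I)


if __name__ == "__main__":
    for ip, user, path in find_webui_passhash_logins(SAMPLE_LOG):
        print(f"passhash login to WebUI: user={user} from={ip} path={path}")
```

Alerting on any hit for the API account, and on API calls from hosts other than the servers that are supposed to make them, gives a signal when a copied hash is reused.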