admin account password and ISPConfig 3.2.2

Discussion in 'Installation/Configuration' started by Jonathan Crooke, Jan 20, 2021.

  1. Jonathan Crooke

    Jonathan Crooke New Member

    Hi everyone,
    First of all, thanks very much for the excellent product. I've been using it for many years as a home user, and it really is a great thing you've made here. So thanks for that!
    I've set up a public Docker project for ISPConfig. That's what I'm using at home, and it may have other users... Anyway, usually updating to the latest version is no big deal, but I hit a problem after the security updates in 3.2.2.
    • The repo has some basic smoke tests; one verifies that the admin account can log in after installation
      • With 3.2.2 this test fails; the admin account password is incorrect (installation sets it to "xxx" in the database)
    • I notice that 3.2.2 had a number of security-related fixes, most notably related to the admin account
    • Digging through the code, I see that the admin account password is set to "xxx" during installation, and this is what I see in the database after the automated test installation. This seems to be a placeholder, since there are references to changing the account security after first login
    • I can manually set the password in the database and everything works, but it seems something is not happening that sets the password to the properly encrypted (non-md5?) version
    So I haven't quite been able to work out how this should work. It seems like new installations now need an explicit reset password to get it working? It doesn't seem to be too clear how this should work. I'd just like to update my project in the right way so that things continue working going forward.

    Hope someone can help!

    Thanks in advance
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The xxx value in the database is just a placeholder to prevent login without a password being set; there is no default password like 'admin' anymore for security reasons. The real password then gets set by the ISPConfig install.php script during installation to the value that you enter during install (or that you have set using autoinstall ini, in case of an automated installation). You've probably not run install.php on your system if it does not get replaced.
     
  3. Jonathan Crooke

    Jonathan Crooke New Member

    Hi,
    Thanks very much for your response.
    That's interesting, and a little confusing. My Dockerfile otherwise runs install.php using an autoinstall.ini. I can't post the link(s) yet due to being new on the forum. Perhaps I can add them after this post.
    Of course there could quite easily be something wrong with my implementation, but it has been working quite well for a few years. Confusing then that after install I'd be left with "xxx" as the password in the database...?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You might want to have a look at the code of the official ISPConfig auto-installer, which uses autoinstall mode for the install.php script as well to install ISPConfig after having installed all prerequisites.
     
  5. Jonathan Crooke

    Jonathan Crooke New Member

    I realised that the issue probably is that I have the admin password set to "admin" in my install script. Looking at the code, it would seem the newly encrypted password is only applied if the password is not "admin". This makes sense if it's a security fix. So, trying out changing that...
     
  6. Jonathan Crooke

    Jonathan Crooke New Member

    till likes this.
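
A pre-flight and post-install check for the situation worked out in this thread, as an added example that is not part of any post and is not ISPConfig's or the poster's code. The key name `ispconfig_admin_password`, the function names and the `$id$...` hash shape are assumptions; the sample ini text is constructed.

```python
import configparser
import re

PLACEHOLDER = "xxx"      # value the thread reports in the database after install
NOT_APPLIED = {"admin"}  # per post 5, install.php does not apply this password
PASSWORD_KEY = "ispconfig_admin_password"  # ASSUMED autoinstall.ini key name


def autoinstall_problems(ini_text):
    """Return reasons the admin password in autoinstall.ini would not be applied."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    found = [s[PASSWORD_KEY] for s in parser.values() if PASSWORD_KEY in s]
    if not found:
        return [f"{PASSWORD_KEY} is not set"]
    problems = []
    for value in found:
        if value.strip() == "":
            problems.append("admin password is empty")
        elif value in NOT_APPLIED:
            problems.append("admin password is the old default and will be skipped")
        elif value == PLACEHOLDER:
            problems.append("admin password equals the database placeholder")
    return problems


def classify_stored(value):
    """Classify the admin password value read back from the database."""
    if value == PLACEHOLDER:
        return "placeholder"      # install.php never replaced it; login impossible
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "md5-like"         # bare 32-hex digest, the format post 1 asks about
    if re.fullmatch(r"\$[0-9a-z]+\$.+", value):
        return "crypt-style"      # $id$... modular crypt string (assumed format)
    return "unknown"


# Constructed sample input, not taken from the poster's project.
SAMPLE_BAD = "[install]\nispconfig_admin_password=admin\n"
SAMPLE_GOOD = "[install]\nispconfig_admin_password=c0nstructed-Example-Only\n"

if __name__ == "__main__":
    for name, ini in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, autoinstall_problems(ini) or "ok")
    print(classify_stored("xxx"))
```

Running `autoinstall_problems` before the image build catches the skipped password early, and `classify_stored` gives a smoke test a clearer failure than a rejected login when the placeholder is still in the database.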
