Simply viewing the web user&email tab resets the user's password!!!

Discussion in 'General' started by heftigrat, Jan 12, 2006.

  1. heftigrat

    heftigrat New Member

    Um, problem? Indubitably!!! I'm sorry for the red mad face, but that seems like a pretty big bug. Any thoughts till or falko?

    I should elaborate. Clicking ON the user&email tab doesn't reset the pw, but clicking OFF the tab does. So if you click on user&email at all, the password will inevitably reset as soon as you view something else. Argh! I'm at a loss as to how I can avoid this, otherwise I'll have to keep a password protected database for all users so if I have to modify or view them I can make sure I retype the password. Frustrating. HELP!
    Last edited: Jan 12, 2006
  2. falko

    falko Super Moderator Howtoforge Staff

  3. heftigrat

    heftigrat New Member

    mmmm, perhaps there is something wrong with my system, but i doubt it. i clicked on "User & Email", then on "Advanced Settings", and I try to log into Uebimiau and I get this message:

    Login error  	
    You cannot login with the username and password entered.
    Please check your username and password and try again.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I dont think the behaviouryou described is a general bug, otherwise we would have heard about that before. Lets try to track it down.

    1) Create a user and verify that you can login with UebiMiau.
    2) Have a look at /etc/passwd and /etc/shadow and note the lines for this user.
    3) Go in the ISPConfig interface and change the tabs as you described.

    a) whats get written newly to the ispconfig logfile:


    b) Dies /etc/passwd and /etc/shadow gets changed. Is the password emptied in /etc/shadow ?
  5. heftigrat

    heftigrat New Member

    Right there with ya. Let's do this thing. Ready? Go! ...

    Done, user is "domain.dom-test".
    domain.dom-test:x:10005:10003:Test Email:/var/www/web3/user/domain.dom-test:/bin/false
    /etc/shadow (edited for my comfort):
    Done, only this time I even pressed "Cancel" with the same result! Can't log into webby-meow! (how do you pronounce it, btw? a little off topic but what the hey.)

    # cat /home/admispconfig/ispconfig/ispconfig.log | tail
    13.01.2006 - 09:05:55 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 695: setquota -u domain.dom-test 0 0 0 0 -a &> /dev/null
    13.01.2006 - 09:05:55 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_procmail.lib.php, Line 57: cp -f /root/ispconfig/isp/conf/forward.master /var/www/web3/user/domain.dom-test/.forward
    13.01.2006 - 09:05:55 => INFO - maildirmake /var/www/web3/user/domain.dom-test/Maildir &> /dev/null, Line 106: maildirmake /var/www/web3/user/domain.dom-test/Maildir &> /dev/null
    13.01.2006 - 09:05:55 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_postfix.lib.php, Line 136: cp -fr /etc/postfix/local-host-names /etc/postfix/local-host-names~
    13.01.2006 - 09:05:55 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_postfix.lib.php, Line 283: cp -fr /etc/postfix/virtusertable /etc/postfix/virtusertable~
    13.01.2006 - 09:05:55 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_postfix.lib.php, Line 288: postmap hash:/etc/postfix/virtusertable
    13.01.2006 - 09:05:55 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 1191: cp -fr /etc/apache2/vhosts/Vhosts_ispconfig.conf /etc/apache2/vhosts/Vhosts_ispconfig.conf~
    13.01.2006 - 09:05:55 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php, Line 696: /etc/init.d/postfix stop &> /dev/null
    13.01.2006 - 09:05:56 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php, Line 696: /etc/init.d/postfix start &> /dev/null
    13.01.2006 - 09:05:56 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 1825: cp -fr /etc/proftpd_ispconfig.conf /etc/proftpd_ispconfig.conf~
    Looks like all account creation stuff to me.

    Nope, still there.

    Does this have anything to do with me using certain characters such as pound (#) or bang (!) for example? Never had a problem using certain chars in Linux pw's before. Is that it though?
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    If /etc/passwd and /etc/shadow does not get changed, the account must be still valid... Have you tried to login with a "normal" not webbased pop3 client.

    Please try passwords without special charachters, did you get the same behaviour?
  7. heftigrat

    heftigrat New Member

    Well now that's a strange thing. Here's what happened:
    1. Didn't change anything since unable to login via webmail, WAS able to log in via POP3 (T-Bird).
    2. Sent an email to that account, dl-ed w/T-Bird no prob, then WAS able to log in via webmail!
    3. Did the "click on / click off" thing, then could NOT log in either via webmail or T-Bird!!!
    4. Sent myself another email thinking perhaps that was what fixed webmail earlier - no effect.

    OK, that worked fine. Must be the strange characters. That does concern me though, as Linux is cool with special characters and I have always liked to keep my pw's a little cryptic in and of themselves, just to avoid brute-force attacks and lucky guesses. :p Is there any way this can be added to ISPC v3? Would this be worthwhile to submit as a bug or a feature request? Thanks for all your help!
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig does not care about the characters used in passwords. The problems I've encountered sometimes where that the crypt function in linux seem to result in another hash then the crypt function in PHP.
  9. heftigrat

    heftigrat New Member

    Well ain't that a b!tch. Why should that affect standard POP3 connections though? It shouldn't rewrite the encrypted pw to /etc/shadow, right?
  10. heftigrat

    heftigrat New Member

    OK, new development:

    I just tried again with a different test account. I did the "click on / click off" thing, checked "/etc/shadow", and verified the encrypted pw was still OK. Then I tried loggin in via Uebimiau, got the error, checked "/etc/shadow" and the pw was reset to "*"!!! Weird.

    Then I tried just doing a "passwd <user>" in bash and got a completely different crypt pw in shadow. THIS FIXED THE ISSUE! The pw no longer gets reset to "*" when I do the click on/off thing and then check webmail. My friends, I appreciate all your help, but as a developer I would most definitely consider this a bug. Is there any way to force ISPC to use the Linux pw hashing algorithm instead of PHP's? Thanks.

    EDIT: The "bug" as I call it seems to be very specific and is not caused only by ISPC or only by Uebimiau, but a combination of actions between the two. Specifically, I have to click on/off in ISPC AND THEN attempt to log into the account via Uebimiau.
    Last edited: Jan 13, 2006
  11. falko

    falko Super Moderator Howtoforge Staff

    I think the problem might be that you use usernames with dots and hyphens (e.g. domain.dom-test). Linux doesn't like that...
  12. heftigrat

    heftigrat New Member

    That's news to me. If that's true, why would ISPC allow me to set the prefix as "[DOMAIN]"? That would definitely have a dot in it, and could potentially have a hyphen as well (e.g. I guess I'll have to wait for ISPC v3 and those nifty virtual user names.

    I still think if ISPC would use Linux's "passwd" hashing algorithm it wouldn't be a problem, as that resolved the issue for me. Maybe I'll write a script to allow new customers to create their own "special character" passwords, put it in a web form on an SSL site, and that will be that - at least for now. Thanks for your advice.
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig has the Domain option beacuse some poeple wanted it even if it causes problems. Thats why it is not used by default and we dont recommend to use it.

    I think the best solution will be that we will disable the special characters in password chars until the issue is fixed in the PHP crypt function.
  14. heftigrat

    heftigrat New Member

    That makes sense, I could live with that. If it doesn't work, don't allow it! :)

    Any idea when they'll fix PHP?
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    I'am just testing the latest PHP 5.1.x release with ISPconfig, maybe that solves it.
  16. heftigrat

    heftigrat New Member

    Rockin'! Let us know how it goes. Thanks!!!:D
  17. bersi

    bersi New Member

    I had the same

    Well i encountered the same behavior but not on all accounts. The passwords have !@% and the like characters and the usernames are webxx_username where username can have - or _ characters. I dont know why but there are 100 pop accounts, just some of them recently showed this behavior (linux update??)

    Anyway the brand new ISP config 2.2.8 seems to have solved this!


Share This Page