bugy / script-server

Web UI for your scripts with execution management

Change in .htpasswd not reflected up to restart script-server #567

Open father-mande opened 2 years ago

father-mande commented 2 years ago

Hi,

If a user password in .htpassword is changed (auth htpasswd) ... the login page always accepts the old password value ??? EVEN if the .htpassword file is correctly updated ?

It seems that .htpassword is read at start of script-server and not reloaded ?? Restarting script-server solves the problem and the new password is used.

Is it possible to force reading .htpassword (if auth htpasswd) each time a new login is done ?

Philippe.

bugy commented 2 years ago

Hi @father-mande, maybe you can try to install the htpasswd utility. In this case script server would pick up the latest changes.

father-mande commented 2 years ago

Hi,

Hum!, I don't understand ... I have htpasswd (from apache 2.4) tools and I use them to change (or create) the password attached to a user (in an .htpassword file )???

The actions I do are:

- login in script-server ex. me password mypass (OK)
- use htpasswd to change password of me user by mynewpassword ... htpasswd does the job and the associated .htpassword file is modified with the new encoded password
- go back to script-server, logoff then login again
- script-server asks for password BUT accepts ONLY if the previous (mypass) password is used and not the new one (mynewpassword)
- clear browser cache and exit the browser, and retry
- restart browser then login in SC and SAME result (old passwd is used)
- stop / start script-server ... immediately the new password is accepted for login and old rejected.

Is it more clear ?

Philippe.

bugy commented 2 years ago

Hi @father-mande, for whatever reason script server cannot find this utility. Because if the utility is there, script server does not cache passwords.

Could you check server.log after server startup and look for HtpasswdAuthenticator text? It should be either `Using htpasswd utility for password verification` or `Using built-in encoder for password verification`

father-mande commented 2 years ago

Hi,

```
grep HtpasswdAuthenticator server.log
2022-08-18 15:21:42,544 [script_server.HtpasswdAuthenticator.INFO] Using htpasswd utility for password verification
```

Philippe.

bugy commented 2 years ago

It's very strange, this should work. The only thing which script server is doing, is calling `htpasswd -bv path_to_file username password`

father-mande commented 2 years ago

Hi,

Yes it's very strange ... just remember that restart script-server after changing a password permit to use the new credential ...

and using the same command to verify my password provides the correct result ... ex. with my script_admin user (user with script to manage script-server and user itself)

```
htpasswd -bv .htpassword script_admin mypassword
Password for user script_admin correct.
```

Philippe.

father-mande commented 2 years ago

Hi,

I have also tried to clear the cache of my browser and restart it ... did you use cookies for credentials ?

Philippe.

bugy commented 2 years ago

If you log in from scratch, then no cookies/cache is used

father-mande commented 2 years ago

Hi, I have redo test on different system with different architecture (arm64 and x86_64) and have same problem ...

... for the moment (and for people using my integration), I force a restart each time a password is changed or a user/password is added, but it's a bad workaround, I have to test if multiple user can be connected on different PC (on a same PC only one instance and one login can be done at the same time) to the same script-server instance ... so in this case, I have to check (if possible) if a script run, to don't break a user works.

Philippe.

bugy commented 2 years ago

Hi, @father-mande, I tested it on my machine and it works fine. Are you using docker by any chance? Or maybe it's windows

father-mande commented 2 years ago

Hi,

Server is a Linux NAS kernel 5.13 htpasswd comes from Apache 2.4, Python is 3.7 ... script-server is in a virtualenv ... each user in script_server deserve scripts for managing an application per user (~150 scripts). ... script_server have a script_admin user for managing itself (NAS is by definition without usual terminal interface for users)

... script-server is used on x86_64, arm (32 bits) and arm64 with exactly the same structure.

I don't use Docker and generally browser are on Windows 10 or 11 or Linux , browser can be Chrome, Edge, Firefox, Opera, etc.

A user ask for the problem on Asustor forum, but I can reproduce the problem on my own systems.

TODO : . ... restart from scratch ... verify all python modules updated ... redo full test with htpasswd out script-server (even basic had been done)

My temporary workaround works as well, so users are not blocked

Thanks for your help, I will return to you if I understand the problem.

Philippe.

bugy commented 2 years ago

Just to double check on the test case:

Is it correct? The only thing I can assume in this case, is that script server process sees an old version of the file

father-mande commented 2 years ago

Hi,

Correct.

I will check if a new file caching was set on NAS with last update ... (but if it is ... it's abnormal ... I think it's not but I verify ... ) I think test using linux "sync" to force write ... just to verify.

Philippe.

father-mande commented 2 years ago

Hi,

After (a lot of tests) and analysis ... I think I have discovered the (my) problem ... for the moment all tests seem correct without problem ...

In fact, I don't understand why the "old" password is kept in case of the error ? I have, by a so stupid decision, written the path to the .htpassword file in script-server.json using a relative path

```
"auth": {
  "type": "htpasswd",
  "htpasswd_path": "../my_data/.htpassword",
  "expiration_days": 0.2
},
```

based on the fact I was positioned in script-server folder and my_data at the same level ...

THIS WORKS but in some circumstances ... the PATH becomes incorrect and a file not found is generated BUT previous passwords are kept somewhere ???

AFTER using a full path name for .htpassword and tens of tests ... it seems the problem is solved (To Be Verified by other users)

so it seems to be 100% my fault ... even if I don't see an error (unknown file for ex.) ... and old password was always active ???

I continue to run more tests. Thanks again for your help.

Philippe.

bugy commented 2 years ago

I don't fully know how the htpasswd utility is working. Maybe it's keeping a reference to an old file in case it's a relative path :man_shrugging: or just caching it somewhere

father-mande commented 2 years ago

Hi,

Do you think it is possible to add an optional parameter for htpasswd auth to propose our path to the htpasswd program, with default the PATH available in the system (which htpasswd) as you used (I think based on auth_htpasswd.py) ?

like

```
"auth": {
  "type": "htpasswd",
  "htpasswd_exec_path": "/path/to/htpasswd",
  "htpasswd_path": "path/to/.htpassword/file",
},
```

Philippe.

bugy commented 2 years ago

Hi @father-mande, I'm not sure if this is necessary, one can set this path before calling the script server, e.g. `(export PATH="$PATH:/path/to/htpasswd" ; ./main.py)`

father-mande commented 2 years ago

Hi, Not really necessary, but more about in my particular context ... NAS is not a pure Linux distro. I understand that you can't manage specific context ... when more standard Linux run as well.

Sorry to have annoyed you with this. Best regards.

Philippe.

NB htpasswd has no specific cache and can use relative path or link ... (verified with sync, fsync and vmtouch), but relative path is broken if working directory changes (as usual) ... in this case I don't see any error in the server.log ???? But it's closed, I use full path and don't have any more problems (even if I wait for users feedback to be 100% sure)
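The relative-path failure described in this thread, as an added example that is not script-server's code: the same `../my_data/.htpassword` value names a different file once the working directory changes, while a path pinned to the config file's directory and checked at startup does not. The directory layout, the stale copy, the file contents and `resolve_htpasswd_path` are constructed for illustration, and anchoring a relative value to the config file's directory is this example's assumption.

```python
import json
import os
import tempfile

REL = "../my_data/.htpassword"  # relative value quoted in the thread


def resolve_htpasswd_path(conf_file):
    """Pin htpasswd_path to an absolute path; fail loudly if it is missing.

    Assumption of this example: a relative value is anchored to the directory
    of the config file, not to the process working directory.
    """
    with open(conf_file) as f:
        raw = json.load(f)["auth"]["htpasswd_path"]
    base = os.path.dirname(os.path.abspath(conf_file))
    resolved = os.path.realpath(os.path.join(base, raw))
    if not os.path.isfile(resolved):
        raise FileNotFoundError("htpasswd file not found: " + resolved)
    return resolved


def demo():
    """Constructed layout: show what REL names from two working directories."""
    root = os.path.realpath(tempfile.mkdtemp())
    server = os.path.join(root, "script-server")
    other = os.path.join(root, "elsewhere", "run")
    for d in (server, other, os.path.join(root, "my_data"),
              os.path.join(root, "elsewhere", "my_data")):
        os.makedirs(d)
    # Constructed entries: the live file and a stale copy in a sibling tree.
    files = {"my_data": "me:NEW-HASH\n", "elsewhere/my_data": "me:OLD-HASH\n"}
    for sub, body in files.items():
        with open(os.path.join(root, sub, ".htpassword"), "w") as f:
            f.write(body)
    conf = os.path.join(server, "script-server.json")
    with open(conf, "w") as f:
        json.dump({"auth": {"type": "htpasswd", "htpasswd_path": REL}}, f)
    seen, start = {}, os.getcwd()
    try:
        for name, cwd in (("server", server), ("other", other)):
            os.chdir(cwd)
            with open(REL) as f:  # what a cwd-relative lookup reads
                seen[name] = f.read().strip()
            with open(resolve_htpasswd_path(conf)) as f:  # pinned lookup
                seen[name + "_pinned"] = f.read().strip()
    finally:
        os.chdir(start)
    return seen
```

Calling `demo()` returns what each lookup read from both working directories; a missing target raises `FileNotFoundError` at resolution time instead of surfacing later as a failed login.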

bugy commented 2 years ago

> in this case I don't see any error in the server.log ????

yeah, this is strange indeed. But what is even more strange, is that htpasswd continues working and accepts old passwords. So somehow an old file is still accessible

cybeard commented 1 year ago

This may be related to a very similar issue.

System: Asustor AS6604T on 4.1.0.RKM1 script_server ver 1.17.3

After installing via App Central, I attempted to change the default password. Seemed to work, but logging off and back in with new password failed. The old password worked. Found the patch by father_mande (mentioned https://forum.asustor.com/viewtopic.php?f=42&t=11667&start=30) and installed. Tried changing password again. Here is the output from 0_change_current_user_password in the web UI. Still, the system only accepts the old password after logging off.

```
Password for user script_admin correct.
setting new password to user script_admin
Updating password for user script_admin
Sopt Script-server
sh: can't kill pid 17527: No such process
sh: invalid number 'root'
Stop done
Start Script-server
Start is done
```

father-mande commented 1 year ago

Hi,

Due to a change in A.D.M. 4.x (Asustor firmware), htpasswd and apache are no longer provided IN A.D.M. but as a separate APKG (Asustor Package).

Your error seems to be attached to the fact that htpasswd is not accessible or executable ? Generally if Apache APKG is not installed.

To solve this (temporary, I will write a new update with more control ... sorry I am back today to my lab after a long time ):

Open a ssh terminal as root / your_admin_password OR use any administrators user and use sudo -i -u root with your_user_admin_password when required.

If Apache Web Server APKG is installed, do:

```
ln -s /usr/local/AppCentral/httpd-2.4.43/data/binary/bin/htpasswd /usr/builtin/bin/htpasswd
ln -s /usr/local/AppCentral/httpd-2.4.43/data/binary/bin/htpasswd /usr/local/bin/htpasswd
```

... the second ln is in case of some ADM or APKG update that clears /usr/builtin

If Apache IS NOT installed:

```
ln -s /usr/local/AppCentral/scriptserver/my_data/htpasswd.$(uname -m) /usr/builtin/bin/htpasswd
ln -s /usr/local/AppCentral/scriptserver/my_data/htpasswd.$(uname -m) /usr/local/bin/htpasswd
```

... uname -m is to select the good htpasswd corresponding to your NAS CPU (arm(v7l), arm64(aarch64), x86_64)

Sorry for the inconvenience .

Philippe.

father-mande commented 1 year ago

Hi,

Please post your question relative to Asustor package in the Asustor forum ... this IS NOT a problem attached to script-server but a problem attached to the port with constraints on NAS.

Regards. Philippe.