hestiacp / hestiacp

Hestia Control Panel | A lightweight and powerful control panel for the modern web.
https://hestiacp.com
GNU General Public License v3.0

[Bug] couldn't login with my admin password with the error message: invalid username or password #3354

Closed eltinh closed 1 year ago

eltinh commented 1 year ago

Describe the bug

Just installed Hestia on Ubuntu, but couldn't log in with my admin password; the error message is: invalid username or password.

Tell us how to replicate the bug

Tried below methods, but still couldn't resolve the problem

  1. reset the admin password
  2. reinstall the ubuntu and hestia

Which components are affected by this bug?

Control Panel Installation or Upgrade

Hestia Control Panel Version

1.6.14

Operating system

ubuntu 2204

Log capture

2023-03-13 11:21:25 v-add-user-sftp-jail  'syslog' 'no' [Error 3]
2023-03-13 11:21:25 v-add-user-sftp-jail  'syslog' 'no' [Error 3]
2023-03-13 11:23:54 v-list-web-domain  'admin' 'domain' 'plain' [Error 3]
2023-03-13 11:23:55 v-list-web-domain  'admin' 'domain' 'plain' [Error 3]
2023-03-13 11:23:55 v-add-web-domain  'admin' 'domain' '12.34.56.78' [Error 2]

jaapmarcus commented 1 year ago

Check /var/log/hestia/error.log

Make sure that you can accept cookies.

eltinh commented 1 year ago

checked the error.log as the log capture above, pls kindly advise... thx

jaapmarcus commented 1 year ago

And auth.log?

Mel0ne commented 1 year ago

Faced the same problem. Log files are clear. There is a feeling that some character or sequence of characters "breaks" the authorization. I have not been able to identify the pattern. After changing passwords 4-6 times, I managed to find a "working" one. For example, the password that "broke" my authorization: -Eb1fw_CXI_04JSkrYGVyoWkidAutDr9nA

jaapmarcus commented 1 year ago

Interesting one...

Can replicate it. What OS are you running at the moment?

Mel0ne commented 1 year ago

> Interesting one...
>
> Can replicate it. What OS are you running at the moment?

Debian 11, 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux

Mel0ne commented 1 year ago

I discovered this problem a month ago, but did not attach any importance to it because I worked from the terminal. Today I had to use the web panel, and began looking into it.

jaapmarcus commented 1 year ago

root@dev:/var/log/hestia# v-check-user-password admin "-Eb1fw_CXI_04JSkrYGVyoWkidAutDr9nA"
mkpasswd: invalid option -- 'E'
Try 'mkpasswd --help' for more information

mkpasswd "$password" "$salt"

To verify the password causes the issue

Mel0ne commented 1 year ago

> root@dev:/var/log/hestia# v-check-user-password admin "-Eb1fw_CXI_04JSkrYGVyoWkidAutDr9nA"
> mkpasswd: invalid option -- 'E'
> Try 'mkpasswd --help' for more information
>
> mkpasswd "$password" "$salt"
>
> To verify the password causes the issue

Great. In this case, the check for the presence of "-" and "--" at the beginning of the password is missing.

jaapmarcus commented 1 year ago

There is no reason to block the use of -- or - in passwords.

export PASS="$password" SALT="$shadow"
hash=$(python3 -c 'import crypt, os; print(crypt.crypt(os.getenv("PASS"), os.getenv("SALT")))');

This works fine; only need to verify if python(3) is installed...

jaapmarcus commented 1 year ago

Have created a PR to use python3 instead of mkpasswd...

eltinh commented 1 year ago

need to use python3 to change password on Hestia server??

jaapmarcus commented 1 year ago

No
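
The failure diagnosed in this thread is an argument-parsing one: the password is passed as a bare positional argument, so a leading `-` is read as an option. The script below is an added example, not part of the thread and not Hestia's code; `toy_hash` is a hypothetical stand-in for a getopt-style hashing CLI (its output is not a real hash) and the salt is a constructed value.

```shell
#!/bin/sh
# Added example, not Hestia code. toy_hash is a hypothetical stand-in for a
# getopt-style CLI called as: toy_hash [-m METHOD] [-s] [PASSWORD] SALT
# Its output is NOT a real password hash; only the argument handling matters.
toy_hash() (
    OPTIND=1 method=default from_stdin=0
    while getopts ":m:s" opt; do
        case "$opt" in
            m) method=$OPTARG ;;
            s) from_stdin=1 ;;
            *) exit 2 ;;    # unknown option, the "invalid option -- 'E'" case
        esac
    done
    shift $((OPTIND - 1))
    if [ "$from_stdin" -eq 1 ]; then
        [ $# -eq 1 ] || exit 2
        IFS= read -r pw     # one line from stdin, backslashes and spaces kept
        salt=$1
    else
        [ $# -eq 2 ] || exit 2
        pw=$1 salt=$2
    fi
    printf '%s$%s$%s\n' "$method" "$salt" "$(printf '%s' "$pw" | cksum | cut -d' ' -f1)"
)

# Pattern from the thread: the password is the first word after the command,
# so a leading "-" is parsed as an option.
hash_bare() { toy_hash "$1" "$2"; }

# "--" ends option parsing; everything after it is an operand.
hash_terminated() { toy_hash -- "$1" "$2"; }

# Secret goes over stdin, so it is never an argument at all.
hash_stdin() { printf '%s\n' "$1" | toy_hash -s -- "$2"; }

pw='-Eb1fw_CXI_04JSkrYGVyoWkidAutDr9nA'    # password quoted in the thread
for f in hash_bare hash_terminated hash_stdin; do
    if out=$("$f" "$pw" 'constructedsalt'); then
        echo "$f: ok   $out"
    else
        echo "$f: rejected (rc=$?)"
    fi
done
```

Passing the secret through stdin or the environment, as the python3 snippet in the thread does, also keeps it out of the process argument list.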