webmin: Unable to login or change password
Webmin version:
- 1.960 installed from downloaded .deb file
- 1.96211111032 installed using `update-from-repo.sh`
Linux version:
$ lsb_release -a
LSB Version: core-9.20170808ubuntu1-noarch:security-9.20170808ubuntu1-noarch
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
$ uname -a
Linux virtual-srv 4.15.0-122-generic #124-Ubuntu SMP Thu Oct 15 13:02:56 UTC 2020 i686 i686 i686 GNU/Linux
The install is not new, I had it running for years and kept updated through the UI. It is a qemu VM running on Proxmox v. 6.2-15 (not sure it matters). Today, after changing my linux user password using passwd in a ssh session, logging in using that username was no longer possible. Root login is disabled, there is no other user available to test, although I can create it if necessary.
Steps to reproduce:
- Change linux password using `passwd` in a ssh session;
- Try to login to Webmin version 1.960 using the newly changed password: got Login failed error;
- Change webmin password using `changepass.pl` in a ssh session; made it a really simple and short password to avoid typing mistakes;
- Try to login again; got past the login page and onto the page saying You must select a new password to replace your temporary login.
- Used the short and simple password as the current password, another similarly simple and short one for the new password;
- On form submit, devtools console briefly displays a (probably unrelated) error: `Uncaught ReferenceError: $ is not defined at spinner (session_login.cgi:256) at HTMLFormElement.onsubmit (session_login.cgi:28)`; POST to `password_change.cgi` responds with `Status Code: 200 Document follows`, the page displays only the error message Failed to change password : The current password is incorrect.
I was completely unable to get past this step no matter what combination of current/new passwords I used, or how many times I rebooted the machine and/or restarted webmin and/or changed password both for the linux and webmin user. There’s always the same error. I don’t understand how the current password could be incorrect since I got past the login screen…
Updating to the development version using update-from-repo.sh made absolutely NO difference.
Please let me know what other information you need to debug this issue, I will be more than happy to assist. Thank you.
About this issue
- State: closed
- Created 4 years ago
- Comments: 16
Commits related to this issue
- Use `encrypt_password` in the right context https://github.com/webmin/webmin/issues/1324 — committed to webmin/webmin by iliajie 4 years ago
- Use correct function to validate a password https://github.com/webmin/webmin/issues/1324 — committed to webmin/webmin by jcameron 4 years ago
@jcameron The source of the problem is this.
If Webmin Configuration > Authentication > Webmin password hashing format is set to crypt - all is fine, because this is the format that changepass.pl utility uses. However, this utility disregards MD5 and SHA512. It means that if option `md5pass` is set to `1` (MD5) or `2` (SHA512) it wouldn’t work, as the password that is created with this tool is always in crypt format.
It never occurred to me that the login page could use a different hashing algorithm than the change password page… maybe because it shouldn’t happen? 😉
I can confirm: changing `md5pass=1` to `md5pass=2` in `/etc/webmin/config` and restarting webmin solves the issue. I successfully changed the password and subsequently logged in using the changed password.
Thank you for your help. And thank you for your work on this great project!
… or @jcameron perhaps password change tool should consider hashing mechanism set in config?
As a workaround, change the option mentioned above in `/etc/webmin/config` and restart Webmin with the `/etc/webmin/restart` command.
Easily. Plain text password must be hashed first and two hashed strings compared (stored and newly supplied). If hashing mechanism is different, then produced strings are also not going to match.
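The mismatch discussed in this thread can be spotted offline by comparing the format of each stored hash with the scheme that `md5pass` selects. The script below is an added example, not part of the original thread and not Webmin's code; the `name:hash` record layout, the treatment of any `md5pass` value other than 1 or 2 as crypt, and all sample data are assumptions made for the illustration.

```python
import re

# md5pass values 1 (MD5) and 2 (SHA512) are from the thread; treating any other
# value, or a missing key, as traditional crypt is an assumption of this example.
SETTING_TO_SCHEME = {"1": "md5", "2": "sha512"}

# crypt(3) layouts: the stored hash itself reveals which scheme produced it.
B64 = r"[./0-9A-Za-z]"
HASH_PATTERNS = [
    ("md5", re.compile(rf"\$1\${B64}{{1,8}}\${B64}{{22}}")),
    ("sha512", re.compile(rf"\$6\$(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{86}}")),
    ("crypt", re.compile(rf"{B64}{{13}}")),
]

def configured_scheme(config_text):
    """Return the scheme selected by md5pass= in key=value config text."""
    for line in config_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "md5pass":
            return SETTING_TO_SCHEME.get(value.strip(), "crypt")
    return "crypt"

def stored_scheme(stored_hash):
    """Classify a stored hash by its layout, independent of any config."""
    for name, pattern in HASH_PATTERNS:
        if pattern.fullmatch(stored_hash):
            return name
    return "unknown"

def find_mismatches(config_text, user_records):
    """Return (user, stored, configured) for hashes not in the configured format."""
    expected = configured_scheme(config_text)
    mismatches = []
    for record in user_records:
        fields = record.strip().split(":")
        if len(fields) < 2:
            continue  # malformed record, nothing to classify
        actual = stored_scheme(fields[1])
        if actual != expected:
            mismatches.append((fields[0], actual, expected))
    return mismatches

# Constructed sample data: placeholder strings with the right layout, not real hashes.
SAMPLE_CONFIG = "other=1\nmd5pass=1\n"
SAMPLE_USERS = [
    "alice:" + "a" * 13,                      # traditional crypt layout
    "bob:$1$saltsalt$" + "b" * 22,            # MD5 layout
    "carol:$6$saltsaltsaltsalt$" + "c" * 86,  # SHA512 layout
]
```

Any account returned by `find_mismatches` is one where a verifier that re-hashes with the configured scheme would reject the correct password, which is the symptom reported above.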