3354 [Bug]couldn't login with my admin password with the error message : invalid username or password (hestiacp#3356)

jaapmarcus · web-flow · commit 2616a6b89623 · 2023-03-17T11:01:42.000+01:00
* Fix hestiacp#3354 Replace mkpasswd with python3 * Add option via hestia.conf only to disable ip check In some rare cases some users reported experiencing "random" log outs due to random ip changes. This causes users to logout. As this is a security issue it is "disabled" by default and only change able via hestia.conf by the root user. * Update v-list-sys-config
diff --git a/bin/v-check-user-password b/bin/v-check-user-password
@@ -85,7 +85,14 @@ if [ -z "$salt" ]; then
 fi
 
 if [ "$method" = "yescrypt" ]; then
-	hash=$(mkpasswd "$password" "$shadow")
+	if which python3 > /dev/null; then
+		export PASS="$password" SALT="$shadow"
+		hash=$(python3 -c 'import crypt, os; print(crypt.crypt(os.getenv("PASS"), os.getenv("SALT")))')
+	else
+		# Fall back to mkpasswd as fallback
+		hash=$(mkpasswd "$password" "$shadow")
+	fi
+
 	if [ $? -ne 0 ]; then
 		echo "Error: password missmatch"
 		echo "$date $time $user $ip46 failed to login" >> $HESTIA/log/auth.log
diff --git a/bin/v-list-sys-config b/bin/v-list-sys-config
@@ -100,7 +100,8 @@ json_list() {
         "SERVER_SMTP_SECURITY": "'$SERVER_SMTP_SECURITY'",
         "SERVER_SMTP_USER": "'$SERVER_SMTP_USER'",
         "SERVER_SMTP_PASSWD": "'$SERVER_SMTP_PASSWD'",
-        "SERVER_SMTP_ADDR": "'$SERVER_SMTP_ADDR'"
+        "SERVER_SMTP_ADDR": "'$SERVER_SMTP_ADDR'",
+		"DISABLE_IP_CHECK": "'$DISABLE_IP_CHECK'"
     }
     }'
 }
diff --git a/func/syshealth.sh b/func/syshealth.sh
@@ -198,7 +198,7 @@ function syshealth_update_system_config_format() {
 	# SYSTEM CONFIGURATION
 	# Create array of known keys in configuration file
 	system="system"
-	known_keys="ANTISPAM_SYSTEM ANTIVIRUS_SYSTEM API_ALLOWED_IP API BACKEND_PORT BACKUP_GZIP BACKUP_MODE BACKUP_SYSTEM CRON_SYSTEM DB_PMA_ALIAS DB_SYSTEM DISK_QUOTA DNS_SYSTEM ENFORCE_SUBDOMAIN_OWNERSHIP FILE_MANAGER FIREWALL_EXTENSION FIREWALL_SYSTEM FTP_SYSTEM IMAP_SYSTEM INACTIVE_SESSION_TIMEOUT LANGUAGE LOGIN_STYLE MAIL_SYSTEM PROXY_PORT PROXY_SSL_PORT PROXY_SYSTEM RELEASE_BRANCH STATS_SYSTEM THEME UPDATE_HOSTNAME_SSL UPGRADE_SEND_EMAIL UPGRADE_SEND_EMAIL_LOG WEB_BACKEND WEBMAIL_ALIAS WEBMAIL_SYSTEM WEB_PORT WEB_RGROUPS WEB_SSL WEB_SSL_PORT WEB_SYSTEM VERSION"
+	known_keys="ANTISPAM_SYSTEM ANTIVIRUS_SYSTEM API_ALLOWED_IP API BACKEND_PORT BACKUP_GZIP BACKUP_MODE BACKUP_SYSTEM CRON_SYSTEM DB_PMA_ALIAS DB_SYSTEM DISK_QUOTA DNS_SYSTEM ENFORCE_SUBDOMAIN_OWNERSHIP FILE_MANAGER FIREWALL_EXTENSION FIREWALL_SYSTEM FTP_SYSTEM IMAP_SYSTEM INACTIVE_SESSION_TIMEOUT LANGUAGE LOGIN_STYLE MAIL_SYSTEM PROXY_PORT PROXY_SSL_PORT PROXY_SYSTEM RELEASE_BRANCH STATS_SYSTEM THEME UPDATE_HOSTNAME_SSL UPGRADE_SEND_EMAIL UPGRADE_SEND_EMAIL_LOG WEB_BACKEND WEBMAIL_ALIAS WEBMAIL_SYSTEM WEB_PORT WEB_RGROUPS WEB_SSL WEB_SSL_PORT WEB_SYSTEM VERSION DISABLE_IP_CHECK"
 	write_kv_config_file
 	unset system
 	unset known_keys
@@ -476,9 +476,13 @@ function syshealth_repair_system_config() {
 		$BIN/v-change-sys-config-value "POLICY_CSRF_STRICTNESS" "1"
 	fi
 	if [[ -z $(check_key_exists 'DNS_CLUSTER_SYSTEM') ]]; then
-		echo "[ ! ] Adding missing variable to hestia.conf: DNS_CLUSTER_SYSTEM ('')"
+		echo "[ ! ] Adding missing variable to hestia.conf: DNS_CLUSTER_SYSTEM ('hestia')"
 		$BIN/v-change-sys-config-value "DNS_CLUSTER_SYSTEM" "hestia"
 	fi
+	if [[ -z $(check_key_exists 'DISABLE_IP_CHECK') ]]; then
+		echo "[ ! ] Adding missing variable to hestia.conf: DISABLE_IP_CHECK ('no')"
+		$BIN/v-change-sys-config-value "DISABLE_IP_CHECK" "no"
+	fi
 
 	touch $HESTIA/conf/hestia.conf.new
 	while IFS='= ' read -r lhs rhs; do
diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
@@ -2103,6 +2103,7 @@ write_config_value "SERVER_SMTP_USER" ""
 write_config_value "SERVER_SMTP_PASSWD" ""
 write_config_value "SERVER_SMTP_ADDR" ""
 write_config_value "POLICY_CSRF_STRICTNESS" "1"
+write_config_value "DISABLE_IP_CHECK" "no"
 
 # Add /usr/local/hestia/bin/ to path variable
 echo 'if [ "${PATH#*/usr/local/hestia/bin*}" = "$PATH" ]; then
diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
@@ -2154,6 +2154,7 @@ write_config_value "SERVER_SMTP_USER" ""
 write_config_value "SERVER_SMTP_PASSWD" ""
 write_config_value "SERVER_SMTP_ADDR" ""
 write_config_value "POLICY_CSRF_STRICTNESS" "1"
+write_config_value "DISABLE_IP_CHECK" "no"
 
 # Add /usr/local/hestia/bin/ to path variable
 echo 'if [ "${PATH#*/usr/local/hestia/bin*}" = "$PATH" ]; then
diff --git a/web/inc/main.php b/web/inc/main.php
@@ -66,7 +66,11 @@ function destroy_sessions() {
 }
 
 // Checking user to use session from the same IP he has been logged in
-if ($_SESSION["user_combined_ip"] != $user_combined_ip && isset($_SESSION["user"])) {
+if (
+	$_SESSION["user_combined_ip"] != $user_combined_ip &&
+	isset($_SESSION["user"]) &&
+	$_SESSION["DISABLE_IP_CHECK"] != "yes"
+) {
 	$v_user = quoteshellarg($_SESSION["user"]);
 	$v_session_id = quoteshellarg($_SESSION["token"]);
 	exec(HESTIA_CMD . "v-log-user-logout " . $v_user . " " . $v_session_id, $output, $return_var);

Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,8 @@ json_list() {`
`100`	`100`	`"SERVER_SMTP_SECURITY": "'$SERVER_SMTP_SECURITY'",`
`101`	`101`	`"SERVER_SMTP_USER": "'$SERVER_SMTP_USER'",`
`102`	`102`	`"SERVER_SMTP_PASSWD": "'$SERVER_SMTP_PASSWD'",`
`103`		`- "SERVER_SMTP_ADDR": "'$SERVER_SMTP_ADDR'"`
	`103`	`+ "SERVER_SMTP_ADDR": "'$SERVER_SMTP_ADDR'",`
	`104`	`+ "DISABLE_IP_CHECK": "'$DISABLE_IP_CHECK'"`
`104`	`105`	`}`
`105`	`106`	`}'`
`106`	`107`	`}`