• [6.7.2] Can't login as root after changing password via Webgui


    m4ck5h4ck
    • Minor

    Steps to reproduce:

     

    1. Go to the webgui > users > root

    2. Change the root password to the following (this was a randomly generated password from a password manager and was only used for this purpose, therefore I am comfortable posting it here):

    !N'z"':^0zywte8yHUi#,@|gmZ"=i9

    After performing the above steps, I'm unable to log into the webgui as root or ssh into the box as root using the password listed above. Logging into the console similarly fails.

     

    The only way I was able to get back into the webgui was to power down and manually remove the password hash from the shadow file.

     

    Below is the password hash I removed from the shadow file:

    $5$MRoRGFWJT$cyvo9u.sQdRALjCYjx4hz23KeMnkydMyZELhrrlmxb7

    I'm assuming it has something to do with the special characters used as mentioned in the below thread:

     

    Edit: I initially had my diagnostics folder uploaded, but it was pointed out to me there was some personal information I'm not comfortable posting publicly. I will happily provide the zip to the appropriate staff!

     

     





    Quote

    I initially had my diagnostics folder uploaded, but it was pointed out to me there was some personal information I'm not comfortable posting publicly. I will happily provide the zip to the appropriate staff!

    It would be interesting to know what type of information this was as the Diagnostics are meant to be anonymised to avoid exactly this issue. Maybe there is some further tweak needed.

    Link to comment
    5 hours ago, bonienl said:

    Do not use quotes in your password.

    I think the point of this report is to complain that the webgui should give an error message and refuse to complete the change when entering a non-valid password instead of accepting it and causing a lock out condition.

    Link to comment
    8 hours ago, bonienl said:

    Do not use quotes in your password.

     

    Are you seriously implying that the unraid core development team doesn't know enough about accepting user input to accept quotes for a password? This is an entry-level thing guys; it shouldn't take long to fix at all.

    Link to comment
    8 hours ago, bonienl said:

    Do not use quotes in your password.

     

    And please change priority, this is not urgent.

    Thank you for your reply, priority has been changed to minor.

    4 hours ago, itimpi said:

    It would be interesting to know what type of information this was as the Diagnostics are meant to be anonymised to avoid exactly this issue. Maybe there is some further tweak needed.

    The one most concerning to me was that the running list of processes leaked the VPN IP address one of my dockers is connecting to.

     

    The other things were a customized Unraid server name (should be switched to tower as part of the anonymization process IMO) as well as a few share names.

    3 hours ago, jonathanm said:

    I think the point of this report is to complain that the webgui should give an error message and refuse to complete the change when entering a non-valid password instead of accepting it and causing a lock out condition.

    This is exactly the point of the report.

     

    I don't love the answer of "Don't use quotes in your password"; nonetheless, I agree with jonathanm that some validation that rejects invalid passwords would be nice.

    Edited by MrMackShack
    Changed wording to sound nicer
    Link to comment

    This has been fixed for 6.8-rc5, that is passwords can contain single and double quotes.

    Something to be aware of is how white space (space and tab characters) in passwords is handled:

    • all leading and trailing white space is discarded
    • multiple embedded white space is collapsed to a single space character.

    By contrast, encryption passphrase is used exactly as-is.

    • Thanks 1
    Link to comment
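
    The whitespace rule described in the comment above, together with the refuse-instead-of-silently-accept check asked for earlier in the thread, as an added example. This is not Unraid's code and not part of any poster's comment; the function names and the sample passwords (other than the one quoted from the report) are constructed for illustration.

```python
import re

# Runs of space/tab characters, the only characters the comment above calls white space.
_WS_RUN = re.compile(r"[ \t]+")

def normalize_login_password(typed):
    """Apply the described rule: discard leading/trailing white space and
    collapse embedded runs to one space. (The encryption passphrase, by
    contrast, is described as being used exactly as-is.)"""
    return _WS_RUN.sub(" ", typed.strip(" \t"))

def check_before_set(typed):
    """Return reasons to refuse a password change up front, so the user is
    never left with a stored password that differs from what was typed."""
    effective = normalize_login_password(typed)
    if effective == "":
        return ["password is empty after white space is discarded"]
    if effective != typed:
        return ["stored password would differ from what was typed"]
    return []

def collisions(candidates):
    """Group typed passwords that become identical after normalization."""
    groups = {}
    for candidate in candidates:
        groups.setdefault(normalize_login_password(candidate), []).append(candidate)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Password quoted in the report: quotes only, no white space, so it is unchanged.
REPORT_PW = "!N'z\"':^0zywte8yHUi#,@|gmZ\"=i9"

# Constructed sample inputs.
SAMPLES = ["correct horse", "  correct horse ", "correct \t  horse", REPORT_PW, " " * 18]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(repr(pw), "->", repr(normalize_login_password(pw)), check_before_set(pw))
    print("collisions:", collisions(SAMPLES))
```

    Three differently typed inputs end up as the same login password, and the all-spaces input ends up empty, which is why a check at change time is more useful than silent normalization.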
    1 hour ago, limetech said:

    This has been fixed for 6.8-rc5, that is passwords can contain single and double quotes.

    Something to be aware of is how white space (space and tab characters) in passwords is handled:

    • all leading and trailing white space is discarded
    • multiple embedded white space is collapsed to a single space character.

    By contrast, encryption passphrase is used exactly as-is.

    I protest this decision! It is unacceptable that I can't use my niche password "                  ". 😂

    Link to comment
    1 hour ago, testdasi said:

    I protest this decision! It is unacceptable that I can't use my niche password "                  ". 😂

    Imagine rainbow tables full of empty passwords with only your year of birth at the end 😂

    Link to comment
    3 hours ago, limetech said:

    This has been fixed for 6.8-rc5, that is passwords can contain single and double quotes.

    Something to be aware of is how white space (space and tab characters) in passwords is handled:

    • all leading and trailing white space is discarded
    • multiple embedded white space is collapsed to a single space character.

    By contrast, encryption passphrase is used exactly as-is.

    Awesome, glad to hear it!

    Link to comment
    2 minutes ago, MrMackShack said:

    Awesome, glad to hear it!

    I'm not really happy with this solution because I think password handling should be the same as encryption passphrase handling: what you type exactly is exactly what is used, even if you have leading/trailing spaces and/or multiple spaces in a row. But this will require more changes than I was willing to do and test before releasing this -rc5. At least the reported issue with quote chars in passwords is addressed.

    • Like 1
    Link to comment




  • Status Definitions

    Open = Under consideration.
    Solved = The issue has been resolved.
    Solved version = The issue has been resolved in the indicated release version.
    Closed = Feedback or opinion better posted on our forum for discussion. Also for reports we cannot reproduce or need more information. In this case just add a comment and we will review it again.
    Retest = Please retest in latest release.

    Priority Definitions

    Minor = Something not working correctly.
    Urgent = Server crash, data loss, or other showstopper.
    Annoyance = Doesn't affect functionality but should be fixed.
    Other = Announcement or other non-issue.