Demo Discussion
Forum Config Examples Contributions Vulnerabilities
  Discussion forum about ELOG  Not logged in ELOG logo
icon8.gif   User passwords not configurable with loacl passwordfile, posted by KaterKarlo99 on Tue Feb 27 15:11:23 2018 
    icon2.gif   Re: User passwords not configurable with loacl passwordfile, posted by Stefan Ritt on Tue Feb 27 15:32:30 2018 
       icon2.gif   Re: User passwords not configurable with loacl passwordfile, posted by KaterKarlo98 on Wed Feb 28 11:38:23 2018 
          icon2.gif   Re: User passwords not configurable with loacl passwordfile, posted by KaterKarlo99 on Mon Mar 5 14:10:52 2018 
             icon2.gif   Re: User passwords not configurable with loacl passwordfile, posted by Stefan Ritt on Mon Mar 5 14:29:26 2018 
                icon2.gif   Re: User passwords not configurable with loacl passwordfile, posted by KaterKarlo99 on Mon Mar 5 14:44:58 2018 
Message ID: 68750     Entry time: Mon Mar 5 14:10:52 2018     In reply to: 68749     Reply to this: 68751
Icon: Reply  Author: KaterKarlo99  Author Email: katerkarlo99@gmail.com 
Category: Bug report  OS: Linux | Windows  ELOG Version: 3.1.3.1 
Subject: Re: User passwords not configurable with loacl passwordfile 

I'm afraid that there is something wrong because each user will be written with the same (hashed) password to the local password file,
irrespective of the given password within the "new User dialog".

So for instance, every user in my password file lokks like this:

    <name>TestUser1</name>
    <password encoding="SHA256">3c2QQ0KjIU1OLtB29cl8Fplc2WN7X89bnoEjaR7tWu.</password>
    <full_name>TEST User</full_name>
    <last_logout>0</last_logout>
    <last_activity>0</last_activity>
    <email>test@heaven.org</email>
    <inactive>0</inactive>
    <email_notify/>
  </user>
 

"password encoding" has got the same value for each user after creating them with their own passwords....

That's the main issue i have, because i don't know this password and can't set a known one....

frustrating....

any help would be appreciated

 

 

KaterKarlo98 wrote:

Hi Stefan,

thanks for the quick reply.

Yes, i've configured user-level access. Here is my cfg:

[global]
port = 9191
Usr = abc
Grp = abc
SMTP host = mail.xy.at
Protect Selection page =  1
Password file = elog_pw.xml
Logfile = elog_log.txt
Logging level = 2
Admin user = User1, Admin
Self register = 2
Restrict edit = 1
Allow password change = 1

[demo]
Theme = default
Authentication = Kerberos
Comment = General Linux Tips & Tricks
Attributes = Author, Type, Category, Subject
Options Type = Routine, Software Installation, Problem Fixed, Configuration, Oth                                                          er
Options Category = General, Hardware, Software, Network, Other
Extendable Options = Category
Required Attributes = Author, Type
Page Title = ELOG - $subject
Reverse sort = 1
Quick filter = Date, Type

And, yes, the password file is r7w accessible for the elogd:
[root@localhost logbooks]# cat elog_pw.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- created by MXML on Tue Feb 27 14:54:52 2018 -->
<list>
  <user>
    <name>Admin</name>
    <password encoding="SHA256">3c2QQ0KjIU1OLtB29cl8Fplc2WN7X89bnoEjaR7tWu.</password>
    <full_name>Admin</full_name>
    <last_logout>0</last_logout>
    <last_activity>0</last_activity>
    <email>admin@hell.org</email>
    <inactive>0</inactive>
    <email_notify/>
  </user>
  <user>
    <name>TestUser1</name>
    <password encoding="SHA256">3c2QQ0KjIU1OLtB29cl8Fplc2WN7X89bnoEjaR7tWu.</password>
    <full_name>User1</full_name>
    <last_logout>0</last_logout>
    <last_activity>0</last_activity>
    <email>test@heaven.org</email>
    <inactive>0</inactive>
    <email_notify/>
  </user>
</list>
 

br, Rainer

 

Stefan Ritt wrote:

Have you configures user-level access via

password file = anyfile.pwd

Can your elogd server write to that file?

If yes, can you please post your config file?

Stefan

KaterKarlo99 wrote:

Hi!

Tryed windows an linux version. On booth the "Register new User" dialog is not displaying a password line.
so what password is used for the new user? Further the user can't change his password, because he didn't know the old one.

And if an admin user trys to change the password of an other user, a error is displyed that the old password of the admin user is
wrong and nothing happens with the password of the non-admin user.

elog console (admin user awrzkrz changes the password of testuser1):

GET /demo/?cmd=Config&config=TestUser1&cfgpage=1&admin=1&cfg_user=TestUser1&active=1&new_user_name=TestUser1&new_full_name=TEST+User&new_user_email=test%40heaven.org&cmd=Change+password HTTP/1.1
Returned 1032 bytes
GET /demo/?config=TestUser1&newpwd=test1234&newpwd2=test1234 HTTP/1.1
Returned 20 bytes
GET /demo/?cmd=Change%20password&config=awrzkrz&fail=1 HTTP/1.1
Returned 1215 bytes
 

Thanks for help!

 

 

 

 

ELOG V3.1.5-3fb85fa6