Changing password in the admin panel leads to that the user cannot login at all anymore
famedly-bot opened this issue · comments
In GitLab by @nikzen on Nov 16, 2022, 16:47
Summary
If you change the password in the admin panel, you cannot login with the password anymore.
Steps to reproduce
- change password of user in the admin panel
- user cannot login with the new password / user cannot login with the old password
Log
UIA Proxy
Nov-16 15:40:06.975 [StageHandler (login)] info: Handling GET endpoint...Show context
Nov-16 15:40:06.176 [StageHandler (login)] info: Fetching parameters...
Nov-16 15:40:06.172 [StageHandler (login)] info: User didn't manage to complete this stage
Nov-16 15:40:06.172 [PasswordProvider Ldap] info: Invalid username/password
Nov-16 15:40:06.172 [PasswordProvider Ldap] info: getLoginInfo: Could not find or authenticate test_niklas, aborting
Nov-16 15:40:06.171 [PasswordProvider Ldap] info: ldap: Invalid username/password for dn=uid=test_niklas,ou=users,dc=dev-alpha,dc=famedly,dc=de
Nov-16 15:40:06.129 [PasswordProvider Ldap] info: Checking password for test_niklas...
Nov-16 15:40:06.128 [StageHandler (login)] info: Stage is valid
Nov-16 15:40:06.127 [StageHandler (login)] info: Requesting stage m.login.password...
Nov-16 15:40:06.126 [StageHandler (login)] info: Got request
Admin API
Nov-16 15:42:54.736 [Ldap] verbose: disconnecting adminShow context
Nov-16 15:42:54.736 [Ldap] verbose: uid=test_niklas,ou=users,dc=dev-alpha,dc=famedly,dc=de is in cn=admins,ou=groups,dc=dev-alpha,dc=famedly,dc=de: true
Nov-16 15:42:54.732 [Ldap] verbose: is member "uid=test_niklas,ou=users,dc=dev-alpha,dc=famedly,dc=de" in group "cn=admins,ou=groups,dc=dev-alpha,dc=famedly,dc=de"?
Nov-16 15:42:54.700 [Ldap] verbose: findUser username=test_niklas in ou=users,dc=dev-alpha,dc=famedly,dc=de
Nov-16 15:42:54.693 [Ldap] verbose: changeUser: for uid=test_niklas,ou=users,dc=dev-alpha,dc=famedly,dc=de set userPassword={SSHA}wKjFfEAMikVjaUg7DTMHTvFYGKYXwpCvUgeX\\+CaE/8vrlkXTrzygyTXLh92s2gw5DxeAMA==
Nov-16 15:42:54.685 [Ldap] verbose: Altering user with uid test_niklas
Nov-16 15:42:54.685 [Ldap] verbose: uid=test_niklas,ou=users,dc=dev-alpha,dc=famedly,dc=de is in cn=admins,ou=groups,dc=dev-alpha,dc=famedly,dc=de: true
Nov-16 15:42:54.681 [Ldap] verbose: is member "uid=test_niklas,ou=users,dc=dev-alpha,dc=famedly,dc=de" in group "cn=admins,ou=groups,dc=dev-alpha,dc=famedly,dc=de"?
Nov-16 15:42:54.640 [Ldap] verbose: findUser username=test_niklas in ou=users,dc=dev-alpha,dc=famedly,dc=de
Nov-16 15:42:54.639 [Ldap] verbose: successfully bound user=admin with dn="uid=admin,ou=users,dc=dev-alpha,dc=famedly,dc=de"
Nov-16 15:42:54.634 [Ldap] verbose: trying to bind dn=uid=admin,ou=users,dc=dev-alpha,dc=famedly,dc=de for user=admin with given password
Nov-16 15:42:54.631 [Ldap] verbose: found dn=uid=admin,ou=users,dc=dev-alpha,dc=famedly,dc=de for user=admin
Nov-16 15:42:54.618 [Ldap] verbose: searching with bindUser for admin
Nov-16 15:42:54.610 [Ldap] verbose: binding with bindUser=uid=admin-api,ou=services,dc=dev-alpha,dc=famedly,dc=de
Nov-16 15:42:54.599 [Ldap] verbose: trying to authenticate admin
Service & Version
- Admin API
- Admin Panel
- UIA Proxy
Platform
- Chrome
Severity
Here are some questions to guide you:
- Is the feature still working? No
- Are other feature affected by the bug? Yes
- Can the bug be workarounded? No
Possible fixes
DoR - Checklist
- The issue title and description is explained in English language.
- Description of current and expected behavior is understood.
- If necessary, reproduction steps are included.
- Every attached media (if applicable) includes a short description.
- Bug can be reproduced in the latest development version.
- Severity is understood.
- Responsible squad has been identified (Issue is labeled)
- There is a list of affected components if needed.
- There is an estimate on the effort to fix the bug.
In GitLab by @lrsksr on Dec 5, 2022, 13:48
To which passwords are you trying to change? I can reproduce with passwords that are very weak, but not with higher entropy passwords.
At first I suspected that LDAP refuses the weak passwords, but it only gets a hash, so it shouldn't be able to tell.
In GitLab by @jdreichmann on Dec 7, 2022, 14:12
Is this only from the admin-panel or also via UIA proxy?
In GitLab by @nikzen on Dec 9, 2022, 09:49
This is also not possible using the app
In GitLab by @jcgruenhage on Jan 12, 2023, 10:54
Ran into this one yesterday while resetting a password, and others have reported this as well, we should look into this some more.
In GitLab by @jcgruenhage on Jan 12, 2023, 10:55
Loglevel has been increased, and @agraven and @kate-shine have been granted access to the test machines.
In GitLab by @ghost on Jan 12, 2023, 11:06
What should I tell the customer, when this will be fixed? Can you give an assessment?
In GitLab by @agraven on Jan 12, 2023, 11:14
I'm attempting to gather enough information to give an estimate now
In GitLab by @ghost on Jan 12, 2023, 11:15
thx a lot!
In GitLab by @agraven on Jan 12, 2023, 12:16
Research notes: Something that's not the password the end user typed is getting fed to the hashing algorithm. The logs print what the resulting hash of the password is when it's reset. I tried resetting the password of a test user in integration-tests
and verifying it by hand, which didn't work.
To illustrate, I did a reset with which resulted in the hash {SSHA}QEF8NmR/JZ\\+JRRFMHXMGoRXPcqms8c9HpAW5FG99oz49xcLVp7WB913ys/WOyY\\+NDBWUMQ==
and ran the following in the Node.JS REPL:
> const ssha = require('ssha')
undefined
> const password = <redacted>
undefined
> ssha.verify(password, '{SSHA}QEF8NmR/JZ\\+JRRFMHXMGoRXPcqms8c9HpAW5FG99oz49xcLVp7WB913ys/WOyY\\+NDBWUMQ==')
false
> ssha.verify(password, ssha.create(password))
true
(I probably don't need to redact he password here, but I'm erring on the side of caution.)
I have yet to determine if the input password is getting modified in the frontend or the backend
In GitLab by @agraven on Jan 12, 2023, 12:18
Ok, have verified it's in the backend somewhere
In GitLab by @agraven on Jan 12, 2023, 13:20
The source of the issue has been narrowed down a good bit, but it's exact cause is proving very hard to find. If I'm lucky it could take only a few days to fix, but worst case it may take a whole week.
In GitLab by @nikzen on Jan 16, 2023, 11:59
mentioned in issue undefined##undefined
In GitLab by @nikzen on Jan 16, 2023, 19:27
Okay I found the root-cause of the issue:
It seems that sometimes the new password hash consists of \\
Everytime when this is the case, it is not possible to login again:
Broken:
userPassword={SSHA}n4pY8IG4fYldzbdyMpfJW11ilQa674IuZPGLF/zcZShWfWs7nlW\\+pDilXQYq4Q\\+XyQ9FYw==
userPassword={SSHA}0VafBSqL8qhnUFIK\\+J9kvqW7aZmWBaomE331PQpPDUeCzmX6VX75rcvpyQcHOjyxTbcP8g==
userPassword={SSHA}1R8olnsRHZm/V9GC89rKDh2bNCk9E7c2Wn/Yz\\+LoDayypFlX/zYAjsLduMD1yvhhw8E\\+yQ==
Not Broken:
userPassword={SSHA}vkb1RL75LQcgd6nTyXScUcGeeNMPodZbUXMpu430OohrjEoxdZzkk2QZvri44jcniQgNoA==
userPassword={SSHA}pdqplkkwwimHIe5cVTiZUruueXEkovQPHQxvNQBhMQiEqFDT3yA9dtOoll0vTGiho3blsQ==
It seems, that the hash is not properly escaped. To fix the issue, we should think about to implemnt ppolicy on the openldap side and send the password as plaintext to the ldap. This change would need to be implemented:
- admin-api
- openldap
- uia-proxy
In GitLab by @nikzen on Jan 16, 2023, 19:28
made the issue confidential
In GitLab by @nikzen on Jan 16, 2023, 19:28
moved from undefined##undefined
In GitLab by @nikzen on Jan 17, 2023, 09:05
moved to admin-api#56