Zammad: User password reset doesn't work - user not able to login

Created on 20 Feb 2017  ·  20 comments  ·  Source: zammad/zammad

After updating from Zammad 1.2 to 1.3 we have an issue.

When an Agent logs out of Zammad, he can't log in anymore.
Username / Password Wrong

From the Zammad Production log:

INFO -- : Parameters: {"username"=>"[email protected]", "password"=>"[FILTERED]", "fingerprint"=>"1879163988", "session"=>{"username"=>"[email protected]", "password"=>"[FILTERED]", "fingerprint"=>"1879163988"}}
INFO -- : Can't connect to 'localhost', Connection refused - connect(2) for 127.0.0.1:389

We never used an LDAP server?!?

Infos:

  • Used Zammad version: 1.3 (latest from CentOS repo)
  • Operating system: (MacOS)
  • Browser + version: Chrome, Firefox (latest)
bug

All 20 comments

Same problem for me.

Resetting the password for a user in admin also does not work.
Reset password via email works and users now can log back in without problem.

We did change the crypt algorithms but old passwords should be compatible.

@thorsteneckel any ideas?

PS: Zammad already has a simple LDAP auth backend (since 1.0). This has not changed in 1.3, you can ignore the "Connection refused" message for now.

Resetting the password for a user in admin also does not work.

Same here

Reset password via email works and users now can log back in without problem.

This works

🤔 I'll have a look! Sorry for the circumstances.

We reviewed the changes again and tried to reproduce the behavior. Everything works as expected :/

Can you take a look at your DB: Are there PWs starting with {sha2}? Is the login possible for those users? There should be no password hashes not starting with {sha2} or $argon2i$. Can you confirm that?

Would it be possible to have a remote session to take a look at the system and db to check for differences? You can contact us via [email protected] .

What we did:

  • Insert SHA2 hash for PW 'test123' ({sha2}ecd71870d1963316a97e3ac3408c9835ad8cf0f3c1bc703527c30265534f75ae) into the database for a test user
  • Confirm DB hash as user pw via rails console ✅
  • Try to login with PW 'test123' ✅
  • Change PW of user via admin user in the admin interface ✅

Would be great to know where this comes from.... 🤔

Almost all of our agents have "$argon2i$" passwords in the database. Resetting in the user administration does not work for these.

Ah ok! I thought we had some issues with the legacy SHA2 support. Strange. Did any of you have issues while updating? I ask because Zammad generates a random secret which is used for the password generation. This secret should only get set once and shouldn't change anymore -> otherwise it will break all passwords 💡 I can't see any situation in a regular setup where this secret changes after it is set once. I have a feeling that this is the root cause but I'm not able to tell why.

JFI: Still not able to reproduce it. Thanks to @michilehr for the data though... 👍

@michilehr @jannheider is there any chance that you had some issues or uncommon behavior while setting up or updating the database / the system? Like setup, usage, setup again? Or transferring the user table from one Zammad instance into another?

@shakalandy ?

We never had issues while updating, we are using Zammad since first release.
Installed from CentOS repository on a clean server where nothing else was installed.
No user table transfer.

It is very plausible that there might be an issue with the secret key.
Anyway, why are we not able to reset a user's password in admin? Only resetting the password via email works.

Very strange. I can't reproduce the admin PW reset issue either 🤔 Would a remote session (TeamViewer oe) be possible to have a look at the system? @jannheider

Same for us. I would be happy to give you a TeamViewer session @thorsteneckel

Thanks @michilehr for the support on this one. I think we found the cause: The login_failed count won't get reset after a password changes. So the user will never be able to login again 🤖

@jannheider can you confirm this? Can you check if the login_failed count for the affected User is above the limit? You can validate this only by looking in the database: Table users column login_failed. Would be great to get feedback to ensure it's only this one bug.

We'll get on to this and fix it.

@thorsteneckel
I can confirm this.
User who can't login anymore -> login_failed count > 11

Reset password with "reset password via email", User can login again and login_failed count = 0
Tested several times

Would be nice to see this in the GUI, that the user is blocked because of too many failed logins ;)

Thanks for debugging this!

@thorsteneckel thanks for your effort 👍

Thanks for your support guys. Should be fixed with the commit above. Feedback is welcome 🚀

Sorry guys, I just installed Zammad (Debian 9, repo) and I got the same error. First login went fine but now no user can login. All passwords start with $argon2i$. Any ideas? :(

Hi @fbaeumer - please create a new issue and fill out the template since this here is resolved since quite a while.

I am working with AdminLTE and the update login password is not working correctly.
