After password change 504 on user login and console user password wrong

Support
,
1

What type of hardware are you using: Internet Cube with VPN
What YunoHost version are you running: 12.0.11
How are you able to access your server: The webadmin
SSH
Direct access via physical keyboard/screen
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: /

Describe your issue

English:

Hello everyone! :smiley:

The main objective was to change the password for Myuser with new-password
I did that through the webadmin interface (with Myuser logged in) in Users>Myuser>Edit Myuser account> password and confirm

Note : Myuser is in the admin group
After that done, several unexpected things happened:

  • Connected with SSH (keys) with my Myuser, impossible to use sudo or the new-password (failed and emailed root that it failed)
  • Same situation as above, with old-password: incorrect password
  • Connection with serial directly on the board: Impossible to login with Myuser (still able to use root if needed)
  • Login in the User portal with Myuser new-password: 504 error.
  • Login in webadmin with Myuser: OK! but first time that the message “Waiting for the server response
” appears on webadmin login in my yunohost experience
  • All the api connections (calendars baikal, email, xmpp, 
 ) are working with new-password
  • Changing the password again is giving same issues as above

Workaround solution on User portal: Increase timeout in nginx for the 504, but it’s not de root of the issue I believe.
Where to look (from my limited expertise):

  • slapd/ LDAP doesn’t set the system password correctly
 hash not ok/different in pwd?
  • Changing the password of Myuser through the webadmin while having the Myuser connected creates conflict?
  • Try to change the password in the system/linux where it seem different than the rest? knowing all the apps are working besides the linux user.
  • Is there a link between the password (length? special characters?..) and the different places it has to be set?

French:

Bonjour a tous! :smiley:

Le principal objectif a atteindre ici etait de changer le mot de passe pour Myuser par nouveau-mdp
J’ai fait ca en utilisant l’interface webadmin du site (avec Myuser connecte) en allant dans Users>Myuser>Edit Myuser account> password and confirm
Note: Myuser fait partie du group admin.
Apres avoir fait cela, il y a eu plusieur chose qui ne sont pas normales:

  • Etant connecte en ssh (par clefs) avec Myuser, il est impossible d’utiliser l’elevation de droit avec nouveau-mdp (sudo) - password errone et petit message enervant de root qui est pas content
  • Meme situation en essaynt de se connecter avec ancien-mdp: password incorrect
  • En se connectant sur le serial de la board: impossible de se login avec Myuser nouveau-mdp (mais j’ai toujous root si jamais)
  • Test de se connecter avec Myuser sur le portail yunohost : El famoso “504”
  • Test de se connecter sur le webadmin avec Myuser nouveau-mdp: OK! mais premiere fois que la page dit qu’il faut attendre le server au login webadmin “Waiting for the server response
”
  • Toutes les connections indirecte au portail (calendrier baikal, email, xmpp
) ca fonctionne.
  • Changer le mot-de-passe a nouveau donne les memes resultat.

La solution derivee qui aide pour se connecter au portail: augmenter le timeout sur la conf nginx, mais c’est pas ca le souci a mon avis.
La ou je pense qu’il faut investiger (avec mon expertise limite):

  • slapd/ldap qui n’as pas cascade le nouveau-mdp correctement
 le hash est pas correct/different pour pwd?
  • Le changement du mdp de Myuser PAR Myuser en tant qu’admin a mis une sorte de conflit?
  • Essayer de changer le mot de passe cote systeme? Pour finaliser le changement completement? (sachant que tout le reste est content)
  • Il y a-t-il un lien entre le mot de passe (longeur? Charactere?..) et les different endroit ou il dois etre mis a jour?

This is all connected to previous issues in this forum, not sure that others said they could not use their password in console

/
Tout ca est connecte au posts precedant dans le forum, pas sur que les autre ai dis qu’il n’arrivait plus se connecter en console.

https://forum.yunohost.org/t/erreur-504-via-yunohost-sso-portalapi-debian-bookworm-suite/34553/3

Share relevant logs or error messages

$ sudo yunohost tools regen-conf slapd --with-diff --force
[sudo] password for Myuser: new-password typed
Sorry, try again.

[POST] “https://mydomain.web/yunohost/portalapi/login”: 504

[error] 1364#1364: *12029 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.242.11, server: mydomain.web, request: “POST /yunohost/portalapi/login HTTP/2.0”, upstream: “http://127.0.0.1:6788/login”, host: “mydomain.web”, referrer: “https://mydomain.web/yunohost/sso/login?(....)”

Edit: realized I was rude and didn’t say Hi, sorry / Je m’en veu, je n’avais pas dis bonjour dans mon post, dĂ©solĂ© :dotted_line_face:

2

Good evening! :smiley:

I feel alone here :face_in_clouds:

Something I tried recently is to change the password using the root login (using serial on the board) but same result the change happens and login with serial is still incorrect.
On the rest of the apps, all is good, they received the new password and are happy about it. Just nginx 504 when using user portal and login with user in terminal with password is not working.

My question is, can I try to mess with LDAP to set the password to linux Myuser to sync all of them?
Or is that a bad idea?

Edit: didn’t say hi, sorry about that :pensive_face:

3

Hello everybody!

So, I was thinking about the issue and wondered, could there be some debug option on the password change?

To see what happens on password change

4

Good evening,

My status so far:
I added the timeout option to the nginx config as mentioned here. That got me back in for the user portal.

Still I can’t use sudo with my user and I thought why not try to ‘sync’ the password with what yunohost knows:
when I run the passwd command (be it with root or myuser)
i get the following same answer :

(current) LDAP Password: 
passwd: Authentication token manipulation error
passwd: password unchanged

and with root :

LDAP administrator password: 
passwd: Authentication token manipulation error
passwd: password unchanged

The error is normal? In both case?

How is the login system checking the security?