[BlueOnyx:27210] Re: 5211R error GUI login after 2fa

JW Ronken jwronken at gmail.com
Thu Aug 22 13:17:02 -05 2024


Hi Michael
Thanks for the quick response!

Using the debugmode:
Class "Sonata\GoogleAuthenticator\GoogleAuthenticator" not found


When I check the SERVER tab;
REQUEST_TIME_FLOAT    1724349813.4888
REQUEST_TIME          1724349813
argv                  Array
                      (
                          [0] => auth_check=2FACHECK
                      )

$_SESSION
Key                   Value
__ci_last_regenerate  1724349604
expired_url           /expired/true/target/login?auth_check=2FACHECK
actual_url            login?auth_check=2FACHECK


Which made me check the time, but it's 100% correct, using NTP pool.ntp.org
in GMT +2:00

/usr/sausalito/ui/chorizo/ci4/Modules/Base/User/Controllers/Login.php at line 76

69                 }
70             }
71             return $backupCodes;
72         }
73     }
74
75     public function verifyCode($username, $code) {
76         $g = new GoogleAuthenticator();
77         $secretKey = Login::getSecretKey($username);
78
79         // First, check if the input code is a valid TOTP code:
80         if ($g->checkCode($secretKey, $code)) {
81             return true; // The TOTP code is correct
82         }
83         else {



/usr/sausalito/ui/chorizo/ci4/Modules/Base/User/Controllers/Login.php : 454  —  User\Controllers\Login->verifyCode

447                 $CI->cceClient->authkey($form_data['username_field'], $sessionId);
448
449                 bx_error_log("Login.php: Updating Session saved 'System' Object with the full data. auth_stage: $auth_stage");
450                 $CI->setSystem($CI->cceClient->get($system['OID'], ''));
451
452                 if (($auth_stage === '2FACHECK') && (isset($form_data['actual_token_field']))) {
453                     // 2FA via Google-Authenticator:
454                     if (!Login::verifyCode($form_data['username_field'], $form_data['actual_token_field'])) {
455                         bx_error_log("Login.php: Invalid login attempt due to 2FA failure. I will remember this!");
456                         $CI->add_invalid_login();
457
458                         setcookie("sessionId", 'expired', "0", "/");
459                         setcookie("logout", '2fafail', time()+60, "/");
460                         @session()->destroy();
461                         $CI->setUserLogged();



   1. SYSTEMPATH/CodeIgniter.php : 927   —  User\Controllers\Login->login ()

   920             $output = $class->_remap($this->method, $params);
   921         } else {
   922             // This is a Web request or PHP CLI request
   923             $params = $this->router->params();
   924
   925             $output = method_exists($class, '_remap')
   926                 ? $class->_remap($this->method, ...$params)
   927                 : $class->{$this->method}(...$params);
   928         }
   929
   930         $this->benchmark->stop('controller');
   931
   932         return $output;
   933     }
   934

   2. SYSTEMPATH/CodeIgniter.php : 482   —  CodeIgniter\CodeIgniter->runController

   475             if (! method_exists($controller, '_remap') && ! is_callable([$controller, $this->method], false)) {
   476                 throw PageNotFoundException::forMethodNotFound($this->method);
   477             }
   478
   479             // Is there a "post_controller_constructor" event?
   480             Events::trigger('post_controller_constructor');
   481
   482             $returned = $this->runController($controller);
   483         } else {
   484             $this->benchmark->stop('controller_constructor');
   485             $this->benchmark->stop('controller');
   486         }
   487
   488         // If $returned is a string, then the controller output something,
   489         // probably a view, instead of echoing it directly. Send it along

   3. SYSTEMPATH/CodeIgniter.php : 351   —  CodeIgniter\CodeIgniter->handleRequest

   344
   345         // spark command has nothing to do with HTTP redirect and 404
   346         if ($this->isSparked()) {
   347             return $this->handleRequest($routes, $cacheConfig, $returnResponse);
   348         }
   349
   350         try {
   351             return $this->handleRequest($routes, $cacheConfig, $returnResponse);
   352         } catch (RedirectException $e) {
   353             $logger = Services::logger();
   354             $logger->info('REDIRECTED ROUTE at ' . $e->getMessage());
   355
   356             // If the route is a 'redirect' route, it throws
   357             // the exception with the $to as the message
   358             $this->response->redirect(base_url($e->getMessage()), 'auto', $e->getCode());

   4. FCPATH/index.php : 68   —  CodeIgniter\CodeIgniter->run ()

   61  *---------------------------------------------------------------
   62  * LAUNCH THE APPLICATION
   63  *---------------------------------------------------------------
   64  * Now that everything is setup, it's time to actually fire
   65  * up the engines and make this app do its thang.
   66  */
   67
   68 $app->run();
   69

Thanks!
Janwillem


On Thu, Aug 22, 2024 at 7:14 PM Michael Stauber via Blueonyx <
blueonyx at mail.blueonyx.it> wrote:

> Hi Janwillem,
>
> > One of our 5211R doesn't allow me anymore to login into the GUI as admin.
> > After entering the 2FA code I get an "internal server error The server
> > encountered an internal error and was unable to complete your request."
> >
> > /var/log/secure shows:
> > Aug 22 16:51:48 ds50 cced(smd)[11928]: PAM unable to
> > dlopen(/usr/lib64/security/pam_cracklib.so):
> > /usr/lib64/security/pam_cracklib.so: cannot open shared object file: No
> > such file or directory
>
> You can ignore that pam_cracklib.so error as it has no relevance to your
> problem and doesn't affect logins.
>
> To see why you get "internal server error" in the GUI you could turn on
> GUI-debugging and that would help us to find the real cause of the problem:
>
> https://www.blueonyx.it/blueonyx-5211r-debugging
>
> > I do have SSH access
> > Any idea for a quick fix or how to enable 2fa temporarily from the
> > commandline?
> As "root" and from the shell run /usr/sausalito/bin/cceclient to fire up
> CCEClient:
>
> [root@server ~]# /usr/sausalito/bin/cceclient
> 100 CSCP/0.99
> 200 READY
>
> In there type:
>
> FIND System
>
> That will report back something like this:
>
> 104 OBJECT 1
>
> In this example it tells us that the 'System' Object has the OID #1.
>
> Then enter this:
>
> SET <OID> gui_2fa = "0"
>
> Replace <OID> with the Object ID that the "FIND System" command had
> reported back. In our case that was the number 1, so we'd use:
>
> SET 1 gui_2fa = "0"
>
> It will report back "201 OK" if the transaction was successful. And that
> then has set 2FA to disabled.
>
> Alternatively: You could run "rm -f ~admin/.google_authenticator" to
> remove the 2FA config file for user "admin". That would allow you to
> login to the GUI as "admin" (without 2FA) and then you could turn off
> 2FA via the GUI.
>
> --
> With best regards
>
> Michael Stauber
>
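
Added example (not part of the original thread, and not BlueOnyx or Sonata code): a minimal RFC 6238 TOTP check showing what a server clock problem looks like to a verifyCode()-style function, namely a rejected code (a false return) rather than an exception such as the "Class ... not found" error raised at line 76 before any code is compared. The secret is the RFC 6238 test secret, and the 30-second step, 6 digits and +/-1 step acceptance window are assumptions, not values taken from the 5211R.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per TOTP time step (assumed, RFC 6238 default)
DIGITS = 6     # code length (assumed)
SECRET = b"12345678901234567890"  # constructed sample: RFC 6238 SHA-1 test secret


def totp(secret: bytes, unix_time: int) -> str:
    """Return the TOTP code for the time step containing unix_time."""
    counter = unix_time // STEP
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the code if it matches any step within +/- window of server_time."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(candidate, code):  # constant-time comparison
            return True
    return False


def skew_report(secret: bytes, token_time: int, skews: list[int]) -> dict[int, bool]:
    """Map each server clock skew (seconds) to whether the user's code verifies."""
    code = totp(secret, token_time)
    return {s: verify(secret, code, token_time + s) for s in skews}


if __name__ == "__main__":
    # The user's device generates a code at t=59; the server clock is off by 0..90 s.
    for skew, ok in skew_report(SECRET, 59, [0, 30, 90]).items():
        print(f"server clock {skew:+d}s -> {'accepted' if ok else 'rejected'}")
```
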