cacti auth

solarix
Posts: 20
Joined: Wed Nov 28, 2001 7:00 pm

#1 Post by solarix » Thu Nov 29, 2001 8:21 pm

Using cacti 0.6, the auth scheme is broken in the default install.

seems that there needs to be an entry for an allowed host or something?

I get denied access on the first login. php logs:
[29-Nov-2001 19:35:40] PHP Warning: Supplied argument is not a valid MySQL result resource in /www/htdocs/server/cacti/auth/include/login.php on line 20

mysql logs the expected search with sql connect, and the select admin / admin

Suggestions?

raX
Lead Developer
Posts: 2237
Joined: Sat Oct 13, 2001 7:00 pm
Location: Carlisle, PA

#2 Post by raX » Thu Nov 29, 2001 8:58 pm

The first thing to try is to redownload cacti:
http://www.raxnet.net/downloads/cacti-0.6.tar.gz

I made some changes to the original SQL scripts since it was first released. Then run:

mysqladmin -u root -p drop cacti
mysqladmin -u root -p create cacti
mysql -u root -p cacti < SQL

By default the authentication code works fine. You may also want to check the following though:

in include/config.php make sure:
- You have a valid database/database user and password specified
- Make sure the "$path_webroot" is filled in with your apache web root (like /var/www/html)
- Make sure the "$path_webrrd" contains cacti's path within the webroot (like /cacti)

If you do not see the cacti picture on the login screen, your paths are not correct.

Once you log in with admin/admin you will be asked to retype a new password.

Ian

solarix
Posts: 20
Joined: Wed Nov 28, 2001 7:00 pm

#3 Post by solarix » Thu Nov 29, 2001 11:18 pm

Hi Ian,

this is the mysql log from login
323305 Query select * from auth_users where username="admin" and password = encrypt("admin",MD5("admin"))
323305 Query insert into auth_log (username,success,attemptedpass,ip) values("admin",0,"admin","208.33.80.102")

this is the query done manually and the result
mysql> select * from auth_users where username="admin" and password = encrypt("admin",MD5("admin"));
ERROR 1064: You have an error in your SQL syntax near '("admin"))' at line 1

mysql version 3.22.32 (linux)
apache 1.3.14
php 4.0.3pl1 (older I know, however I have requirements... for 4.0.3pl1)

solarix
Posts: 20
Joined: Wed Nov 28, 2001 7:00 pm

#4 Post by solarix » Fri Nov 30, 2001 9:15 am

There is something busted in my encrypt() functions as they are used in the login.php and changepassword.php.

I removed the encrypt() from the query lines, updated the passwords to plain text and login/password changes are effective.

I'll use the mysql password functions to store encrypted passwords, although they fly around the internet in the web forms as plain text...

Thanks for a great tool!

raX
Lead Developer
Posts: 2237
Joined: Sat Oct 13, 2001 7:00 pm
Location: Carlisle, PA

#5 Post by raX » Fri Nov 30, 2001 9:39 am

I'll have to look into that bug. I am using MySQL 3.23.36 and the SQL string:

select * from auth_users where username="admin" and password = encrypt("admin",MD5("admin"));

Seems to work ok for me. When I get home tonight I will see about an alternative to the 'encrypt' function. If you know of anything better for this situation feel free to suggest something.

solarix
Posts: 20
Joined: Wed Nov 28, 2001 7:00 pm

#6 Post by solarix » Fri Nov 30, 2001 11:12 am

Let mysql encrypt it with the password() function?

line 25 of changepassword.php
mysql_query("update auth_users set mustchangepassword='',password=PASSWORD('$password') where id='$userid'");

line 19 of login.php
$res_id_user = mysql_query("select * from auth_users where username='$username' and password=PASSWORD('$password')");

raX
Lead Developer
Posts: 2237
Joined: Sat Oct 13, 2001 7:00 pm
Location: Carlisle, PA

#7 Post by raX » Fri Nov 30, 2001 2:24 pm

You're right, the PASSWORD function seems much more appropriate for this situation. I am hoping to add these changes and get a small release out tonight if time permits.

solarix
Posts: 20
Joined: Wed Nov 28, 2001 7:00 pm

#8 Post by solarix » Sat Dec 01, 2001 10:40 am

mysql-3.23.40 cured all my problems... so far.

raX
Lead Developer
Posts: 2237
Joined: Sat Oct 13, 2001 7:00 pm
Location: Carlisle, PA

#9 Post by raX » Sat Dec 01, 2001 11:19 am

Excellent. I probably should start using the PASSWORD() function, however, since it seems to be more compatible. The only issue is, when users upgrade to version 0.6.1, they will have to change their passwords. No big deal I guess.
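
Added example, not part of the thread or of Cacti's code: the login check and password change from posts #3 and #6, with the hash computed in PHP (password_hash/password_verify, a swapped-in technique rather than PASSWORD()) and bound parameters, so the plaintext password never appears in the SQL text that the query log in post #3 records. An in-memory SQLite database via PDO stands in for MySQL; the table layout, function names and sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: pdo_sqlite is available; an in-memory SQLite DB stands in for MySQL.
// Table and column names follow the queries quoted in the thread; the layout is assumed.
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE auth_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
               password TEXT, mustchangepassword TEXT)');
    $db->exec('CREATE TABLE auth_log (username TEXT, success INTEGER, ip TEXT)');
    return $db;
}

// Hash in PHP, so the statement sent to the database carries only the salted hash.
function set_password(PDO $db, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $st = $db->prepare("UPDATE auth_users SET mustchangepassword = '', password = ? WHERE username = ?");
    $st->execute([$hash, $username]);
}

// Look the user up by name only, then compare in PHP with password_verify().
function check_login(PDO $db, string $username, string $password, string $ip): bool {
    $st = $db->prepare('SELECT password FROM auth_users WHERE username = ?');
    $st->execute([$username]);
    $stored = $st->fetchColumn();          // false when no such user, null when unset
    $ok = is_string($stored) && password_verify($password, $stored);
    // Log the outcome, never the attempted password.
    $log = $db->prepare('INSERT INTO auth_log (username, success, ip) VALUES (?, ?, ?)');
    $log->execute([$username, $ok ? 1 : 0, $ip]);
    return $ok;
}

// Constructed sample data (user, passwords and documentation-range IP).
$db = open_db();
$db->prepare('INSERT INTO auth_users (username, mustchangepassword) VALUES (?, ?)')
   ->execute(['admin', 'on']);
set_password($db, 'admin', 'correct horse battery');
var_dump(check_login($db, 'admin', 'correct horse battery', '192.0.2.10')); // valid password
var_dump(check_login($db, 'admin', 'admin', '192.0.2.10'));                 // wrong password
var_dump(check_login($db, "o'brien", 'x', '192.0.2.10'));  // unknown user; the quote is bound as data
```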
