New user creation authentication fails

Hello, I recently deployed passbolt and have issues with new users.

  1. Your password is part of a dictionary

My passbolt is in an isolated network without an internet connection. During creation of the passphrase for a new account, passbolt tries to check “your password is part of a dictionary”. Is it possible to disable this kind of checking?

  2. Authentication of a newly created user fails.

The user created in the Admin panel receives the email. After entering the passphrase, they receive these kinds of errors:

- When an incorrect passphrase is entered

- When the correct passphrase is entered.

If I restart the server, the user can log in. But then if I create another (new) user, it will have the same errors until I restart the server.

The deployment was done on an Oracle Linux server.

Hi @kissev

Your #1
The Have I Been Pwned database of passwords is part of Passbolt. If a password is in the database you will get that message. Script kiddies use those password dictionaries to have fun. So it is a good idea not to use a password if it is part of a dictionary (database): https://haveibeenpwned.com/

Your #2
Can you please run the health check and post any log info.

Hi @kissev,

As @Duffman said, it’s better to have this kind of check. However, for some configurations/environments, it is required not to have that external service call. So, what has been done is the following: when a password check is required (during account setup or during the creation of a new password), a call attempt is made and if it fails, we don’t call the service anymore during that process. Instead, a message is shown saying that the password could be in a data breach and we cannot check it.

Also, what I wanted to say as well is that there is an upcoming version that will include password policies management, and in it you will be able to choose whether to make that external call or not.

P.S.: the call to the service doesn’t send the password in the clear, but a hash instead.
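The lookup-and-fallback flow described in this reply, as an added example that is not passbolt's own code. It assumes the Have I Been Pwned range endpoint (`https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>`), so only a hash prefix leaves the machine, and it stops calling the service for the rest of the process after the first failed attempt.

```shell
#!/bin/sh
# Added example, not passbolt code: a Pwned Passwords range lookup with the
# "try once, then stop calling the service" behaviour described in the reply.
# Only the first 5 hex characters of the SHA-1 hash are sent (k-anonymity);
# the rest of the hash is matched locally against the returned suffix list.
HIBP_UNAVAILABLE=0   # set after the first failed lookup for this process

hibp_fetch_live() {  # real transport (assumed HIBP endpoint); tests swap it out
    curl -fsS --max-time 5 "https://api.pwnedpasswords.com/range/$1"
}

# hibp_check PASSWORD [FETCH_FN]
# prints breached:<count> (rc 1), clean (rc 0) or unknown (rc 2)
hibp_check() {
    pw=$1
    fetch=${2:-hibp_fetch_live}
    if [ "$HIBP_UNAVAILABLE" -eq 1 ]; then
        echo unknown           # isolated network: do not retry, warn the user
        return 2
    fi
    hash=$(printf '%s' "$pw" | sha1sum | cut -c1-40 | tr 'a-f' 'A-F')
    prefix=$(printf '%s' "$hash" | cut -c1-5)
    suffix=$(printf '%s' "$hash" | cut -c6-40)
    if ! body=$("$fetch" "$prefix"); then
        HIBP_UNAVAILABLE=1     # remember the failure for the rest of the flow
        echo unknown
        return 2
    fi
    # response lines look like SUFFIX:COUNT (CRLF terminated)
    count=$(printf '%s\n' "$body" | tr -d '\r' \
            | awk -F: -v s="$suffix" '$1 == s { print $2; exit }')
    if [ -n "$count" ]; then
        echo "breached:$count"
        return 1
    fi
    echo clean
    return 0
}
```

The three outcomes map onto the behaviour in the reply: a hit blocks the passphrase, a miss accepts it, and an unreachable service yields the "could be in a data breach, cannot check" message without further calls.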

Hi mate,
I don’t have a www-data user in my system, so I performed the command with the nginx account. I’m using my offline PKI server to issue certificates. As I understood from the output, there is a problem with the certificate chain; I think I need to add my root CA to the trusted list. Can someone help me with this issue? Passbolt is running on Oracle Linux.

su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" nginx

Open source password manager for teams

Healthcheck shell

Environment

[PASS] PHP version 8.1.20.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://test01.test.local
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check Passbolt Help | Troubleshoot SSL
[HELP] cURL Error (60) SSL certificate problem: self-signed certificate in certificate chain

Database

[PASS] The application is able to connect to the database
[PASS] 30 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[FAIL] Could not connect to passbolt repository to check versions It is not possible check if your version is up to date.
[HELP] Check the network configuration to allow this script to check for updates.
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] The self registration provider is: Email domain safe list.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

SMTP Settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

[FAIL] 3 error(s) found. Hang in there!
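Reproducing the two SSL failures from the healthcheck above with openssl, as an added example that is not passbolt code: the root CA and leaf certificate are constructed throw-away lab certs, the hostname is the fullBaseUrl host from the output, and the install function assumes the RHEL-family trust store that Oracle Linux uses.

```shell
#!/bin/sh
# Added example, not passbolt code. Builds a private root CA plus a leaf cert
# (constructed lab certs) and checks them the way cURL does in the healthcheck.
make_lab_certs() {   # $1 = output dir; creates ca.crt, leaf.crt and their keys
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=test01.test.local" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    # hostname check is done against the SAN, so the leaf must carry one
    printf 'subjectAltName=DNS:test01.test.local\n' > "$d/leaf.ext"
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/leaf.ext" \
        -out "$d/leaf.crt" 2>/dev/null
}

# check_chain CA_FILE LEAF_FILE HOSTNAME
# rc 0 only when the chain builds to CA_FILE AND the name matches the SAN
check_chain() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# check_chain_system_store LEAF_FILE HOSTNAME
# what cURL inside the healthcheck does: trust the system store only. A private
# root CA that is not installed there gives "self-signed certificate in
# certificate chain" (cURL error 60), as in the output above.
check_chain_system_store() {
    openssl verify -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Fix on Oracle Linux (RHEL family): add the root CA as a trust anchor, then
# re-run the healthcheck. Not executed by the tests (needs root).
install_root_ca_oracle_linux() {   # $1 = root CA PEM file
    sudo cp "$1" /etc/pki/ca-trust/source/anchors/ && sudo update-ca-trust
}
```

The second FAIL ("Hostname does not match") needs the fullBaseUrl host in the certificate's subjectAltName, independently of the trust-store fix.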

Hi @kissev

Hoping this link can help. Maybe an SSL issue?

Hey @kissev :wave:

What @Duffman said could actually help to solve your issues.

Also, I was reading your messages again, and if the SSL fix is not your solution then it could be the time sync. The authentication process uses GPGAuth, which requires decryption and encryption of data. In order to perform cryptographic operations correctly, both the user’s machine and the server need to be in sync in time (even a few seconds of difference might lead to problems).

On the user’s machine you can check that the time is automatically synced, and on the server you can run these:

To check if the sync service is running

sudo systemctl status systemd-timesyncd

If it’s not running you can do:

sudo systemctl restart systemd-timesyncd