
Lost password


StianP


This is an issue that we have experienced before, I believe several times. On some occasions the admin password is being deleted from the pbx and we can log in with no password. As this has happened a number of times before and we haven't got a fix for it, we have monitoring in to check. It happened twice in the last three weeks. The password just went... surely this shouldn't be happening.

Link to comment
Share on other sites

This is obviously something that needs to be addressed. I would check if the pbx.xml file time stamp gets updated when you save the super admin password. If not, maybe there is a problem with the permission writing the file. Or sometimes there is a competing second PBX running on the same port and it gets random which one gets the HTTP/HTTPS port.

Link to comment
Share on other sites

SSH is not the problem for sure. It all comes down to the REST API. There are tickets that are two years old, so I take it we are talking about an older version of the PBX? The conclusion in the ticket was that the PBX did not have file system access during the start-up of the PBX and was granted it later, when it had already created a new default configuration with the default password. If you are still running the version, either make sure that the PBX process has file system access from the beginning or upgrade to a later version, where the PBX process verifies that it has file system access before creating a new configuration.

Link to comment
Share on other sites

The pbx has and always had file system access. It has always been able to store passwords. In any case it happened again last night and someone changed the password. You should review this post which was started by one of my colleagues

Last night it happened again, password just disappeared. We the password was changed from the web page. We can't be sure any details were lost; it's been reported to the Information Commissioner's Office in the UK for investigation. I'm sure you'll cooperate with them :)

Link to comment
Share on other sites

There is no ghost in the machine. Even though it seems otherwise, there is no magic in running software. There are essentially two problems here.

The first one is password security. If someone gets the password to your PBX that should not, yes there will be chaos. We actually did something about it — passkeys make it a lot harder to steal credentials and we expect that users like administrators will gradually migrate to passkeys. But if someone has the password to the server itself (file system), anything can happen. This is a standard problem and the PBX is just like any other server software. But my feeling is that this is not the case: If your passwords have been stolen, you would probably have many more problems with other accounts that you own.

The other one is what the PBX does. When the PBX starts up the first time after a fresh installation, it needs to set up a default configuration. This includes a default administrator account and password. When the code starts running, it has to make the decision whether this is the first time it runs or not. For that, it tries to read the configuration — and this was probably the problem: It could not read the file but it could eventually write it and overwrote the existing configuration. The reading and the writing do not necessarily happen within a second. For example, in macOS when you start a process you get a pop-up to approve file system access for the process, which is exactly that problem: It tries to read, which fails, and then later when some other setting needs to be written, it still has that initial configuration in memory. In addition, the operating system calculates a hash over the executable image and stores the access rights based on the hash. If you do a software upgrade, the whole thing starts again because the operating system does not trust the new executable.

If you have two or more processes running the problem is similar. The "sleeping" process eventually wants to write something and then overwrites the configuration of the "active" PBX. This is actually sometimes happening when the installation process manually starts the PBX and the administrator additionally starts the process with the service start command, without first stopping the already running PBX manually. This is why we recommend a reboot after installation as this avoids that problem and also makes sure the daemon was installed properly. If you don't want to take this step and you know what you are doing, you can at least check with the ps command if there is only one PBX running.

Lastly, we of course want to make this as simple as possible. That is why we have added additional checks for file system access during the start procedure in newer versions. If the PBX has no read and write access, it will exit. This might confuse installers, but at least it does not create the hard-to-understand problem that we are talking about now.

Link to comment
Share on other sites
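The start-up decision described in the post above, sketched as an added example (not part of the original post and not Vodia's code): defaults are created only when the configuration file is truly absent, and any other read failure stops the process instead of falling back to a default password. The function name, the exception and the XML content are assumptions made for illustration.

```python
import os
import tempfile

# Constructed placeholder, not the real pbx.xml layout.
DEFAULT_CONFIG = "<pbx><admin password='default'/></pbx>"


class ConfigUnavailable(Exception):
    """The configuration may exist but cannot be safely read or written."""


def load_or_init(path):
    """Return (config_text, created_defaults) or raise ConfigUnavailable.

    Hypothetical helper: only a missing file counts as a first run.
    """
    try:
        with open(path, "r", encoding="utf-8") as fh:
            text = fh.read()
    except FileNotFoundError:
        text = None  # genuinely absent: first start after installation
    except OSError as exc:
        # Permission denied, I/O error, ...: do NOT fall back to defaults.
        raise ConfigUnavailable(f"cannot read {path}: {exc}") from exc

    if text is not None:
        if not text.strip():
            raise ConfigUnavailable(f"{path} is empty, refusing to replace it")
        if not os.access(path, os.W_OK):
            raise ConfigUnavailable(f"{path} is readable but not writable")
        return text, False

    try:
        # O_EXCL fails if another instance created the file in the meantime,
        # so defaults can never overwrite an existing configuration.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except OSError as exc:
        raise ConfigUnavailable(f"cannot create {path}: {exc}") from exc
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(DEFAULT_CONFIG)
    return DEFAULT_CONFIG, True


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "pbx.xml")
        print(load_or_init(cfg))  # first run: defaults are written
        print(load_or_init(cfg))  # later run: existing file is kept
```

A service wrapper would treat `ConfigUnavailable` as fatal and log it, which makes a start-up permission problem visible instead of leaving a default configuration in memory.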

I know what happens when the pbx starts up first time. We set a password which was done on the initial installation some years ago.

This happens several times recently, always around midnight. The password disappears and we can log in with username and no password. It has nothing to do with first use after install and nothing to do with the pbx process restarting.

Quite clear the password is disappearing so... do you have an explanation and solution or are you going to continue to avoid the issue and not understand our issue?

 

Link to comment
Share on other sites

6 hours ago, StianP said:

This happens several times recently, always around midnight. The password disappears and we can log in with username and no password. It has nothing to do with first use after install and nothing to do with the pbx process restarting.

Quite clear the password is disappearing so... do you have an explanation and solution or are you going to continue to avoid the issue and not understand our issue?

I have never experienced this and the only time I have heard it is from StianP and rtl's posts. I assume it is the same server? It is obviously a concern, I believe rtl was moving to another server.. another Vodia?

And is this one doing the same thing as the last? 

Link to comment
Share on other sites

Yes it was reported in a ticket and it was fobbed off. They thought it was a fresh install and the password hadn't been changed.

Yes we moved to a new server and the issue happened again. Password disappeared completely so server was open to the public. Vodia refuse to believe it happens and won't even try to address the issue. All we get is the stuff you see above seemingly pretending it hasn't really happened.

This time we believe information was removed so we had to report to authorities. They are investigating. The support from Vodia is dire.

Link to comment
Share on other sites

I only use this forum for ideas, and enjoy reading here. When I read your case, I became very curious. However, it seems to be an extremely rare problem, I could not find anything else on this topic. However, I would like you to tell me which version you have, we have V67.0.5 here. I'm interested to know if that could happen to us. Thanks

Link to comment
Share on other sites

This is my version, it scares me. I have just now decided to upgrade my PBX. It would be bad if that were to happen to me as well.

I won't read through all of this again, but I think I read that this is fixed in a more recent version. @StianP, thanks for the tip, now I know what to do, will probably only help the upgrade.

 

Link to comment
Share on other sites

  • 2 weeks later...
On 4/6/2023 at 6:08 PM, Martin111 said:

but I think I read that this is fixed in a more recent version

Read this rambling post Posted March 31

Given that how can they claim to have fixed it if they haven't a clue what's causing it or more accurately are ignoring it and pretending it doesn't exist. Upgrading doesn't resolve it.

Link to comment
Share on other sites

  • 3 months later...
1 hour ago, koolandrew said:

Is the procedure for 69.0.x the same as previously to recover lost password, or is that possible any longer with the keys element?

In 69 you can click on "forgot password" and then use your email address to reset the password. This works also for admin accounts in 69.


Link to comment
Share on other sites
