This post is not a question, but just my experience that I thought was worth sharing.

Today I updated to the latest nightly and I couldn't log in to the pilight webpage anymore.

After looking at the GitHub commits I found out why (I had to look multiple times).
The reason is that the password now needs to be encrypted with a SHA256 hash.

How to do this was described in 1 commit:
Quote: Use the new tool pilight-encrypt to generate the SHA256 hash used in pilight.

I tried this, but it didn't work, so I looked at the forum/wiki/nightly page/development page, but nothing there. Then I looked again at the commits and found a commit with the cryptic description "Rename encrypt to sha256".

This cryptic description means that the command pilight-encrypt was renamed to pilight-sha256 and needs to be used as follows:

pilight-sha256 -p yourpasswordhere

This will generate a SHA256 hash from your password that needs to be used in your config.json:

"webserver-authentication": [ "username", "your SHA256 hash goes here" ]
Thanks, that was the page I was looking for.

Some things to keep in mind.
It works fine for the default webportal.
However, the Android app can simply connect without the authentication (no iPhone / Windows Phone to check, but I think it is the same).

I also found my super secret testing password in the log:
[May 23 19:48:04:173216] pilight-daemon: INFO: caching sha256 hash for friet
Strangely enough, there is no username found in the log.
The Android app and webGUI simply use very different authentication techniques. The webGUI uses the default HTTP protocol authentication while the Android app uses plain socket connections.

I ofc will remove the sha256 log message like this. You can use the whitelist feature to only allow certain IP addresses.
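
Added example, not part of the original posts and not pilight code: a Python check that finds the plaintext-password log line reported above in a daemon log and redacts it. The function name and the sample lines other than the one quoted in the thread are constructed; the timestamp layout is assumed from that quoted line.

```python
import re

# Pattern for the daemon line quoted in the thread. Everything after
# "caching sha256 hash for " is the plaintext password.
# Assumption: the timestamp/prefix layout matches that single quoted line.
LEAK_RE = re.compile(
    r"^(?P<prefix>\[(?P<ts>[^\]]+)\]\s+pilight-daemon:\s+INFO:\s+"
    r"caching sha256 hash for )(?P<secret>.*)$"
)

# Sample input: line 2 is the line from the thread; lines 1 and 3 are
# constructed (line 3 reuses the 7.0 message text with a made-up timestamp).
SAMPLE_LOG = [
    "[May 23 19:48:03:901122] pilight-daemon: INFO: constructed sample line",
    "[May 23 19:48:04:173216] pilight-daemon: INFO: caching sha256 hash for friet",
    "[May 23 19:48:09:000417] pilight-daemon: INFO: chached new sha256 hash",
]


def scan_and_redact(lines):
    """Return (redacted_lines, findings).

    findings carry only line number and timestamp, never the secret,
    so the report itself can be shared safely.
    """
    redacted, findings = [], []
    for lineno, line in enumerate(lines, start=1):
        text = line.rstrip("\n")
        match = LEAK_RE.match(text)
        if match:
            findings.append({"line": lineno, "timestamp": match.group("ts")})
            text = match.group("prefix") + "[REDACTED]"
        redacted.append(text)
    return redacted, findings


if __name__ == "__main__":
    cleaned, hits = scan_and_redact(SAMPLE_LOG)
    for hit in hits:
        print(f"plaintext password logged at line {hit['line']} ({hit['timestamp']})")
    print("\n".join(cleaned))
```

Any password that shows up in such a line should be changed as well, since copies of the log may already exist in backups or rotated files.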
It would be nice if this password encryption is also applied to the smtp-password.
That's not possible because we need to be able to send the password to the external server, so it needs to be decodable.
I have recently updated to pilight 7.0 and since then I cannot log in to the GUI anymore.
Everything works well except the authentication and I am sure that the config file is correct.
I have generated the sha256 hash for the password using the pilight-sha256 command.
The log file does not really give any ideas about the problem.
When I run the daemon in debug mode and try to log in it only says "pilight-daemon: INFO: chached new sha256 hash". Before the login fails the CPU usage reaches 100%.
PS: There's also a small typo "chached" in the log message.
Can you check what thread is running at 100%?
