webserver-authentication
#1
This post is not a question, but just my experience that I thought was worth sharing.

Today I updated to the latest nightly and I couldn't log in to the pilight webpage anymore.

After looking at the GitHub commits I found out why (I had to look multiple times).
The reason is that the password now needs to be encrypted with a SHA256 hash.

How to do this was described in 1 commit:
Quote: Use the new tool pilight-encrypt to generate the SHA256 hash used in pilight.

I tried this, but it didn't work, so I looked at the forum/wiki/nightly page/development page, but nothing there. Then I looked again at the commits and found a commit with the cryptic description "Rename encrypt to sha256".

This cryptic description means that the command pilight-encrypt was renamed to pilight-sha256 and needs to be used as follows:

Code:
pilight-sha256 -p yourpasswordhere

This will generate a SHA256 hash from your password, which needs to be used in your config.json:

Code:
"webserver-authentication": [ "username", "your SHA256 hash goes here" ]
 
Reply
#2
Hey,
thanks, that was the page I was looking for.

Some things to keep in mind:
It works fine for the default web portal.
However, the Android app can simply connect without the authentication (no iPhone / Windows Phone to check, but I think it is the same).

I also found my super secret testing password in the log:
Code:
[May 23 19:48:04:173216] pilight-daemon: INFO: caching sha256 hash for friet
Strangely enough, there is no username found in the log.
 
Reply
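Added example, not part of the thread and not pilight's own code: a small Python audit for the two things posts #1 and #2 describe, namely that the second element of "webserver-authentication" must be a hash rather than the plaintext password, and that the daemon log can contain a "sha256 hash for ..." line ending in the plaintext password. It assumes pilight-sha256 prints a 64-character hex digest and searches the whole config tree for the key; the sample configs, the "settings" wrapper, the digest and the second log line's timestamp are constructed.

```python
import json
import re

# Assumption: pilight-sha256 prints a hex SHA-256 digest (64 hex characters).
HEX_DIGEST = re.compile(r"[0-9a-fA-F]{64}")
# Matches the log line quoted in post #2, which ends with the plaintext password.
LEAK_LINE = re.compile(r"sha256 hash for \S")


def find_auth(node):
    """Return the first "webserver-authentication" value anywhere in the config tree."""
    if isinstance(node, dict):
        if "webserver-authentication" in node:
            return node["webserver-authentication"]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_auth(child)
        if found is not None:
            return found
    return None


def audit_config(config_text):
    """Classify the entry as 'ok', 'missing', 'malformed' or 'not-a-hash'."""
    auth = find_auth(json.loads(config_text))
    if auth is None:
        return "missing"
    if not (isinstance(auth, list) and len(auth) == 2
            and all(isinstance(item, str) for item in auth)):
        return "malformed"
    return "ok" if HEX_DIGEST.fullmatch(auth[1]) else "not-a-hash"


def leaking_lines(log_text):
    """Return 1-based numbers of log lines that expose a password (value not echoed)."""
    return [n for n, line in enumerate(log_text.splitlines(), 1)
            if LEAK_LINE.search(line)]


# Constructed samples: the "settings" wrapper and the digest are placeholders.
GOOD_CONFIG = '{"settings": {"webserver-authentication": ["username", "%s"]}}' % ("0123456789abcdef" * 4)
PLAIN_CONFIG = '{"settings": {"webserver-authentication": ["username", "yourpasswordhere"]}}'
SAMPLE_LOG = """[May 23 19:48:04:173216] pilight-daemon: INFO: caching sha256 hash for friet
[May 23 19:50:00:000000] pilight-daemon: INFO: chached new sha256 hash"""

if __name__ == "__main__":
    print(audit_config(GOOD_CONFIG), audit_config(PLAIN_CONFIG), leaking_lines(SAMPLE_LOG))
```

A password that shows up on a flagged line should be treated as exposed: change it, regenerate the hash, and restrict who can read the log file.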
#3
The Android app and webGUI simply use very different authentication techniques. The webGUI uses the default HTTP protocol authentication while the Android app uses plain socket connections.

I will of course remove the sha256 log message like this. You can use the whitelist feature to only allow certain IP addresses.
 
Reply
#4
It would be nice if this password encryption were also applied to the smtp-password.
 
Reply
#5
That's not possible because we need to be able to send the password to the external server, so it needs to be decodable.
 
Reply
#6
Hello,
I have recently updated to pilight 7.0 and since then I cannot log in to the GUI anymore.
Everything works well except the authentication, and I am sure that the config file is correct.
I have generated the sha256 hash for the password using the pilight-sha256 command.
The log file does not really give any ideas about the problem.
When I run the daemon in debug mode and try to log in, it only says "pilight-daemon: INFO: chached new sha256 hash". Before the login fails, the CPU usage reaches 100%.
PS: There's also a small typo "chached" in the log message.
 
Reply
#7
Can you check what thread is running at 100%?
 
Reply
  

