Solution to invalid username or password problem after installation

Status
Not open for further replies.

TurabG

Member
Aug 25, 2022
Hi all.

There are some old threads asking questions about the wrong credentials error while they are sure the information they have is actually correct. I had the same problem today, and the "password reset" which is suggested in those threads didn't help me. Since I can't reply to those old threads, I wanted to share my experience for the Googlers.

The problem seems to arise when your instance doesn't have a static IP and probably when you don't have a password meeting the FusionPBX standard. (Mine didn't, because I have installed a local instance for testing and learning purposes.) When your network refreshes and the instance changes the local IP, FusionPBX creates a new domain under this new IP. Now you have two domains in FusionPBX. This makes logging in with a bare username impossible. You now have to type in your username like admin@domain or admin@ipaddress, but since your password doesn't meet the standard, it won't let you log in, although the credentials are correct. There you are, locked out.

I think this is a bug. The system doesn't allow you to edit your password and choose a simple one. It forces you to use a complex one by default. However, it allows literally any password during the first creation of the user after installation. It shouldn't allow you there either, both for security and because of this kind of lockout issue.

How can you solve the problem? First of all, you need to follow the password reset instructions in the documentation.

What I would like to add differently is:

1- Documentation misleads you when it says it is password reset. The procedure is actually NOT "password reset". It is actually creating a new user. As shallowly mentioned in the documentation, you need to create a new user here. You cannot reset an existing user's password by just leaving "admin" (which is filled by default) in the username field and typing in a new password. This won't work, although the procedure says the operation was successful, which I think is another bug. So, for example, you need to create "admin2" with a new password. (Then you can reset the password of an existing user after you log in with your new user.)

2- You must use a complex password, which only the profile page warns you about: minimum 12 characters long, with at least one number, one lowercase letter and one uppercase letter. The installation script doesn't warn you about this complexity level and, moreover, it even allows you to create one which doesn't comply with this rule. Then you lock yourself out of the panel under certain circumstances.
 

hfoster

Active Member
Jan 28, 2019
I don't think what you're stating is entirely correct. It only creates one domain, and that's during the bash script installer. It performs a dumb check once:

domain_name=$(hostname -I | cut -d ' ' -f1)

and then inserts a ton of SQL with that name as your domain. You can change your network infinitely after that and unless you create a new domain, it will remain the same.

I think you may have actually fallen foul of the multiple authentication attempts checker:

/core/authentication/resources/classes/authentication.php

//automatically block multiple authentication failures
if (!isset($_SESSION['users']['max_retry']['numeric'])) {
    $_SESSION['users']['max_retry']['numeric'] = 5;
}
if (!isset($_SESSION['users']['find_time']['numeric'])) {
    $_SESSION['users']['find_time']['numeric'] = 3600;
}

5 strikes, and you won't validate for an hour. It doesn't let you know this, for obvious but frustrating reasons. You can see in the 'User Logs' if that is the case, you should see 5 failures on 'Show All'.

This class doesn't check the complexity of the password; only the forms where you can edit it do that. Sometimes via JavaScript, sometimes via PHP.
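
A small model of the lockout window described in the reply above, as an added example that is not part of the thread and not FusionPBX's own code: it counts logged failures per remote address inside the find_time window and reports when the block would clear. The log column layout, the per-address keying and the sample rows are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

MAX_RETRY = 5     # default for users/max_retry/numeric quoted above
FIND_TIME = 3600  # default for users/find_time/numeric quoted above, in seconds

# Constructed sample rows: timestamp,username,domain,result,remote_address.
# This column layout is an assumption, not the FusionPBX user-log schema.
SAMPLE_LOG = """\
2023-02-01 09:00:00,admin,,failure,10.0.0.20
2023-02-01 09:01:00,admin,,failure,10.0.0.20
2023-02-01 09:02:00,admin,10.0.0.175,failure,10.0.0.20
2023-02-01 09:03:00,admin,10.0.0.175,failure,10.0.0.20
2023-02-01 09:04:00,admin,10.0.0.175,failure,10.0.0.20
2023-02-01 09:05:00,admin2,10.0.0.175,success,10.0.0.99
2023-02-01 09:30:00,admin,10.0.0.175,failure,10.0.0.20
"""


def parse(log_text):
    """Turn the CSV-style export into (time, user, domain, result, addr) tuples."""
    rows = []
    for line in log_text.strip().splitlines():
        ts, user, domain, result, addr = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, domain, result, addr))
    return rows


def lockout_status(rows, addr, now, max_retry=MAX_RETRY, find_time=FIND_TIME):
    """Return (blocked, failures_in_window, clears_at) for one remote address.

    Assumed rule: blocked while at least max_retry failures from the address
    fall within the last find_time seconds, whatever password is submitted.
    """
    start = now - timedelta(seconds=find_time)
    fails = sorted(t for t, _, _, result, a in rows
                   if a == addr and result == "failure" and start < t <= now)
    if len(fails) < max_retry:
        return (False, len(fails), None)
    # The block ends when the max_retry-th most recent failure ages out,
    # provided no further failures are logged in the meantime.
    return (True, len(fails), fails[-max_retry] + timedelta(seconds=find_time))


if __name__ == "__main__":
    print(lockout_status(parse(SAMPLE_LOG), "10.0.0.20", datetime(2023, 2, 1, 9, 45)))
```

In this model the 09:30 retry moves the clear time from 10:00 to 10:01, so retrying while blocked delays recovery if those attempts are also logged as failures.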
 

TurabG

Member
Aug 25, 2022
I installed Fusion on a local machine with a local IP of 10.0.0.170. I wandered around the admin panel for a couple of minutes to learn it. Then I shut the machine down. After 3-4 days, I powered it up and, not noticing the local IP had changed, I just entered the admin panel with the new IP (which I learnt from the console by "hostname -I", because I didn't remember its IP, expectedly); it was 10.0.0.175. Then I entered the correct credentials, of which I am very, very sure, because I used "1" as the password during installation, which is what I always do with demo installations, and even the root password and even the user password of this very machine is still "1", and I logged in and out a few times after the installation with that password. It means there is no way I could have entered this one-character password incorrectly 5 times.

It is only after I struggled with the password reset procedure I noticed that there are two domains as 10.0.0.170 and 10.0.0.175 which I am sure I have never created (and why would I) because I didn't even know how to :) I just oversaw what the menus were post installation and then shut the machine down, never changed a setting and never created a domain and yet it was there.

By the way, you wouldn't understand from the user log, because that is the problem already, which denies you logging in while credentials are correct. So of course you will see login failures in the log; that is the problem in the first place. And when I look at the errors, I can see that the first failures' domain column is empty, but after some time, the subsequent errors have a domain which is the new local IP, exactly like I described. The first failures didn't have a domain because the installation didn't have more than one. But after a few days, a domain appears in the failure entries.
 

TurabG

Member
Aug 25, 2022
Update for confirmation: Today I booted up my learning instance and, after more than 2 weeks, it now has a new local IP and, just like I described in the first topic, I am locked out. I cannot log in with the correct password, with or without @domain_name in the username. This time the password is complex enough to meet the Fusion default standard, but nevertheless, it locked me out. I have been working on this instance for about 2-3 weeks without a problem, and this time the complex password is saved to the browser. But it will just say that the login information is incorrect.

Edit: I installed a production candidate on a remote VPS and it happened again. After I changed the dedicated FQDN, I am locked out; no matter if I type the domain or not, it just doesn't let me log in.
 

shoaibsheikh786

New Member
Jan 19, 2023
I was banging my head on this for the last 10-15 minutes and then I came across this post, and needless to say this is the solution. It's very frustrating that the documentation of FusionPBX is also wrong on this.
 