Problem: able to log into nagios' web gui with no password even though a password is assigned in both AD & nagios application
Background info: I've been working with Nagios XI so I can replace our aging Nagios 3.06 environment. Since we're also under PCI restrictions, I've also been locking down the Nagios XI server as I move farther along in my testing. At this point I've got LDAP & AD integration working. SSL certs have been applied and SELinux is enforced. While working with the system this morning I entered in my user name and accidentally hit the "enter key" instead of my password. I was a bit surprised when the system let me in. It seems nagios will let me in with the correct password and no password. Incorrect passwords are rejected as normal. I assumed it might be part of the ldap/ad integration and created a local (only on the nagios server) user. The local user can log into nagios with no password. Any idea where I can turn off this no password login?
David
can login with no password
slansing
Re: can login with no password
Hmm, do you have automatic login set up for your account? Did this happen when you were creating a new user? Or is this on the nagiosadmin account?
Admin > Automatic Login
I am unable to reproduce this "blank password" Issue on my end.
Re: can login with no password
Automatic Login is not enabled. I currently have 2 setups (dev & lab). Dev does not have SELinux enabled or its OS locked down while Lab is more secured. Both servers are showing the same behavior. Here's a list of what I did to both servers (config file changes, etc).
9. Modify httpd.conf (/etc/httpd/conf/httpd.conf)
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
NameVirtualHost *:80
10. Add the following lines to nagiosxi.conf (/etc/httpd/conf.d)
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory "/usr/local/nagiosxi/html">
AllowOverride All
</Directory>
</VirtualHost>
Alias /nagiosxi "/usr/local/nagiosxi/html"
11. Modify the following line in nagiosxi.conf (/etc/httpd/conf.d)
a. Remove # from SSLRequireSSL
12. Add the following line to httpd.conf (/etc/httpd/conf/httpd.conf)
<VirtualHost *:80>
Redirect / https://dev-nagiosxi01/
</VirtualHost>
NameVirtualHost *:443
13. Add the following line to config.inc.php (/usr/local/nagiosxi/html/config.inc.php)
a. Under $cfg['base_url']="/nagiosxi"; add the following
b. $cfg['use_https']=true;
14. Make the following changes to the Nagios web GUI
15. Under Admin>Manage System Config>Program URL
a. Change http to https
16. Next make the following changes from the Nagios GUI
17. Under Configure>Core Config Manager>Config Manager Admin>Config Manager Settings
a. Change Server Protocol from http to https
18. Redirect temp path in nagios.cfg
a. temp_path=/tmp to /var/tmp
Customizations
1) Custom Landing Page (Home page) – force users to land on service view
Admin>Manage Components>Home Page Modification
Home Page Destination – Custom URL
Custom URL: https://dev-nagiosxi01/nagiosxi/includes/components/nagiosbpi/index.php
2) Adjust Nagios Business Process Intelligence Page
Modify /usr/local/nagiosxi/html/includes/components/nagiosbpi/index.php by removing Medium, Low, Hostgroup & Server group tabs. Change High Priority to System Groups and change hover text to Server Groups.
scottwilkerson
DevOps Engineer
Re: can login with no password
The authorization must be coming back from your AD server as OK when being passed the username and blank password.
If you turn off AD auth in XI can the user still login with a blank password?
Re: can login with no password
It looks like it's something in the LDAP Authentication component that is causing the problem. The really odd thing is a user created in nagios with no credentials in AD or in the OS can log in with no password when this component is enabled. Anyway, thanks for your help.
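Added example, not part of the thread and not Nagios XI's code: a constructed in-memory model of LDAP simple bind as RFC 4513 section 5.1 describes it, showing how a login wrapper that trusts any successful bind accepts a blank password (even for a user the directory does not know) while still rejecting wrong passwords. `FakeDirectory`, `login_naive`, `login_checked` and the sample DN and password are assumptions made for illustration; whether the LDAP component in this thread behaves this way is not confirmed by the posts.

```python
"""Constructed model of LDAP simple bind (RFC 4513 section 5.1) and two login wrappers."""

SAMPLE_DN = "CN=david,OU=Staff,DC=example,DC=test"  # constructed sample entry
SAMPLE_PW = "S3cret!pass"                           # constructed sample password


class FakeDirectory:
    """In-memory stand-in for an LDAP/AD server (hypothetical, for illustration)."""

    def __init__(self, entries, allow_unauthenticated_bind=True):
        self.entries = entries  # maps DN -> password
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, dn, password):
        """Return (ok, bound_identity) the way a server answers a simple bind."""
        if password == "":
            # RFC 4513 5.1.1 / 5.1.2: an empty password requests an anonymous or
            # "unauthenticated" bind. The DN is not verified, and success only
            # establishes an anonymous session.
            if dn == "" or self.allow_unauthenticated_bind:
                return True, "anonymous"
            return False, None  # server refuses (unwillingToPerform)
        if self.entries.get(dn) == password:
            return True, dn
        return False, None  # invalidCredentials


def login_naive(directory, dn, password):
    """Treats any successful bind as proof of identity (the failure mode)."""
    ok, _ = directory.simple_bind(dn, password)
    return ok


def login_checked(directory, dn, password):
    """Rejects empty credentials before binding and checks who was bound."""
    if not dn or not password:
        return False
    ok, identity = directory.simple_bind(dn, password)
    # A real client can ask the server with the "Who am I?" operation (RFC 4532).
    return ok and identity == dn


if __name__ == "__main__":
    ad = FakeDirectory({SAMPLE_DN: SAMPLE_PW})
    for pw in (SAMPLE_PW, "wrong-guess", ""):
        print(repr(pw), login_naive(ad, SAMPLE_DN, pw), login_checked(ad, SAMPLE_DN, pw))
```

Setting `allow_unauthenticated_bind=False` models a directory server configured to refuse unauthenticated binds, which closes the gap on the server side as well.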