HTTP AUTH no longer working following upgrade

[MJN]

FIrstly, apologies for the 3rd consecutive post following my upgrade from v1.32.2 to v1.34.5 - they are not intended to be gripes, or at least not at ZoneMinder anyway!

For years now (just gone 13!) I've been using HTTP basic authentication (sent through HTTPS) with Zoneminder and only now following the upgrade has it stopped working. Specifically, it appears to be causing an infinite redirect on login such that I can't access the system. Chrome reports 'ERR_TOO_MANY_REDIRECTS' and Firefox something more ambiguous but enabling the network developer tool shows mutliple redirects too.

My Apache config is the default /etc/apache2/conf-available/zoneminder.conf file supplied with the package (installed via iconnor's PPA) with the addition of the following simple config added to the <Directory /usr/share/zoneminder/www> directive:

Code: Select all

AuthType Basic
AuthName "ZoneMinder - Unauthorised Access Prohibited"
AuthUserFile /home/mathew/NewtonNet/zmhtpasswds 
Require valid-user

The relevant (or what I assume to be relevant) ZoneMinder config options are:

Screenshot from 2020-03-04 22-55-10.png (50.72 KiB) Viewed 9738 times

If I disable HTTP authentication I am presented with the ZoneMinder authentication screen (which I've never seen before) and I can login fine.

I don't expect anyone to debug what I can only assume is any issue with my own configuration, but if anything jumps out I would be ever so grateful for it being pointed out. I have been randomly trying different ZoneMinder options without success but I am stabbing in the dark with this strategy.

[rockedge]

have you worked with AUTH_TYPE set to builtin?
set AUTH_RELAY to hashed and supply a string for AUTH_HASH_SECRET

remove the block

Code: Select all

AuthType Basic
AuthName "ZoneMinder - Unauthorised Access Prohibited"
AuthUserFile /home/mathew/NewtonNet/zmhtpasswds 
Require valid-user

test and see if that works better.

otherwise the login screen should not appear using HTTP basic authentication I don't think.

[MJN]

have you worked with AUTH_TYPE set to builtin?
set AUTH_RELAY to hashed and supply a string for AUTH_HASH_SECRET

remove the block

Code: Select all

AuthType Basic
AuthName "ZoneMinder - Unauthorised Access Prohibited"
AuthUserFile /home/mathew/NewtonNet/zmhtpasswds 
Require valid-user

test and see if that works better.

Thanks for your thoughts on this.

With the configuration as advised, I can log in (via ZoneMinder's own login screen). But my issue is I want to use HTTP basic authentication as I have various other rudimentary clients pulling streams from Zoneminder that can handle HTTP AUTH but seemingly not interface with Zoneminder's built-in authentication. I could of course revert back to v1.32.3 but obviously I'd rather not do that.

otherwise the login screen should not appear using HTTP basic authentication I don't think.

Indeed, and it doesn't with the AUTH-TYPE set to remote. More specifically, it never used to - now I can't get anything to appear when HTTP auth is enabled in Apache because of the endless redirects.

[rockedge]

I understand why you would like it to remain with basic auth.

you are on version 1.34+ correct? have you also enabled Options->System->OPT_USE_LEGACY_API_AUTH ?

I don't think that is it though.

[asker]

Yeah, I think basic auth is completely broken in 1.34. Isaac mentioned it in slack yesterday. I don't use it, but he might be looking into fixing it now (if he hasn't fixed it already)

[MJN]

I understand why you would like it to remain with basic auth.

It always felt quite simple for me, and I've always been confident in its use (when used within HTTPS).

As a temporary workaround I have disabled OPT_USE_AUTH in ZoneMinder and reenabled HTTP AUTH in Apache. This gives me the access control I require, albeit without the ability to control what individual users can do within ZoneMinder. Truth be told that could be an acceptable long-term solution for me as there is only me that accesses it and I'd only set up different users to limit what certain 3rd party devices could access (including my homemade Internet-enable cat feeder of all things!).

you are on version 1.34+ correct? have you also enabled Options->System->OPT_USE_LEGACY_API_AUTH ?

I don't think that is it though.

Worth asking though but, yes, I've tried with that enabled (I think it's the default judging by the explanatory text).

[MJN]

Yeah, I think basic auth is completely broken in 1.34. Isaac mentioned it in slack yesterday. I don't use it, but he might be looking into fixing it now (if he hasn't fixed it already)

Ah, okay! That's actually good news (for me) because I was at a complete loss as to how my Apache config could've been incompatible and no longer giving the intended result. Dare I say it but I even thought 'if I can't get this working I might need to look elsewhere'! As mentioned, I've been using Zoneminder for 13 years now (since 2007) and so it would be with some regret if that ended up being the case.

As mentioned above I've disabled OPT_USE_AUTH and then may well prove to be perfectly acceptable for my requirements with just HTTP AUTH being used to control access (to my Zoneminder installation as a whole rather than restricting access to particular cameras and features).

[MJN]

Aaagh... just discovered someone has already filed a bug here. Apologies for all the noise here.

[iconnor]

I believe I have it fixed in master, will be in 1.34.6.

Lots of interesting considerations though. There may be further work to do here.

[STORTZ]

Again, followed the ZoneMinder destructions and had an issue logging in once I enabled authentication in step two of this painful setup lol..

I did exactly what the instructions said, and boom, couldn't log in with the suggested admin/admin default credentials..

So I updated the creds manually in the database to save me time of an entire reinstall..

Is this the recommended way, probably not. Does it work, yes!

I did the following:

#mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 72
Server version: 5.5.68-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

#MariaDB [(none)]> use zm;
Database changed

#MariaDB [zm]> update Users set Password="yournewfancypasswordthatwillwork" where Username="admin";
Query OK, 1 row affected (0.00 sec)

[sname5978]

You sure Basic Auth is the issue? Had a customer recently where an application using EWS stopped working and it was because it was using an older TLS version which MS is phasing out
momix




indigocard.com activate