
[Forwarded to devs] Event 'CP User Login' triggered despite invalid additional authentication step (MFA)

pleskuser67553

Basic Pleskian

TITLE

Event 'CP User Login' triggered despite invalid additional authentication step (MFA)

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Version 18.0.60 Update #1, AlmaLinux 8.9, Intel Xeon Processor (Skylake, IBRS) (2 core(s))

PROBLEM DESCRIPTION

In Tools & Settings > Tools & Resources > Event Manager, using the event 'Plesk user logged in', and in Tools & Settings > Plesk > Action Log, the CP User Login event is triggered when using a correct username and password, irrespective of additional authentication steps, for example a required TOTP code in Plesk's Google Authenticator extension. Furthermore, in this case, when the user fails to enter the correct TOTP code and clicks Cancel, a logout event is triggered.

This gives the false impression of a successful login to, and logout of, the Plesk UI when the login was actually blocked by the Google Authenticator extension.

A valid username and password but an invalid TOTP code in the Google Authenticator extension does not trigger a 'Plesk user failed to log in' event or a 'CP User Login Attempt Failed' entry in Action Log.

STEPS TO REPRODUCE

Ensure Plesk's own Google Authenticator extension is installed and configured.

Ensure Plesk's own Action Log extension is installed.

In Event Manager set up a command for 'Plesk user logged in', such as a script to email when a successful login occurs, e.g. as in the thread "Resolved - Event Manager - Plesk user logged in not firing".

Test a successful log in to the Plesk UI.

Note the time.

Observe that the Event Manager triggered and executed your command.

Observe that 'CP User Login' appears in Action Log matching the login time and 'Contact Name'.

Log out.

Note the time. Wait a minute or two.

Now log in with the same valid username and password. When prompted for a Google Authenticator code, enter an invalid code and observe the UI saying the code is not valid.

Click Cancel.

Note the time. Wait a minute or two.

Now log in with all the correct credentials.

Observe that the Event Manager triggered and executed your command for 'Plesk user logged in' at the time of the failed TOTP code input (this may be matched via the time stamp of an email, for example), or search for cp_user_login in Log Browser > System.

Observe that 'CP User Login' appears in Action Log matching the login time and 'Contact Name' at the time just before the failed TOTP code was entered.

Observe that 'CP User Logout' appears in Action Log matching the time and 'Contact Name' at the time when the cancel button was clicked.

ACTUAL RESULT

The CP User Login or CP User Login Attempt Failed events appear to be triggered immediately after the Log in button is clicked on the Username and Password prompt, irrespective of possible additional required authentication steps, such as Plesk's Google Authenticator extension.

The CP User Login event is triggered after a valid username and password followed by invalid required additional authentication, such as Plesk's Google Authenticator extension.

Note that the user who fails the additional authentication step remains 'logged in' until the Cancel button is clicked. So if they close the browser tab or navigate away, only a session timeout will 'log out' the user.

To a system admin, successful and unsuccessful logins can appear as CP User Login in the Action Log. A failed TOTP that times out can look like a long successful login.

EXPECTED RESULT

CP User Login is only triggered after all authentication steps are satisfied.

CP User Login Attempt Failed is triggered when any authentication step fails.

Basic Username and Password prompt is one authentication step, Google Authenticator TOTP code is a second authentication step, and so on.

Or, provide additional events to log success or failure of additional authentication steps.

ANY ADDITIONAL INFORMATION

(DID NOT ANSWER QUESTION)

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
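Until the events are fixed, an administrator reviewing Action Log has only the Login/Logout timing to work with. The following is an added example (not code from Plesk or from the original poster) that correlates login and logout records per contact name and flags sessions that were closed within a short window, which is the pattern the report describes for a cancelled TOTP prompt; it also lists logins that never received a logout, which the report notes are ambiguous (a real session or an abandoned TOTP prompt that will only end on session timeout). The pipe-separated log format and the sample records are constructed for the example and are not Plesk's real Action Log layout.

```python
"""Correlate 'CP User Login' / 'CP User Logout' records to surface the
ambiguity described in the bug report.

Assumptions (constructed for this example, not Plesk's real format):
  - each record is "<ISO timestamp>|<event name>|<contact name>"
  - event names match the Action Log labels quoted in the report
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class ActionEvent:
    when: datetime
    event: str      # e.g. "CP User Login", "CP User Logout"
    contact: str    # the Action Log 'Contact Name'


# Constructed sample records: a normal 25-minute session, a login that is
# logged out 25 seconds later (what a cancelled TOTP prompt looks like per
# the report), a login with no logout, and a genuine password failure.
SAMPLE_LOG = """\
2024-05-01T10:00:00|CP User Login|Jane Admin
2024-05-01T10:25:00|CP User Logout|Jane Admin
2024-05-01T10:27:10|CP User Login|Jane Admin
2024-05-01T10:27:35|CP User Logout|Jane Admin
2024-05-01T10:30:00|CP User Login|Jane Admin
2024-05-01T10:31:00|CP User Login Attempt Failed|Bob Ops
"""


def parse_log(text: str) -> List[ActionEvent]:
    """Parse the constructed pipe-separated records into ActionEvent objects."""
    events: List[ActionEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event, contact = line.split("|", 2)
        events.append(ActionEvent(datetime.fromisoformat(ts), event, contact))
    return events


def correlate_sessions(
    events: List[ActionEvent], max_session: timedelta = timedelta(seconds=60)
) -> Tuple[List[Tuple[ActionEvent, ActionEvent]], List[ActionEvent]]:
    """Return (short_sessions, unclosed_logins).

    short_sessions: (login, logout) pairs for the same contact where the
        logout followed the login within max_session. The report states a
        cancelled TOTP prompt yields exactly this Login/Logout pair, so these
        deserve a second look rather than being read as successful sessions.
    unclosed_logins: logins with no later logout for that contact. These are
        indistinguishable here from an abandoned TOTP prompt that will only
        end on session timeout, which is the gap the report describes.
    """
    open_logins: Dict[str, ActionEvent] = {}
    short_sessions: List[Tuple[ActionEvent, ActionEvent]] = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.event == "CP User Login":
            # A second login without a logout simply replaces the open one.
            open_logins[ev.contact] = ev
        elif ev.event == "CP User Logout":
            login = open_logins.pop(ev.contact, None)
            if login is not None and ev.when - login.when <= max_session:
                short_sessions.append((login, ev))
    return short_sessions, list(open_logins.values())


if __name__ == "__main__":
    short, unclosed = correlate_sessions(parse_log(SAMPLE_LOG))
    for login, logout in short:
        print(f"short session for {login.contact}: "
              f"{login.when} -> {logout.when} (possible cancelled MFA)")
    for login in unclosed:
        print(f"login without logout for {login.contact} at {login.when} "
              f"(real session or abandoned MFA prompt)")
```

The 60-second threshold is a tunable guess; a legitimate user can also log in and out quickly, so the output is a review queue, not a verdict, and a failed TOTP that is abandoned rather than cancelled only shows up in the unclosed list alongside every genuine open session.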
 
The issue has been confirmed as a bug with ID PPPM-14413 and will be fixed in a future update. However, there is no ETA for the fix yet.
 