[ZBX-21376] auto-login can't be disabled system wide Created: 2022 Jul 21 Updated: 2024 Feb 23 |
|
| Status: | Confirmed |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | Server (S) |
| Affects Version/s: | 6.0.6 |
| Fix Version/s: | None |
| Type: | Problem report | Priority: | Trivial |
| Reporter: | Djerk Geurts | Assignee: | Zabbix Development Team |
| Resolution: | Unresolved | Votes: | 2 |
| Labels: | LDAP, authentication, login, security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Ubuntu 20.04 LTS |
||
| Issue Links: |
|
||||
| Description |
|
Steps to reproduce:
Result: |
| Comments |
| Comment by Antons Sincovs [ 2022 Aug 12 ] |
|
As a workaround - an SQL query can be used. For MySQL backend: Here is how you can check which users have auto-login enabled in their profiles: For Zabbix 5.0 SELECT ALIAS AS "User name", CASE autologin WHEN 1 THEN "Enabled" WHEN 0 THEN "Disabled" END AS "Autologin setting" FROM users; For Zabbix 6.0 SELECT username AS "User name", CASE autologin WHEN 1 THEN "Enabled" WHEN 0 THEN "Disabled" END AS "Autologin setting" FROM users; And this is the query on how to disable "auto-login" for all users (both 5.0 and 6.0, MySQL and PostgreSQL): UPDATE users SET autologin=0; |
| Comment by Djerk Geurts [ 2022 Aug 12 ] |
|
Will this block users from enabling it on their accounts? |
| Comment by Antons Sincovs [ 2022 Aug 12 ] |
No, it will just set it to disabled for all users. |
| Comment by Antons Sincovs [ 2022 Aug 12 ] |
|
If you would like to uncheck the "Remember me for 30 days" option which is checked by default, comment out the line:
->setChecked($data['autologin'])
to
// ->setChecked($data['autologin'])
In the "/usr/share/zabbix/include/views/general.login.php" Remember, that when performing upgrade to any major/minor version - this customization will not be preserved. |
| Comment by Djerk Geurts [ 2022 Oct 08 ] |
Thank you for the suggestion. It's unfortunate that these things aren't configurable in a way that survives upgrades. I'm not sure the guys doing the upgrades will remember to implement code changes like these. |
| Comment by Djerk Geurts [ 2022 Oct 08 ] |
|
Wouldn't it be better to comment out the option entirely? // ->addItem( // (new CCheckBox('autologin')) // ->setLabel(_('Remember me for 30 days')) // ->setChecked($data['autologin']) // ) |
| Comment by Djerk Geurts [ 2024 Feb 23 ] |
|
Has anything regarding this changed since v6.0? |
| Comment by Djerk Geurts [ 2024 Feb 23 ] |
|
How could one disable the option under user settings? Removing the option on login doesn't disable the option in a user's own profile. |
| Comment by Djerk Geurts [ 2024 Feb 23 ] |
|
The following edit removes the auto-login option from the user profile page: /usr/share/zabbix/app/views/administration.user.edit.php // $user_form_list->addRow(_('Auto-login'), // (new CCheckBox('autologin')) // ->setUncheckedValue('0') // ->setChecked($data['autologin']) // ); |
| Comment by Djerk Geurts [ 2024 Feb 23 ] |
|
Of course, this would not be needed if Zabbix checked the user status in LDAP when a user reconnects. I'm unaware of this, so please enlighten me if my assumption is wrong. |