Skip to content

Unable to log into Admin after clean install (without SMTP) #29312

New issue
New issue
Closed
Closed
Unable to log into Admin after clean install (without SMTP)#29312
Labels
Issue: ready for confirmationReported on 2.4.0Indicates original Magento version for the Issue report.stale issue
@DigitalStartupUK

Description

@DigitalStartupUK
DigitalStartupUK
opened on Jul 28, 2020 · edited by DigitalStartupUK

Preconditions (*)

  1. Apache 2.4
  2. PHP 7.4
  3. MySQL 8
  4. Elasticsearch 7
  5. Magento 2.4.0

Steps to reproduce (*)

  1. Clean install of Magento 2.4 (via composer)
  2. Creation of admin account via CLI (part of setup:install command)

Expected result (*)

  1. Logging into Magento 2.4 for the first time allows immediate Google 2FA setup

Actual result (*)

  1. Logging into Admin for the first time presents a warning "Failed to send the message. Please contact the administrator. You need to configure Two-Factor Authorization in order to proceed to your store's admin area An E-mail was sent to you with further instructions". An email is required to complete 2FA. Without an SMTP enabled server, there is no way of retrieving the link to complete 2FA.

Failed without SMTP enabled

Please provide Severity assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.

  • Severity: S0 - Affects critical data or functionality and leaves users without workaround.
    Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
    Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
    Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
    Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

If an SMTP enabled server is required to send a 2FA link to allow for an Admin to complete a first time login, then I feel this should be added as a prerequisite

However, if there is a way to get to the 2FA QR page without the need to receive an email then this should be documented more clearly.

I am aware of the Two-Factor Authentication (MFTF) documentation. Stating that you could bypass this by creating a "Base32-encoded string for the shared secret value" and then "Use the following key to add the encoded value to the MFTF .credentials file."

However, the documentation doesn't provide enough details on the requirements to do this. It also insinuates that this procedure is preferable for a Testing environment and not Development/Production.

If it turns out that these MFTF steps are considered "safe" to complete in a Development/Product environment then it would definately improve QoL if these variables could be set through the bin/magento setup:install values as stated in the Install the Magento software Documentation.

Activity

m2-assistant

m2-assistant commented on Jul 28, 2020

@m2-assistant
m2-assistantbot
on Jul 28, 2020

Hi @DigitalStartupUK. Thank you for your report.
To help us process this issue please make sure that you provided the following information:

  • Summary of the issue
  • Information on your environment
  • Steps to reproduce
  • Expected and actual results

Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, please, review the Magento Contributor Assistant documentation.

Please, add a comment to assign the issue: @magento I am working on this

⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

🕙 You can find the schedule on the Magento Community Calendar page.

📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.

🎥 You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel

✏️ Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

magento-engcom-team
added
Issue: Format is validGate 1 Passed. Automatic verification of issue format passed
on Jul 28, 2020
ghost added
Progress: ready for QA
on Jul 28, 2020
speedupmate

speedupmate commented on Jul 29, 2020

@speedupmate
speedupmate
on Jul 29, 2020
Contributor

It's not directly related as this issue talks that smtp should be a documented requirement but current workaround for dev environments (that don't need to have smtp set up) is simply to disable 2fa

bin/magento mo:di Magento_TwoFactorAuth

DigitalStartupUK

DigitalStartupUK commented on Jul 29, 2020

@DigitalStartupUK
DigitalStartupUK
on Jul 29, 2020 · edited by DigitalStartupUK
Author

But at some point, 2FA needs to be enabled during Development/Production. And there is probably an argument that states "well, surely in a Development/Production environment you would have an SMTP enabled server." But speaking from experience, myself and many others use 3rd party SMTP providers - Which are normally configured in the Admin Backend. It just seems like a really overlooked part of the installation/setup process. What's the point of enforcing 2FA on installation to only immediately disable it?

I'd simply prefer a simple CLI config:set command to generate the same URL that gets sent in the Email. Or even better, have the URL output with the Admin Backend URL notification that you see on successful install.

Post installation file permissions check...
For security, remove write permissions from these directories: '/var/www/html/magento2/app/etc'
[Progress: 274 / 274]
[SUCCESS]: Magento installation complete.
[SUCCESS]: Admin Panel URI: /admin_puu71q
[SUCCESS]: Complete Admin 2FA URI: http://example.com/tfa/example...

I'm trying not to sound negative and whiny, but this lack of clarity is frustrating.

GitSteeve

GitSteeve commented on Jul 29, 2020

@GitSteeve
GitSteeve
on Jul 29, 2020

Hi, i'am exactly on the same point ... same error, same step ... i will try another solution

PawelP1977

PawelP1977 commented on Jul 29, 2020

@PawelP1977
PawelP1977
on Jul 29, 2020

Hi,
What is another solution?

MichaelThessel

MichaelThessel commented on Aug 6, 2020

@MichaelThessel
MichaelThessel
on Aug 6, 2020 · edited by MichaelThessel

What a nightmare. Same issue here. This is the first time I encountered a 2fa setup situation that requires email. Usually you log into admin, enable 2fa and then set up the token logged into admin.

MichaelThessel

MichaelThessel commented on Aug 6, 2020

@MichaelThessel
MichaelThessel
on Aug 6, 2020

In case anyone needs a temporary workaround to get this working without having SMTP set up:

  1. navigate to /admin and log in
  2. you should see the 2FA screen now
  3. add var_dump($url);die; on line 86 in vendor/magento/module-two-factor-auth/Model/EmailUserNotifier.php
  4. refresh /admin
  5. copy the URL that is displayed
  6. remove the var_dump
  7. use the URL copied earlier to navigate to the 2FA setup
isaacBats

isaacBats commented on Aug 6, 2020

@isaacBats
isaacBats
on Aug 6, 2020

A great Magento MX developer has created a module to disable double authentication.
This is the repo Module_EnableDisableTFA.
You can also install it from composer composer require wolfsellers/module-enabledisabletfa

by @Rus0

sudhanshu-bajaj

sudhanshu-bajaj commented on Aug 7, 2020

@sudhanshu-bajaj
sudhanshu-bajaj
on Aug 7, 2020
Contributor

Temporary solution to kick start your development, just disable Magento_TwoFactorAuth module. It worked for me.

bin/magento module:disable Magento_TwoFactorAuth

phanku

phanku commented on Aug 11, 2020

@phanku
phanku
on Aug 11, 2020

Great security feature added for that administration login section of Magento however I have also ran into another weird issue that personally has stopped me from being able to set up 2FA on a fresh install. My issue is that magento does not use the domain name set for the outgoing email when sending the email out to set up 2FA on a fresh install instead it sends the email from owner@example.com. I know normally that might not be a big issue but when sending emails from a server on a more security conscious Enterprise network that email may never actually go to the intended target because of the email domain of @example.com.

I have now disabled the Magento_TwoFactorAuth module as described above and have managed to login to the admin interface but I am now in the process of figuring out how to reenable/set up 2FA.

EstebanAorta

EstebanAorta commented on Aug 15, 2020

@EstebanAorta
EstebanAorta
on Aug 15, 2020

Did you get it to work?

w0d4

w0d4 commented on Aug 26, 2020

@w0d4
w0d4
on Aug 26, 2020

I see the same problem. I cannot get 2FA to work, since the mail is sent from owner@example.com
Since I'm working with a more secure mailserver, I cannot sent mails from example.com domain.
I suggest to add a parameter during installation to set the owners E-Mail adress.

m2-community-project
removed
Progress: ready for QA
on Sep 24, 2020
oviliz

oviliz commented on Oct 10, 2020

@oviliz
oviliz
on Oct 10, 2020

Speechless @magento-admin ...

ghost removed
Issue: Format is validGate 1 Passed. Automatic verification of issue format passed
on Oct 21, 2020
ghost added
Issue: ready for confirmation
on Oct 21, 2020
magento-engcom-team
added
Reported on 2.4.0Indicates original Magento version for the Issue report.
on Nov 13, 2020
fj-sfd

fj-sfd commented on Nov 30, 2020

@fj-sfd
fj-sfd
on Nov 30, 2020

Same issue with me while following Installation quick reference (tutorial) from Magento

for now I have disabled module (until I setup SMTP), as suggested by @speedupmate
bin/magento mo:di Magento_TwoFactorAuth

Jieiku

Jieiku commented on Dec 1, 2020

@Jieiku
Jieiku
on Dec 1, 2020 · edited by Jieiku

Dropping this here for anyone having trouble configuring their mail in order to activate the 2FA.
To clarify, you do this on your Magento2 host, not your mail server.
Once finished just log out of Magento2 WebUI, then log back, you should receive the email.
Be sure to replace all occurrences of YourDomain.com with your domain name.

===============================================================================
configure postfix to be able to send mail
===============================================================================
sudo apt install -y mailutils
  (after this first line, sudo is active, can paste entire block below)

echo "${HOSTNAME}.YourDomain.com" | sudo tee /etc/mailname
echo "/.+/ admin@YourDomain.com" | sudo tee /etc/postfix/sender_canonical
echo "/.+/ admin@YourDomain.com" | sudo tee /etc/postfix/recipient_canonical
#echo "/.*root.*/ admin@YourDomain.com" | sudo tee --append /etc/postfix/recipient_canonical
#echo "/.*user2.*/ admin@YourDomain.com" | sudo tee --append /etc/postfix/recipient_canonical
echo "myhostname = ${HOSTNAME}.YourDomain.com" | sudo tee /etc/postfix/main.cf
echo "mydestination = localhost.YourDomain.com, localhost, ${HOSTNAME}" | sudo tee --append /etc/postfix/main.cf
echo "masquerade_domains = YourDomain.com" | sudo tee --append /etc/postfix/main.cf
echo "smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)" | sudo tee --append /etc/postfix/main.cf
echo "sender_canonical_maps = regexp:/etc/postfix/sender_canonical" | sudo tee --append /etc/postfix/main.cf
echo "recipient_canonical_maps = regexp:/etc/postfix/recipient_canonical" | sudo tee --append /etc/postfix/main.cf
echo "biff = no" | sudo tee --append /etc/postfix/main.cf
echo "append_dot_mydomain = no" | sudo tee --append /etc/postfix/main.cf
echo "alias_maps = hash:/etc/aliases" | sudo tee --append /etc/postfix/main.cf
echo "alias_database = hash:/etc/aliases" | sudo tee --append /etc/postfix/main.cf
echo "relayhost =" | sudo tee --append /etc/postfix/main.cf
echo "mynetworks = 127.0.0.0/8" | sudo tee --append /etc/postfix/main.cf
echo "inet_interfaces = loopback-only" | sudo tee --append /etc/postfix/main.cf
echo "recipient_delimiter = +" | sudo tee --append /etc/postfix/main.cf
echo "compatibility_level = 2" | sudo tee --append /etc/postfix/main.cf
echo "myorigin = /etc/mailname" | sudo tee --append /etc/postfix/main.cf
echo "mailbox_size_limit = 0" | sudo tee --append /etc/postfix/main.cf
echo "inet_protocols = ipv4" | sudo tee --append /etc/postfix/main.cf
sudo postmap /etc/postfix/recipient_canonical
sudo postmap /etc/postfix/sender_canonical
sudo systemctl restart postfix
echo "${HOSTNAME} postfix test" | sudo mail -s "${HOSTNAME} Testing postfix configuration" YourName@YourDomain.com
sudo rm -rf /var/mail/root
sleep 1 && sudo postqueue -p

  if it broke, read the error then delete it:
sudo postsuper -d ALL

sudo cat /etc/hosts

In the above block you will see two lines commented out, they are relevant to what is discussed below:
-------------------------------------------
The Regex in /etc/postfix/recipient_canonical can be adjusted
This line takes any and all destinations and changes them to goto admin@YourDomain.com,
mail delivery is guaranteed to work but you cannot send mail to other recipients
Perfectly Fine for Standalone services that ONLY need to mail one address.
-------------------------------------------
/.+/ admin@YourDomain.com

-------------------------------------------
It can be customized to only catch certain recipients such as root, etc:
-------------------------------------------
/.*root.*/ admin@YourDomain.com

For Magento2, you can just comment out the line for recipient_canonical_maps in your /etc/postfix/main.cf after you have 2FA configured.
stale

stale commented on Feb 21, 2021

@stale
stalebot
on Feb 21, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 14 days if no further activity occurs. Is this issue still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? Thank you for your contributions!

stale
added
stale issue
on Feb 21, 2021
stale
closed this as completedon Mar 7, 2021
Green2Matter

Green2Matter commented on Oct 12, 2021

@Green2Matter
Green2Matter
on Oct 12, 2021 · edited by Green2Matter

Other workaround (https://devdocs.magento.com/guides/v2.4/security/two-factor-authentication.html):
bin/magento config:set twofactorauth/general/force_providers google
bin/magento config:set twofactorauth/google/otp_window 60
bin/magento security:tfa:google:set-secret <admin_user> <Base32-encoded_string_for_the_shared_secret_value>

Base32: https://emn178.github.io/online-tools/base32_encode.html

hgati

hgati commented on Mar 15, 2023

@hgati
hgati
on Mar 15, 2023

Other workaround (https://devdocs.magento.com/guides/v2.4/security/two-factor-authentication.html): bin/magento config:set twofactorauth/general/force_providers google bin/magento config:set twofactorauth/google/otp_window 60 bin/magento security:tfa:google:set-secret <admin_user> <Base32-encoded_string_for_the_shared_secret_value>

Base32: https://emn178.github.io/online-tools/base32_encode.html

What mean ? <Base32-encoded_string_for_the_shared_secret_value>
Is this mean "encoded_string of <admin_user>" ?

oviliz

oviliz commented on Mar 17, 2023

@oviliz
oviliz
on Mar 17, 2023

@hgati no, the admin username (<admin_user>) is before the shared secret (see the linked Magento doc).
The <Base32-encoded_string_for_the_shared_secret_value> must be the encoded string of a chosen key you create manually in Google Authenticator.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    Issue: ready for confirmationReported on 2.4.0Indicates original Magento version for the Issue report.stale issue

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @oviliz@Jieiku@speedupmate@phanku@MichaelThessel

        Issue actions
          Unable to log into Admin after clean install (without SMTP) · Issue #29312 · magento/magento2