You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 26 Next »

Table of Contents

Logging In For the First Time

After installation is complete, the initial login occurs automatically. To log in subsequently, visit http://www.yourdomain.com/[installation_directory]/admin/login or http://www.yourdomain.com/[installation_directory]/index.php/admin/login and enter the username and password specified during installation. The URL is determined whether the .htaccess file that ships with Blesta is present. If mod_rewrite is not supported by the webserver, it must be deleted and the URL with "index.php" specified must be used.

If your hosting provider installed Blesta for you, or provided a VM image to do so, and you did not specify a username and password, they may have already set up a login for you. If the system is installed, and a login has not yet been created, accessing the login page will prompt you to create one. Review their documentation, or contact them to determine what you should use to login if you are prompted.

Configuring Two-Factor Authentication

Two-Factor authentication is highly recommended as a security precaution against unauthorized access to your account. Blesta supports both MOTP and TOTP. The following mobile applications are recommended for Android and iOS, respectively, and many others are supported as well.

For Android
  1. Android Token - http://code.google.com/p/androidtoken/
  2. Google Authenticator - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
For iOS (iPhone, iPad)
  1. OATH Token - http://itunes.apple.com/us/app/oath-token/id364017137?mt=8
  2. Google Authenticator - https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8

Google Authenticator

As of Blesta 3.1, a QR code may be scanned from Google Authenticator to set it up. If you are running an earlier version of Blesta, continue reading.

Using Google Authenticator with Blesta is pretty straight forward, but requires a little manipulation to get the key in the correct format. Blesta expects TOTP keys to be in hexadecimal format (base16), but Google Authenticator uses base32. So we have to convert our Google Authenticator keys into hexadecimal before storing in Blesta.

There are a number of online utilities to perform this operation. Here’s one:http://www.darkfader.net/toolbox/convert/.

As an example, “PEHMPSDNLXIOG65U” (in base32) becomes “790ec7c86d5dd0e37bb4″ in hexadecimal. Simply select Time-based One Time Password as the two factor authentication method in Blesta then enter the converted (hexdecimal) value and you’re good to go.

For YubiKey
  1. For instructions on setting up your YubiKey to generate TOTP tokens visit http://www.yubico.com/totp
  2. If you follow the instructions provided by yubico you will need to convert your Google secret key from base32 into hexadecimal (base16) format before adding it to Blesta. Instructions on doing that are provided in the note above.

 

To set up Two-Factor Authentication, visit the "My Info" link at the top of any staff page.

If you have access to add additional Staff, you can set up Two-Factor Authentication at account creation under [Settings] > [System Settings] > Staff.

Resetting a Password

Clients and Staff members may request to reset their password from their respective log in screens by clicking the Reset Password link. Users are then asked to enter their username, and, if a match is found, an email with a temporarily link is sent to the address on file. Clicking the link will take the user to a page that will allow them to enter a new password.

By default Blesta will display a success message for all reset requests, regardless of whether or not a match is found. This is a security measure designed not to reveal information about users that may or may not exist within the system. You can disable this feature by modifying the Blesta.default_password_reset_value Configuration Files value.

The length of time that the reset password link is active for is controlled by the Blesta.reset_password_ttl Configuration value.

Logging in From Another Page as a Client

By default, clients log in at /client/login. Blesta makes use of CSRF tokens by default, so logging in directly from another page will not work by default. To get around this restriction it's necessary to edit your config/blesta.php config file to add an exception. Back up, and then open config/blesta.php in a UTF-8 friendly text editor. Look for this line:

Configure::set("Blesta.csrf_bypass", array());

Change it to:

Configure::set("Blesta.csrf_bypass", array('client_login::index'));
  • No labels