![[Note]](/media/com_docimport/admonition/note.png) | Note |
|---|---|
|
This only applies to Akeeba Solo (standalone). Akeeba Backup uses the native user management of the site it runs inside. |
As you know, Akeeba Solo needs you to log in with a username and password to use it. These are called user accounts, or "users" for short. Each user can have different privileges. This allows you, for example, to have one user which can only take backups but not view or modify the configuration settings. This can come in handy when you want to task someone else with taking and managing backups, but only you have the required access privileges to perform a full configuration of Akeeba Solo. All of this can be performed in the User manager page.
The User manager page
At the top of the page you can find three buttons. will let you create a new user. lets you edit the selected user. You can select a user by checking the checkbox to its left. Please note that if you have selected multiple users only one of them will be edited (which one depends on the sorting of the page and the IDs of the selected users). The button will remove all selected users. This action is irreversible. If you accidentally delete all users and can no longer log in to Akeeba Solo you will need to create a new super user.
Below that you can see the headers of the table. Clicking on one of the headers will sort the table by this field. Clicking on it again will change the sort order between ascending and descending. The field currently used for sorting is denoted by the small triangle next to its name. The direction of the arrow tells you if the sort order is ascending or descending.
Immediately below you will find the display filters. Entering something here will filter the displayed data to include records that match your filters. For example, you can enter a partial username in the Username filter field to only display users which have that text in their username.
Clicking on any field of each row will open the Edit page, without having to select it and click on the button.
The User editor page
The user editor page is displayed when you are creating a new user or editing an existing one. At the top of the page you can see two buttons. will save your settings and return you to the user manager page. will abort all changes and return you to the user manager page.
You can set up the following fields:
- Username
-
The username of this user. It's best to use only lower and upper case unaccented characters a-z, numbers 0-9, dashes and underscores. Other characters may not work on all servers.
- Password
-
If you are creating a new user, you must enter the password. You cannot have a user with a blank password. It's best to use only lower and upper case unaccented characters a-z, numbers 0-9, dashes and underscores. Other characters may not work on all servers. If you are editing an existing user you don't have to enter a password here unless you wish to change the user's password.
Please remember that passwords are case sensitive. ABC, Abc and abc are three different passwords.
- Repeat password
-
If you had to enter a password above please repeat it here.
-
Enter the email address associated with this user. Each email address can be associated with only one user; you can't use the same email address on more than one users.
- Full name
-
Enter the full name of the user. This is only for your reference.
- Permissions
-
Choose the permissions of the user:
-
Take backups. Allows the user to take and manage backups.
-
Configure. Allows the user to modify the system and backup profile configuration. Users with this permission activated are called Super Users because they have the rights to create, delete and modify users in the system.
-
Download backups. Allows the user to download backups from the Manage Backups page.
-
Below that you can find the Two Factor Authentication setup options. This is an optional feature. For more information on what it does and how to enable it please consult the Two Factor Authentication section further below.
If you have forgot your user's password, or accidentally deleted it or modified its permissions and can no longer log in to Akeeba Solo do not worry. There are two alternative solutions.
1. Doing a partial
reinstall. First rename the file
Solo/assets/private/config.php to
Solo/assets/private/config.php.bak Now just
try accessing Solo again. You will see the web installer. Go
through it completely, as if you were installing Solo for the
first time. Don't worry, your backups will not be lost. Remember
to use the same database connection information as your existing
Solo installation and the same username as the user you forgot the
password for / modified their privileges. After it's finished,
rename the config.php.bak file back to
config.php and try logging in to Akeeba Solo
again.
2. Resetting the password through the database. This is for more advanced users. Using your favourite database editor (e.g. phpMyAdmin) find the table whose name ends in _ak_users. Check the username column to find your user account's record. Change its password column to:
$2y$10$.I8mh9ozEUOyYTWEoZIu9egiUYSqmcUCV5RQ94YdQh.iRqSS2Ijh6
You can now log in using your username and the password changeme (all lowercase, no spaces).
If this didn't work, which is very possible on PHP versions 5.3.9 or earlier, please change the password column to:
MD5:27a7c51de96d731899dc84bb4b9bd521:emergency
and try logging in using your username and the password changeme (all lowercase, no spaces). If both fail please follow the first method.
Accessing Akeeba Solo, like all web applications, requires you to login with a username and password. The major drawback with a username and password is that they are usually left unchanged for a long period of time and impersonal. If someone can guess or steal them they can log in to the Akeeba Solo application and gain access to your backups.
Malicious actors ("hackers") actively try to do that by using software which attempts combinations of common and predictable usernames and passwords, checking if the guess was correct. This is called "brute forcing". It's a lengthy process but very often successful. On top of that, accessing the login over an untrusted network such as the open Wi-Fi network of a cafe, an airport, a library or your neighbour makes it possible for "man-in-the-middle attacks", i.e. someone listening in to your connection to the server, allowing them to steal your username and password.
The solution to this problem is Two Factor Authentication (TFA). Its name springs from the fact that in order to log in you need something you know (username and password) and something you have. This last bit makes all the difference. On top of your username and password you also need to enter a secret code that changes all the time. The proper term for this secret code is OTP which stands for One Time Password. This is generated by something you own, be it your smartphone or a dedicated hardware token.
If you have ever used e-banking you may already be familiar with Two Factor Authentication and OTPs. The chances are that your bank has given you a small device that usually looks like a key fob with a button and a small screen. When you press the button a six digit code appears and you have to type it in to the e-banking site to make a transaction. Press the button again, a new number appears. Several variations of this principle exist. For example some banks will send you this code as a text message (SMS). All of these codes are OTPs and all these methods are Two Factor Authentication.
Akeeba Solo provides you with the same sophisticated Two Factor Authentication technology that your bank is using, with or without a dedicated hardware device. At the end of the day you will have an extremely hard to compromise backup system that you can rely on. So, even though two factor authentication is an optional feature we strongly advise you to enable it for increased security of your Akeeba Solo installation.
One Time Emergency Codes and recovering access
The biggest worry when you are using two factor authentication is what happens should you misplace your two factor authentication device or if it somehow gets corrupt, broken or inoperable. You would reasonably assume that you'd be locked out of your Akeeba Solo installation. This is where the One Time Emergency Codes come into play.
![[Tip]](/media/com_docimport/admonition/tip.png) | Tip |
|---|---|
|
You can see the One Time Emergency Codes for a user account which has TFA already enabled when you try to edit that user account. |
After enabling two factor authentication on a user account, edit it again. Now the TFA area has been replaced with a list of one to ten One Time Emergency Codes. Print this list and keep it in a safe place, e.g. your wallet. If you can't use your TFA device to generate a security code use one of these emergency codes and cross it off the list. After using a code just once it will no longer work. That's why they are called "one time". After logging in to Akeeba Solo remember to edit your user account and disable the two factor authentication.
If you run out of emergency codes you will no longer be able to log in to your Akeeba Solo installation should your TFA device be inaccessible for any reason. If you use up all your emergency codes disable the TFA, save the user account and then re-enable the TFA. A new set of codes will be generated for you. Remember to print out the new set of codes!
This is the most typical Two Factor Authentication method. On top of your username and password you have to enter a six-digit code which changes every 30 seconds. This code is generated by your smartphone using the Google Authenticator application which is available free of charge from Google by visiting http://m.google.com/authenticator from your mobile device. If you do not have a compatible smartphone or you do not want to use Google Authenticator you can use any application compatible with RFC 6238. You can find links to some of them, including applications for Windows Phone, in Wikipedia. The rest of this chapter assumes that you are using the Google Authenticator application.
In order to enable it you have to go to the User Manager
page and click on your user account. Towards the bottom of the
page you will see the Two Factor Authentication
method drop-down. Select Google
Authenticator. A new pane opens below.
The easiest way to set up your Google Authenticator application is using the QR code (two dimensional barcode) displayed on the page. Open Google Authenticator on your smartphone and choose to add a new account. When it asks you how you want to add it, choose the option to scan a barcode. Point your camera to your screen trying to put the QR code in the middle of the viewfinder, filling most of it with the contents of the QR code. You will see the account being added to Google Authenticator right away.
Now scroll a little further down the page. There is the Security Code text box. Type in the six digit code provided by Google Authenticator on your smartphone, then scroll all the way up and click on the button.
Next, we need to verify that Google Authenticator was
enabled on your user account. Click on your user again. You
should see that under the Two Factor Authentication
method drop-down the Google
Authenticator option is selected. If not, please check
the following:
-
Is your server's clock set up correctly? There should be a time drift of no more than 10 seconds. We recommend synchronising the clock with a network time server for best results. Most servers do that automatically.
-
Is your smartphone's clock set up correctly? There should be a time drift of no more than 10 seconds. We recommend synchronising the clock with a network time server for best results. Most smartphones do that automatically.
-
Is your server timezone set correctly in your server's
php.inior Akeeba Solo's system configuration? If you choose the wrong timezone it is possible that you get a time drift of several hours, making authentication with Google Authenticator impossible.
This is the easiest Two Factor Authentication method, using a hardware token that is connected directly to your device using a USB port or NFC communications. You can find more about the different editions of YubiKey in YubiCo's site. Using this method, on top of your username and password you will have to connect the YubiKey hardware token to your computer via USB or NFC and touch its button. This will create a one-time, cryptographically secure code which will be validated against YubiCo's servers for authenticity. The hardware tokens cost about $20 apiece and are extremely rugged. You can even use them with mobile devices either directly (if you have a YubiKey Neo and a mobile device which supports NFC communications) or using a USB connector. We have successfully used YubiKey on iOS using the Apple Camera Adapter –the one with the female USB port– and on Android using a USB OTG adapter cable. The rest of these instructions assume that you are using a YubiKey Standard on a regular desktop/laptop.
In order to enable it you have to go to the User Manager
page and click on your user account. Towards the bottom of the
page you will see the Two Factor Authentication
method drop-down. Select YubiKey. A
new pane opens below.
Scroll a little further down the page. There is the Security Code text box. Connect your YubiKey to your computer's USB port. Once the green LED light is stable touch the golden button for about 1 second. A long code is automatically typed into this box. Now scroll all the way up and click on the button.
Next up, we need to verify that YubiKey two factor
authentication was enabled on your user account. Click on your
user again. You should see that under the Two Factor
Authentication method drop-down the
YubiKey option is selected. If not, please
check the following:
-
Do you have a server firewall? If you do, you need to enable TCP/IP communications over ports 80 and 443 to api.yubico.com, api2.yubico.com, api3.yubico.com, api4.yubico.com and api5.yubico.com
-
Do you have URL fopen() wrappers enabled in your php.ini or the PHP cURL module enabled? You need either of these for YubiKey authentication to work.
-
Is your computer's clock set up correctly? There should be a time drift of no more than 10 seconds. We recommend synchronising the clock with a network time server for best results.
-
Can you verify your YubiKey against YubiCo's test page? If not, you will have to use the YubiKey Personalisation Tools to reconfigure your YubiKey.