Invalid username or password on login (deprecated crypt package) (python3.13.3 breaking)

nu01 · April 24, 2025, 8:04am

I went through all posts here, tried firewall unban etc, literally everything, even the RSA key deletion, but I keep on getting Invalid username or password after giving the password.
I am unable to enter the CP, no matter what. I can login to SFTP, SSH, and auth log only shows DATE TIME admin IP failed to login
There is nothing in any other logs. All systems are running as well. I even rebooted, but not sure why I cannot login anymore. It was working till Tuesday.

v-check-user-2fa admin tokenhere
Error: Authentication token mismatch.

I deleted the token, qr, and even MD5, but I still cannot login.

MD5=''
RKEY=''
TWOFA=''
QRCODE=''

tail -f /var/log/auth.log

2025-04-24T15:35:01.297443+05:30 cp sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1004)
2025-04-24T15:35:01.353824+05:30 cp sudo: pam_unix(sudo:session): session closed for user root
2025-04-24T15:35:01.354967+05:30 cp CRON[27310]: pam_unix(cron:session): session closed for user hestiaweb
2025-04-24T15:35:02.057868+05:30 cp sudo: pam_unix(sudo:session): session closed for user root
2025-04-24T15:35:02.058688+05:30 cp CRON[27309]: pam_unix(cron:session): session closed for user hestiaweb
2025-04-24T15:36:01.062394+05:30 cp CRON[27728]: pam_unix(cron:session): session opened for user hestiaweb(uid=1004) by (uid=0)
2025-04-24T15:36:01.069459+05:30 cp sudo: hestiaweb : PWD=/var/spool/cron ; USER=root ; COMMAND=/usr/local/hestia/bin/v-update-sys-queue restart
2025-04-24T15:36:01.070015+05:30 cp sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1004)
2025-04-24T15:36:01.121808+05:30 cp sudo: pam_unix(sudo:session): session closed for user root
2025-04-24T15:36:01.122833+05:30 cp CRON[27728]: pam_unix(cron:session): session closed for user hestiaweb
2025-04-24T15:38:01.126162+05:30 cp CRON[27779]: pam_unix(cron:session): session opened for user hestiaweb(uid=1004) by (uid=0)
2025-04-24T15:38:01.132346+05:30 cp sudo: hestiaweb : PWD=/var/spool/cron ; USER=root ; COMMAND=/usr/local/hestia/bin/v-update-sys-queue restart
2025-04-24T15:38:01.134254+05:30 cp sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1004)
2025-04-24T15:38:01.182163+05:30 cp sudo: pam_unix(sudo:session): session closed for user root
2025-04-24T15:38:01.182936+05:30 cp CRON[27779]: pam_unix(cron:session): session closed for user hestiaweb

v-check-user-password admin PWD

Traceback (most recent call last):
  File "<string>", line 1, in <module>
    import crypt, os; print(crypt.crypt(os.getenv("PASS"), os.getenv("SALT")))
    ^^^^^^^^^^^^^^^^
ModuleNotFoundError: No module named 'crypt'
Error: password missmatch

nu01 · April 24, 2025, 11:34am

So I solved it. Seems, I had upgraded to python 3.13.3 which has deprecated crypt package and hestia uses crypt package for hashing passwords.
I removed python3.13.3 & reinstalled 3.11.2 for the time being.
I was able to login.

Update: fail2ban gets uninstalled due to uninstallation of python3.11.*, so had to reinstall it via apt.

eris · April 24, 2025, 11:38am

Make sure to run v-change-user-password so the MD5=‘’ is not empty it will break your login after Hestia updates …

nu01 · April 24, 2025, 11:41am

Yes. I already did that and now will turn on 2FA as well.
Do we know what will we be using with python 3.13.3.
I am just lucky I did not break my system.

eris · April 24, 2025, 12:31pm

Still can’t believe it that Python doesn’t has a suitable solution for Yescrypt…

eris · April 24, 2025, 12:42pm

For the new releases we are hoping to replace the current system and build something new based of Symphony instead

nu01 · April 24, 2025, 12:51pm

So kind of from scratch. Woah, I have to say hats off mate.

Fero · April 27, 2025, 7:27am

@eris
@nu01

Hi All,

So, I am also having the same problem after (apt update & apt upgrade with root)
But when I check python version python3 --version :Python 3.10.12

So obviously this isn’t the case for me. Could any one help, please?

And thanks in advance

UPDATE: NO WORRIES I FIXED IT! BUT THERE IS ANOTHER PROBLEM:

The update was unrelated it was just a coincidence, what really happened was that when I tried to click: Do not allow user to log in to Control Panel for a specific user it didn’t work, as after I click: Save it returns to be unchecked.
I then updated, and tried to login as admin, and I recieved this message: Invalid username or password. So I thought it was the update. Then I remembered trying to check the Do not allow user to log in to Control Panel button in another user’s profile.
So I seeked nano /usr/local/hestia/data/users/admin/user.conf and set LOGIN_DISABLED='no' And then I could login normally.

I now have 2 questions:
1- Why when I checked: Do not allow user to log in to Control Panel it wasn’t saved?
2- Why was the admin user affected?

Note: I tried reproducing the issue and I succeeded.