Add the ability to reset the admin password if the user forgot it #512

Open
liyaka opened this issue Jan 19, 2017 · 27 comments

Comments

@liyaka commented Jan 19, 2017

No description provided.

@deviantony (Member) commented Jan 20, 2017

@liyaka You can only change the admin password via the UI. What do you mean by option?

@luckydonald commented Jan 21, 2017

Delete the data folder / volume, probably.

@liyaka (Author) commented Jan 22, 2017

@deviantony if the user forgot the password, there is no option (in UI at least ) to reset the password

@deviantony (Member) commented Jan 22, 2017

@liyaka no, there is no way to reset the admin password if you forgot it at the moment. We'll track this evolution here.

@deviantony changed the title from "Is there an option to reset admin password?" to "Add the ability to reset the admin password if the user forgot it" on Jan 22, 2017

@hammady commented Nov 8, 2017

Maybe the --admin-password flag could be overloaded. Currently, it skips admin user creation if it exists. What I suggest is to reset the admin password if a user was found. Security-wise, a user with access to recreate the container should be given access to reset the password as well.
This is very convenient instead of going to all manager nodes, deleting volumes, then recreating the container (or service).

@deviantony (Member) commented Nov 8, 2017

I don't think this is the way to go, as the admin user can also change his password from within the UI. Meaning that these changes would be overwritten after a restart of the container. That would probably cause trouble.

@hammady commented Nov 9, 2017

@luckydonald commented Nov 10, 2017

How about a --reset-password flag that resets you to the "choose password for admin" GUI?

@colegatron commented Feb 15, 2018

How about --force-create-user, in order to be able to recreate the admin user and so let the password be reset if the administrator exists?

In my case I try to automate everything as much as possible, meaning having to change a password through a UI is usually not an option.

Also, deleting the data volume/folder isn't an option either, because you'll end up losing your config, won't you?

@darkpixel commented Mar 16, 2018

Yeah, deleting the volume causes every stack you have deployed to show up as 'external' and you can't do anything with them. I really don't want to destroy all the stacks in my cluster only to paste them back into portainer to spin them up again.

@luckydonald commented Apr 4, 2018

The web GUI is able to set it. So the node package should just expose a command to run to do the same, with shell access instead of being logged on.

docker-compose exec portainer  npm run portainer-reset-password

I'm not into node that much, but I've seen this be done somehow like this.

@Codelica commented Oct 26, 2018

An older issue here, but we have the need for this as well. Basically wanting to always control the admin password via startup flag(s). Something like an extra --force-* flag seems safe enough, and certainly a better option than losing config and stack control.

@sss1217 commented Oct 31, 2018

Is there a workaround for this? Something like resetting the password if someone forgets it, not through the GUI though?

@pcgeek86 commented Nov 26, 2018

I forgot my password and would like an option to reset it. I suppose I can start a new Portainer container, but that seems counter-intuitive to me. Thanks for the great work you guys are doing on this project! I can't believe I didn't start using this earlier.

@ghost commented Jan 12, 2019

My temporary solution with boltbrowser
Stop portainer, edit portainer.db with boltbrowser and start portainer.

Works great - but a flag could be better.

@Duvel (Contributor) commented Jan 14, 2019

@gisselmann that worked for me as well after the upgrade to 1.20.0 broke my LDAP logon.

For others: remove all users in the bolt DB and Portainer will ask again for a password.

@kongh commented Aug 19, 2019

Today someone (an attack application) is attacking my Portainer, because he guessed my password and got the JWT token, which has not expired. After I changed my simple password, he changed it quickly.

How to improve safety? This is a problem.

Adding human validation for the change-password API is necessary.

@joseluisq commented Aug 19, 2019

@gisselmann @Duvel neither option worked for me. I always got: "access denied to resource".
We are using LDAP.
Unfortunately the only solution was to deploy a new docker stack without LDAP and re-enter our stack configurations.

@Rogiel commented Aug 19, 2019

> Today someone (an attack application) is attacking my Portainer, because he guessed my password and got the JWT token, which has not expired. After I changed my simple password, he changed it quickly.
>
> How to improve safety? This is a problem.
>
> Adding human validation for the change-password API is necessary.

I have also noticed an attack starting today. The attacker is probably not gaining access to your account. What seems to be happening is that Portainer is blocking authentication after 12 failed attempts. The bot is still trying to guess the password after that and authentication remains locked and since authentication is disabled you can't access Portainer.

I would recommend you to block port 9000 and use a frontend server with nginx (or apache if you prefer it). Better yet, block everything and everyone but your IP address.

2019/08/19 17:15:58 Instance already has defined endpoints. Skipping the endpoint defined via CLI.
2019/08/19 17:15:58 Starting Portainer 1.21.0 on :9000
2019/08/19 17:15:58 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:58 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:58 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:58 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:59 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:59 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:59 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:59 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:59 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:59 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:16:00 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:16:00 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:16:00 http error: Access denied (err=Access denied to resource) (code=403)
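
An added example, not code from the thread or from Portainer: detection logic in Go run over the log lines @Rogiel posted above, flagging the burst of failed logins and the point at which the instance-wide lockout tripped. It assumes nothing beyond the line format visible in that log; the threshold, the window size, and the reading of the trailing 403 as the lockout (as @Rogiel interprets it) are choices made here.

```go
// Added example (not from the thread or from Portainer): run detection logic
// over the log lines @Rogiel posted and report the brute-force burst and the
// moment the lockout tripped.
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Log excerpt as posted above (Portainer 1.21.0, 2019-08-19).
const sampleLog = `2019/08/19 17:15:58 Instance already has defined endpoints. Skipping the endpoint defined via CLI.
2019/08/19 17:15:58 Starting Portainer 1.21.0 on :9000
2019/08/19 17:15:58 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:58 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:58 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:58 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:59 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:59 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:59 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:59 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:59 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:15:59 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:16:00 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:16:00 http error: Invalid credentials (err=Unauthorized) (code=422)
2019/08/19 17:16:00 http error: Access denied (err=Access denied to resource) (code=403)`

// Portainer's "http error" line: timestamp, message, err, status code.
var httpErrRe = regexp.MustCompile(`^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) http error: (.*?) \(err=(.*?)\) \(code=(\d{3})\)$`)

type httpErr struct {
	At   time.Time
	Msg  string
	Code string
}

// parseHTTPErrors keeps only the "http error:" lines; startup noise is skipped.
func parseHTTPErrors(log string) ([]httpErr, error) {
	var out []httpErr
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := httpErrRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		at, err := time.Parse("2006/01/02 15:04:05", m[1])
		if err != nil {
			return nil, err
		}
		out = append(out, httpErr{At: at, Msg: m[2], Code: m[4]})
	}
	return out, sc.Err()
}

type report struct {
	Failures    int       // all "Invalid credentials" (422) responses
	MaxInWindow int       // most failures seen inside any one window
	Burst       bool      // MaxInWindow reached the threshold
	Locked      bool      // a 403 followed the failures: the lockout tripped
	LockedAt    time.Time // time of that first 403
}

// analyze slides a window over failed logins and records the first "Access
// denied" that follows them, which is how @Rogiel reads the lockout above.
// These lines carry no client address, so the verdict is per instance, not per IP.
func analyze(log string, threshold int, window time.Duration) (report, error) {
	var r report
	evs, err := parseHTTPErrors(log)
	if err != nil {
		return r, err
	}
	var recent []time.Time // failure times inside the current window
	for _, e := range evs {
		switch {
		case e.Code == "422" && strings.HasPrefix(e.Msg, "Invalid credentials"):
			r.Failures++
			recent = append(recent, e.At)
			for e.At.Sub(recent[0]) > window { // drop failures older than the window
				recent = recent[1:]
			}
			if len(recent) > r.MaxInWindow {
				r.MaxInWindow = len(recent)
			}
			r.Burst = r.Burst || len(recent) >= threshold
		case e.Code == "403" && r.Failures > 0 && !r.Locked:
			r.Locked, r.LockedAt = true, e.At
		}
	}
	return r, nil
}

func main() {
	r, err := analyze(sampleLog, 5, 10*time.Second)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d failed logins, max %d within 10s, burst=%v, locked=%v at %s\n",
		r.Failures, r.MaxInWindow, r.Burst, r.Locked, r.LockedAt.Format("15:04:05"))
}
```

On the posted excerpt this reports 12 failures, all 12 inside a 10-second window, and the lockout at 17:16:00. Because Portainer's own lines name no client, the same sliding window is more useful when run over the reverse proxy's access log, where the source address is present and a single offender can be blocked without everyone losing access.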

@kongh commented Aug 19, 2019

Yeah, I cannot agree more. I had changed the port of Portainer and the password, because of my weak password. This is an attack event; disabling the whole authentication is not the best idea, human validation may be able to resolve it.

This attack affected our applications deployed on Japan, Korea and China servers.

@joseluisq commented Aug 19, 2019

This attack also disabled the authentication for our Portainer manager in Germany.
We immediately took the necessary actions to adjust our proxy and firewall in order to mitigate recurrent retries.

@meezaan commented Aug 21, 2019

I've just noticed this today. Does anyone know how long portainer waits before allowing a login again?

@meezaan commented Aug 21, 2019

OK, I was able to stick a proxy in front of Portainer to deal with the issue.
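
An added example, not configuration from the thread or from Portainer: an nginx front end of the kind @Rogiel recommends and @meezaan put in place. It assumes Portainer is published only on 127.0.0.1:9000 (a compose port mapping of "127.0.0.1:9000:9000" rather than ":9000"), that the login endpoint is POST /api/auth as in Portainer 1.x, and that 203.0.113.0/24 is the admin network; the hostname and the rate values are placeholders.

```nginx
# Added example (not from the thread): nginx in front of Portainer.
# Assumes Portainer listens on 127.0.0.1:9000 only, that logins go to
# POST /api/auth (Portainer 1.x) and that 203.0.113.0/24 is the admin network.
limit_req_zone $binary_remote_addr zone=portainer_login:10m rate=1r/s;

server {
    listen 443 ssl;
    server_name portainer.example.com;
    # ssl_certificate / ssl_certificate_key omitted

    # First line of defence: nobody outside the admin network reaches Portainer,
    # so a bot cannot trip the instance-wide lockout described above.
    allow 203.0.113.0/24;
    deny all;

    # Second line: a per-client throttle on the login endpoint only, for the
    # case where the allow list has to be wider. Calls carrying a valid JWT
    # go through location / and are not throttled.
    location = /api/auth {
        limit_req zone=portainer_login burst=5 nodelay;
        limit_req_status 429;
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;      # container console websocket
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The throttle is keyed on the client address as nginx sees it, so it only helps if nginx itself is the edge; behind another proxy or load balancer the key has to come from the forwarded address instead, or every client shares one bucket. The allow list is what actually prevents the lockout in the thread: Portainer's lockout is per instance, so one bot that can reach the login endpoint locks everyone out regardless of the password strength.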

@luckydonald commented Aug 21, 2019

For the stuff not really related to the implementation of a password change functionality, could you please open a new issue.

So this one stays on topic.

@meezaan commented Aug 26, 2019

@luckydonald Sorry, that was actually my initial problem which led me to discover the attack. I also used boltbrowser to reset the password.

@mangei commented Oct 9, 2019

> My temporary solution with boltbrowser
> Stop portainer, edit portainer.db with boltbrowser and start portainer.
>
> Works great - but a flag could be better.

Thanks!

To set the password you have to update the JSON of the 'user' property with your BCrypt-encoded password.

I wrote a java application for that: https://gist.github.com/mangei/e70a243236cdd0a53565f76f66c2e065

@deviantony added this to the next milestone Oct 14, 2019
@deviantony removed this from the next milestone Oct 31, 2019
@deviantony removed the shortlist label Oct 31, 2019

@liuzhaowei55 commented Nov 29, 2019

> > Today someone (an attack application) is attacking my Portainer, because he guessed my password and got the JWT token, which has not expired. After I changed my simple password, he changed it quickly.
> > How to improve safety? This is a problem.
> > Adding human validation for the change-password API is necessary.
>
> I have also noticed an attack starting today. The attacker is probably not gaining access to your account. What seems to be happening is that Portainer is blocking authentication after 12 failed attempts. The bot is still trying to guess the password after that and authentication remains locked and since authentication is disabled you can't access Portainer.
>
> I would recommend you to block port 9000 and use a frontend server with nginx (or apache if you prefer it). Better yet, block everything and everyone but your IP address.


The same question.
