Reset login password

[PhilipSchmid]

Hi there,

I would like to know if it's possible to reset the password of the admin user account?

I saw that in the ETCD there is a password hash:

[root@node1 contiv]# etcdctl get /auth_proxy/local_users/admin
{"username":"admin","first_name":"","last_name":"","disable":false,"password_hash":"JDJhJDEzJGY2ZkhSU2E5NTg2bTRDTV......TmZhR0dJS1VFdm1WTnFzYTR6UTZH"}

What kind of hash is this? SHA256? If so it should be no problem to reset the password, right?

etcdctl set /auth_proxy/local_users/admin <JSON with new PW hash>

Perhaps this could be added to the documentation.

Thanks.

Regards,
Philip

[dseevr]

Hi @PhilipSchmid,

There's no functionality in our code to do this right now, but that password is a bcrypt hash with a work factor of 13.

You could use the following snippet to generate a replacement password hash: https://gist.github.com/dseevr/008c4ca40d987dbcae726c90f470b772

And, you are correct, you could simply etcdctl set it. :)

The work factor can be whatever you want, but we chose 13 as a good tradeoff of login time (more CPU power required to calculate the hash from the plaintext) and futureproofing.

[rhim]

Closing this since workaround has been documented. We have recorded a work item to create a utility for this in future.

[PhilipSchmid]

Hi @dseevr,

I tried to set the password via etcdctl set like this:

[root@node1 ~]# etcdctl set /auth_proxy/local_users/admin "{\"username\":\"admin\",\"first_name\":\"\",\"last_name\":\"\",\"disable\":false,\"password_hash\":\"\$2a\$13\$fSg1fedeYfX.M0BqcaNGs.2kI1XRnktp3a4h7UmUOAQ3QXnZ7uHYW\"}"
{"username":"admin","first_name":"","last_name":"","disable":false,"password_hash":"$2a$13$fSg1fedeYfX.M0BqcaNGs.2kI1XRnktp3a4h7UmUOAQ3QXnZ7uHYW"}
[root@node1 ~]# etcdctl get /auth_proxy/local_users/admin
{"username":"admin","first_name":"","last_name":"","disable":false,"password_hash":"$2a$13$fSg1fedeYfX.M0BqcaNGs.2kI1XRnktp3a4h7UmUOAQ3QXnZ7uHYW"}

As you can see, I had to escape the the " and $.

For the password hash generation I used your code snipped with the following constants:

const (
        password = "admin"
        workFactor = 13
)

As password I have chosen the default one (admin).

phil$ go run main.go 
"admin" -> "$2a$13$fSg1fedeYfX.M0BqcaNGs.2kI1XRnktp3a4h7UmUOAQ3QXnZ7uHYW"

Unfortunately the login is still not working and the auth_proxy docker container shows the following lines in the log:

time="2017-06-19T07:33:39Z" level=error msg="failed to authenticate user, err:Failed to unmarshal local user \"admin\" info 0" 
time="2017-06-19T07:33:39Z" level=info msg="Invalid username/password"

Do you have a guess what I've done wrong?

Thanks!

Regards,
Philip

[dseevr]

Hi @PhilipSchmid,

I actually just wrote the utility to do this about an hour ago 😄 #149

(finishing integrating it into our systemtests right now)

If you want to try it, you can grab the reset_local_user_password/main.go file from that PR and compile it. You'll need to run it like:

./reset_local_user_password --data-store-address=etcd://host:port

Alternatively, we check at startup whether the default users exist and add them if they do not. It seems like you could just delete the admin user's key from etcd and restart auth_proxy and it will recreate him + his default authorization. If you've done anything serious with that user, I'd save a backup copy of the record just in case.

[PhilipSchmid]

Haha awesome 👍 .

Unfortunately the reset_local_user_password tool shows nearly the same error as the auth_proxy docker container:

macbookpro:reset_local_user_password phil$ go get github.com/contiv/auth_proxy
macbookpro:reset_local_user_password phil$ go build .
macbookpro:reset_local_user_password phil$ ./reset_local_user_password --data-store-address=etcd://node1:2379
Username: admin
2017/06/19 10:07:34 unexpected error when fetching user record: Failed to unmarshal local user "admin" info 0

The difference is, that the auth_proxy container showed \"admin\" instead of "admin".

The ETCD cluster is reachable from my notebook so this shouldn't be the issue:

macbookpro:reset_local_user_password phil$ etcdctl --endpoints http://node1:2379 get /auth_proxy/local_users/admin
{"username":"admin","first_name":"","last_name":"","disable":false,"password_hash":"$2a$13$fSg1fedeYfX.M0BqcaNGs.2kI1XRnktp3a4h7UmUOAQ3QXnZ7uHYW"}

I now tried to delete the admin key and restarted the auth_proxy container:

macbookpro:reset_local_user_password phil$ etcdctl --endpoints http://node1:2379 rm /auth_proxy/local_users/admin
PrevNode.Value: {"username":"admin","first_name":"","last_name":"","disable":false,"password_hash":"$2a$13$fSg1fedeYfX.M0BqcaNGs.2kI1XRnktp3a4h7UmUOAQ3QXnZ7uHYW"}
macbookpro:reset_local_user_password phil$ etcdctl --endpoints http://node1:2379 get /auth_proxy/local_users/admin
Error:  100: Key not found (/auth_proxy/local_users/admin) [17512636]

# Restart the auth_proxy container:
[root@inslnxcl01 ~]# docker restart 057d7c6bf65d
057d7c6bf65d

macbookpro:reset_local_user_password phil$ etcdctl --endpoints http://node1:2379 get /auth_proxy/local_users/admin
{"username":"admin","first_name":"","last_name":"","disable":false,"password_hash":"JDJhJDEzJG5tT2RlTllDTWd6VnA5OHVteUpGa2VOVWdKamlidjdyaTRER0xnTVh5Qk5XdHkuQXlTWWFh"}

It still does not work and the auth_proxy shows the following log:

time="2017-06-19T08:22:08Z" level=error msg="failed to authenticate user, err:crypto/rsa: decryption error" 
time="2017-06-19T08:22:08Z" level=info msg="Invalid username/password"

If I now try to run reset_local_user_password again, your tool seems to work:

macbookpro:reset_local_user_password phil$ ./reset_local_user_password --data-store-address=etcd://node1:2379
Username: admin
Password: 
Confirm password: 
Password for the local user 'admin' has been successfully changed.

Unfortunately the auth_proxy log still shows the same error as pointed out above.

Thanks!

Regards,
Philip

[dseevr]

Hmm, I'm not having any issues here...

➜  /tmp docker run --rm --net=host --entrypoint /etcdctl quay.io/coreos/etcd:v2.3.8 --endpoints 192.168.2.54:6666 get /auth_proxy/local_users/admin                                      
{"username":"admin","first_name":"","last_name":"","disable":false,"password_hash":"JDJhJDEzJDVFd080QkRyU1NyNkFkdHFEUWFYTi5RWHJHMy5oWE42T2ZRSVNaSi84NWllSlFHQVgwTC5l"}

➜  /tmp curl -k -d '{"username":"admin","password":"foobar"}' -w "\n" https://192.168.2.54:10000/api/v1/auth_proxy/login/                                        
{"error":"Invalid username/password"}

➜  /tmp docker run --rm --net=host -it --entrypoint /reset_local_user_password contiv/auth_proxy:devbuild --data-store-address=etcd://192.168.2.54:6666 
Username: admin
Password: 
Confirm password: 
Password for the local user 'admin' has been successfully changed.

# changed password to "foobar"

➜  /tmp docker run --rm --net=host --entrypoint /etcdctl quay.io/coreos/etcd:v2.3.8 --endpoints 192.168.2.54:6666 get /auth_proxy/local_users/admin    
{"username":"admin","first_name":"","last_name":"","disable":false,"password_hash":"JDJhJDEzJEVrczNua09ybVgwMUFxczladkN2NGVxeklsZDVmV3ZGdVdzVVRnWml1MmVEaHBSdFhaUC5D"}

➜  /tmp curl -k -d '{"username":"admin","password":"foobar"}' -w "\n" https://192.168.2.54:10000/api/v1/auth_proxy/login/                              
{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0OTc4OTc3MTYsImlzcyI6ImF1dGhfcHJveHkiLCJwcmluY2lwYWxzIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW4iLCJ1c2VybmFtZSI6ImFkbWluIn0.BWaeydo3MlsAQzlz77OmK0PxeOJoVFr6yviAMzGUPyk"}

It's pretty late here (almost 2am), so I'll need to get back to you in the morning about this. 😄 Sorry for the inconvenience!