No 'resetToken' for admin password reset
-
@wu-lee Can you try the new instructions at https://docs.cloudron.io/user-management/#admins ?
-
Thanks - trying this I get:
root@ubuntu-2gb-hel1-2:~# sudo cloudron-support --owner-login
Login as NULL / <redacted> . Remove /home/yellowtent/platformdata/cloudron_ghost.json when done.
So I think the NULL means something didn't quite work. (The NULL is literally what I see; <redacted> is a redacted password.)
Trying to log in as NULL plus the password fails. (Editing the file cloudron_ghost.json to have admin or superadmin instead, and then using those doesn't work either.)
-
@wu-lee That's strange. To take a step back, have you finished your Cloudron installation and created a superadmin in the first place? If you did not, you have to go to https://<ip> address and complete the installation.
If you did, can you check the output of:
mysql -uroot -ppassword -e "SELECT username FROM box.users WHERE role='owner'"
(You can paste the above command as-is).
-
Ok, finding and reading the cloudron-support script, I can replicate what it's doing (without the LIMIT 1):
root@ubuntu-2gb-hel1-2:~# mysql -NB -uroot -ppassword -e "SELECT username FROM box.users WHERE role='owner' "
mysql: [Warning] Using a password on the command line interface can be insecure.
NULL
wu-lee
NULL
NULL
The problem is there are four accounts which have the role "owner", and the one I am trying to reset has the username wu-lee - but for reasons I don't know the others have no username (they were added after finishing the install, to allow other admins to log in; although I suspect they never have.)
But it also means I guess I can edit the json file to use the username wu-lee.
And logging in as wu-lee now works! (Although perhaps editing the file was not necessary, I've not checked that.)
-
@wu-lee Ah good catch! I have fixed the query for the next release - https://git.cloudron.io/cloudron/box/-/commit/9b2a3d23b2f72411c89b522f8a23abdcfbe86782
The reason others have no username is because you have invited them but they haven't logged in yet and selected a username.
-
Thanks for the quick response.
One potential confusion I anticipate is that it picks one of the owner accounts at random, and the person doing the reset (me) might not realise/want that account. Perhaps either:
- specifying which superadmin isn't really necessary, they could all be enabled?
- one of them could be selected less indeterminately, perhaps the oldest?
- or the superuser selected by the resetting user at an interactive prompt?
-
@wu-lee The tool is not meant to be Cloudron's recommended password reset mechanism. It's the tool of last resort if the Cloudron cannot send email and the owner/superadmin of cloudron is locked out and has only ssh access. We (cloudron team) use this tool to log in to our customers' servers as well so that our customers do not need to give us their password (i.e. when they give us ssh access, we can now log in to debug things).
The way I see it:
-
If email is working, there is no problem. You can just go to dashboard -> password login form -> Forgot password.
-
If email is not working, if you have other superadmins, you can ask them to go to Users view and give you a password reset link. Note that giving you a password reset link does not require email to work, you can just copy the link from that dialog.
-
If email is not working and you are the only superadmin, then cloudron-support is the tool to use. This is why the logic is not super complicated in that script.
But as you figured you can just put a json in that ghost file /home/yellowtent/platformdata/cloudron_ghost.json and that's it:
{"username": "sometemporarypassword" }
Let me know if I missed some use case.
-
-
Ok, that's fair enough.
@girish said in No 'resetToken' for admin password reset:
But as you figured you can just put a json in that ghost file /home/yellowtent/platformdata/cloudron_ghost.json and that's it:
{"username": "sometemporarypassword" }
However, this might be worth adding to the documentation.
-
Done. I also made a change now where that ghost file is automatically removed after you use it once to login. Just in case, people forget to remove it.
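
An added example, not part of the thread and not Cloudron's code: a check an administrator could run to spot a ghost file that was left behind, including the literal NULL username seen above. It assumes only the path and the {"username": "password"} layout quoted in the thread; the function name and messages are illustrative.

```python
import json
import os
import stat
import sys
import time

# Path taken from the thread; everything else here is illustrative.
GHOST_PATH = "/home/yellowtent/platformdata/cloudron_ghost.json"


def audit_ghost_file(path=GHOST_PATH, now=None):
    """Return findings about a ghost login file; an empty list means none exists."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return []
    now = time.time() if now is None else now
    age_min = max(0, int(now - st.st_mtime) // 60)
    findings = [f"ghost file present ({age_min} min old): remove it when done"]
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible to group/other and holds a plaintext password")
    try:
        with open(path, encoding="utf-8") as fh:
            entries = json.load(fh)
    except (OSError, ValueError) as exc:
        findings.append(f"cannot read or parse file: {exc}")
        return findings
    if not isinstance(entries, dict):
        findings.append('unexpected content: expected {"username": "password"}')
        return findings
    for username in entries:  # passwords are deliberately never echoed
        if username.strip() in ("", "NULL", "null"):
            findings.append(f"entry {username!r} is not a usable username "
                            "(owner invited but never logged in?)")
        else:
            findings.append(f"temporary login enabled for {username!r}")
    return findings


if __name__ == "__main__":
    results = audit_ghost_file(sys.argv[1] if len(sys.argv) > 1 else GHOST_PATH)
    print("\n".join(results) if results else "no ghost file found")
    sys.exit(1 if results else 0)
```

The script exits non-zero whenever a ghost file exists, so it can be dropped into a cron job or monitoring check on hosts where the file is not removed automatically.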