[Geoserver-devel] Getting access to a GeoServer after forgetting master/admin password

Hi,
let’s say that someone does not use a GeoServer 2.2.x for quite some time,
the passwords are not stored anywhere, and the master/admin passwords
are just forgotten.

There must be a way for someone that has command line access to the GeoServer data
dir to start over and force GeoServer to use a certain new password.
Is there?

Cheers
Andrea

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


Two possibilities

  1. Check for a file security/masterpw.info
    This file contains the master password and you can log in with the user root. root has ROLE_ADMINISTRATOR.

  2. If you are using the default user group service, you can do the following:

Open security/usergroup/default/users.xml. Look for the admin user and set the password attribute like
password="plain:geoserver".

Obtaining the master password is difficult. It is located in security/masterpw/default/passwd. The password is stored encrypted and useless. You have to start a debug session to find this password in memory. Please tell me if you need further assistance.

Christian

Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Hi Andrea, did this help?


On Wed, Jan 16, 2013 at 1:36 PM, Christian Mueller <mcrmcr21@anonymised.com> wrote:

Hi Andrea, did this help?

Ah hey, yep, it’s a good set of indications.
Having a command line tool to extract the master password without having to
put GeoServer in debug mode would be quite useful.

Cheers
Andrea



Perhaps a class with a main method in the main module (if it is possible).



On Wed, Jan 16, 2013 at 5:10 PM, Christian Mueller <mcrmcr21@anonymised.com> wrote:

Perhaps a class with a main method in the main module (if it is possible).

Yep, that would be nice

Cheers
Andrea





On 16/01/13 21:31, Andrea Aime wrote:

Having a command line tool to extract the master password without having to
put GeoServer in debug mode would be quite useful

Perhaps a command line tool to reset the master password, rather than extract it?

Because users often use the same password in multiple places, extraction of a password might grant unintended access elsewhere. I am thinking of the use-case of a GeoServer instance whose administrator changes.

Many systems only store HMAC hashes of passwords for security; by design they cannot extract the original plaintext.

Kind regards,

--
Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

My ideas so far:

  1. lost password for the admin user
    You need access to the physical storage of the user/group service (xml file, sql table,…). Change the password value of the admin user to "plain:geoserver" (geoserver is the password). Log in as the admin user, change your password from geoserver to another value and press save. The new password is stored encoded, replacing "plain:geoserver".

  2. lost master password
    The master password is not a digest since it is needed for encryption/decryption of the key store. You have to log in as an admin user. On the GUI you have to specify a file name and click on a button to store the plain master password in this file.
    The file name acts as a shared key between geoserver and the admin. (This is important, a fixed file location is vulnerable to an attack.) The admin needs access to the file system, reads the master password and deletes the file.

The method writing the file checks the calling method with:

StackTraceElement[] stackTraceElements = Thread.currentThread().getStackTrace();

This is necessary to protect against "trojan horse" geoserver extensions.

Opinions?

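The users.xml edit Christian describes (in his first reply, and again as item 1 of his ideas above), as an added example that is not GeoServer's own code: it backs up the file, sets the admin user's stored password to plain:geoserver so the administrator can log in and change it from the GUI, and returns the old value so the operator can see what was replaced. The users.xml layout and namespace are assumptions about the default XML user/group service, and the sample file is constructed.

```python
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace of users.xml in GeoServer's XML user/group service (assumption).
USERS_NS = "http://www.geoserver.org/security/users"

# Constructed sample of security/usergroup/default/users.xml; the hashes are
# placeholders, not real GeoServer digests.
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<userRegistry version="1.0" xmlns="http://www.geoserver.org/security/users">
  <users>
    <user enabled="true" name="admin" password="digest1:PLACEHOLDER_ADMIN"/>
    <user enabled="true" name="viewer" password="digest1:PLACEHOLDER_VIEWER"/>
  </users>
  <groups/>
</userRegistry>
"""

def local_name(tag):
    """Strip the {namespace} prefix so matching works with or without it."""
    return tag.rsplit("}", 1)[-1]

def stored_passwords(users_xml):
    """Map user name -> stored password attribute (encoder prefix included)."""
    root = ET.parse(users_xml).getroot()
    return {e.get("name"): e.get("password")
            for e in root.iter() if local_name(e.tag) == "user"}

def reset_password(users_xml, user="admin", new_value="plain:geoserver"):
    """Back up users.xml, set one user's password attribute, return the old value."""
    shutil.copy2(users_xml, users_xml.parent / (users_xml.name + ".bak"))
    ET.register_namespace("", USERS_NS)  # write xmlns= back without a prefix
    tree = ET.parse(users_xml)
    for elem in tree.getroot().iter():
        if local_name(elem.tag) == "user" and elem.get("name") == user:
            old = elem.get("password", "")
            elem.set("password", new_value)  # "plain:" = unencoded, per the thread
            tree.write(users_xml, encoding="utf-8", xml_declaration=True)
            return old
    raise KeyError(f"user {user!r} not found in {users_xml}")

def demo():
    """Run the reset on the constructed sample in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        users_xml = Path(d) / "users.xml"
        users_xml.write_text(SAMPLE_USERS_XML, encoding="utf-8")
        old = reset_password(users_xml)
        return {"old_admin": old, "after": stored_passwords(users_xml),
                "backup": stored_passwords(users_xml.parent / "users.xml.bak")}
```

Against a real data directory, stop GeoServer before editing and remove the .bak copy once the password has been changed from the GUI, since it still holds the previous stored value.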

On Mon, Jan 21, 2013 at 8:55 AM, Christian Mueller <mcrmcr21@anonymised.com> wrote:
Both suggestions seem good to me

Cheers
Andrea



Should I create a GSIP or is a JIRA improvement issue sufficient?

If I understand our time boxed model correctly, this improvement will be applied to GeoServer 2.4 with the possibility to backport it after a vote.

Christian



On Mon, Jan 21, 2013 at 9:52 AM, Christian Mueller <mcrmcr21@anonymised.com> wrote:

Should I create a GSIP or is a JIRA improvement issue sufficient?

Jira should be sufficient, it’s not a large change or significant new API, right?

If I understand our time boxed model correctly, this improvement will be applied to GeoServer 2.4 with the possibility to backport it after a vote.

Yep, the backport of a new functionality requires a vote

Cheers
Andrea
