Securing Vaultwarden Admin Token

Joined: Sep 28, 2020 | Messages: 6
Has anyone tried to follow the instruction here to secure their vaultwarden admin token? If so, would you be able to provide your steps in the TrueNAS scale GUI? I can't seem to get it to work. Thank you.
 

sretalla (Moderator, Powered by Neutrality) | Joined: Jan 1, 2016 | Messages: 9,700
You should be able to do that by running the shell of the container from the 3 dots on the App's card.

then run the suggested command /vaultwarden hash
 
Joined: Sep 28, 2020 | Messages: 6

sretalla said:
> You should be able to do that by running the shell of the container from the 3 dots on the App's card.
>
> then run the suggested command /vaultwarden hash

Thank you. I was able to get the information from the vaultwarden hash, but where does it need to be copied? I tried copying it in the admin token line in the truenas GUI but it doesn't work. The password ended up being the pasted information in plain text instead. Thank you for your help.
 

carbonprop (Cadet) | Joined: Jul 30, 2023 | Messages: 2

> Thank you. I was able to get the information from the vaultwarden hash, but where does it need to be copied? I tried copying it in the admin token line in the truenas GUI but it doesn't work. The password ended up being the pasted information in plain text instead. Thank you for your help.
Did you ever get this figured out? I'm having the same issue.
 

sretalla (Moderator, Powered by Neutrality) | Joined: Jan 1, 2016 | Messages: 9,700
I've had a few tries at it, but indeed it seems using the recommended method from the link provided in the admin site doesn't work, including the replacement of $ with $$ and combinations of quotation marks.

I tried it on both the community and TrueCharts apps (only the TrueCharts app has the generator, but I used that generated hash in both cases).

Looks like a thumbs down for security for the moment.
 

carbonprop (Cadet) | Joined: Jul 30, 2023 | Messages: 2
I’ll have another look at it soon. If I figure out a solution I’ll let you know. A couple of days ago I was able to get 2FA working on the accounts.

Once I got my vaultwarden settings dialed in I removed the admin token to disable the web login altogether. For now it’s a solution I can live with.
 
Joined: Sep 28, 2020 | Messages: 6

sretalla said:
> I've had a few tries at it, but indeed it seems using the recommended method from the link provided in the admin site doesn't work, including the replacement of $ with $$ and combinations of quotation marks.
>
> I tried it on both the community and TrueCharts apps (only the TrueCharts app has the generator, but I used that generated hash in both cases).
>
> Looks like a thumbs down for security for the moment.

Thank you! I appreciate you taking the time to troubleshoot the issue.
 

sretalla (Moderator, Powered by Neutrality) | Joined: Jan 1, 2016 | Messages: 9,700
OK, so with a little motivation to get to the bottom of this, I seem to have found a way.

In the TrueCharts app:

I created a new instance, ticking the box to allow the admin interface and also ticking the box to allow access with no password (I happened to use host path for the config storage, but I think this will work with PVC too). BTW, that's mounted to /data in the container.

I then went into the general section and set the admin token there to the desired string... like this: $argon2id$v=19$m=65540,t=3,p=4$u5zgeE35Ad7wwEK0MJcMszca+rTMNM7s6AjUJqU2PAU$+Jl5clXn3OwL2SvHexCsfVhizdnbEZz7Wxpj06RsLDA (password of "password")

Then saved the setting. (noting that a new file now appears in the config location, config.json... which has my string in it)

Then edited the app, turning off the allow admin access with no password option. Left the Admin Token field empty.

On restart, access to the admin interface was then possible using the password of "password".

I think that config file would now persist, so that's job done.

EDIT:

To confirm, I reinstalled the app (delete, then install a new instance, point config storage at the same place, set admin page to on, leave token blank).

Same password works fine.
 
Joined: Sep 28, 2020 | Messages: 6
Thank you!! I was trying to figure it out too and realized I didn't need the single quotes on the token. I removed the single quotes at the beginning and end, copied into the password field of the admin panel, and it worked perfectly.
 

sretalla (Moderator, Powered by Neutrality) | Joined: Jan 1, 2016 | Messages: 9,700

> I removed the single quotes at the beginning and end, copied into the password field of the admin panel, and it worked perfectly.

I tried with many combinations of quotes and no quotes and was not successful, so you're doing something magic there, but glad it worked for you.
 
Joined: Sep 28, 2020 | Messages: 6
Let me give the steps to see if the magic is in there somewhere.
1. Install vaultwarden (TrueChart) with a temporary admin password (e.g. password1234). Service Type = ClusterIP, with Ingress enabled using a custom domain.
2. Go into the shell of the vaultwarden pod
3. Type the command
Code:
./vaultwarden hash

4. Choose a strong password and copy the text of the output between the single quotes (it starts with $argon2id$). Make sure not to include the last single quote at the end.
5. Paste it into a temporary text file on your computer.
6. Log in to your admin panel using your temporary password.
7. Copy the information into the Admin token/Argon2 PHC field of the admin panel (General settings).
8. Hit Save at the bottom and try to log in using the strong password from step 4.
 
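The two failure modes the thread runs into, the surrounding single quotes from the `vaultwarden hash` output being pasted along with the token and the compose-style `$$` escaping ending up stored literally, are both easy to catch before the value ever reaches a config field. The following is an added example, not code from the thread or from the Vaultwarden project: a standard-library-only Python checker that normalizes a pasted ADMIN_TOKEN value, parses it as an Argon2 PHC string and reports whether Vaultwarden would treat it as a hash (a value beginning with `$argon2`) or as a plaintext token (anything else). It uses the PHC string quoted earlier in the thread as sample input. It does not verify a password against the hash, since Argon2 is not in the Python standard library; the OWASP cost thresholds it warns on are my addition and are not discussed on the page.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# PHC string quoted earlier in the thread (Argon2id hash of the password "password").
THREAD_TOKEN = ("$argon2id$v=19$m=65540,t=3,p=4"
                "$u5zgeE35Ad7wwEK0MJcMszca+rTMNM7s6AjUJqU2PAU"
                "$+Jl5clXn3OwL2SvHexCsfVhizdnbEZz7Wxpj06RsLDA")

# Grammar of an Argon2 PHC string as printed by `vaultwarden hash`:
# $argon2id$v=19$m=<KiB>,t=<iterations>,p=<lanes>$<salt b64>$<hash b64>
PHC_RE = re.compile(
    r"^\$(?P<alg>argon2(?:id|i|d))\$v=(?P<v>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<hash>[A-Za-z0-9+/]+)$"
)

# Assumed thresholds: OWASP Password Storage Cheat Sheet minimum for Argon2id.
MIN_MEMORY_KIB = 19456   # 19 MiB
MIN_ITERATIONS = 2


@dataclass
class TokenCheck:
    kind: str                      # "argon2_phc", "malformed_phc" or "plaintext"
    normalized: str                # the value to paste, after undoing copy/paste damage
    problems: list = field(default_factory=list)
    params: Optional[dict] = None  # decoded Argon2 parameters when kind == "argon2_phc"


def _b64_decoded_len(s: str) -> int:
    # PHC strings use unpadded base64; restore the padding before decoding.
    return len(base64.b64decode(s + "=" * (-len(s) % 4)))


def check_admin_token(raw: str) -> TokenCheck:
    """Normalize an ADMIN_TOKEN value and report how Vaultwarden would interpret it."""
    problems = []
    token = raw

    # 1. A trailing newline or spaces come along when copying from a pod shell.
    if token != token.strip():
        problems.append("leading/trailing whitespace")
        token = token.strip()

    # 2. `vaultwarden hash` prints the value inside single quotes; they are not part of it.
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "'\"":
        problems.append("surrounding quotes copied with the token")
        token = token[1:-1]

    # 3. '$$' is docker-compose escaping; a GUI field stores it literally, so undo it.
    if "$$" in token:
        problems.append("'$$' compose escaping present; the field needs a literal '$'")
        token = token.replace("$$", "$")

    # Vaultwarden treats a value starting with "$argon2" as a PHC hash and
    # anything else as a plaintext token that is compared as-is.
    if not token.startswith("$argon2"):
        problems.append("not a PHC string: would be used as a plaintext admin token")
        return TokenCheck("plaintext", token, problems)

    m = PHC_RE.match(token)
    if not m:
        problems.append("starts like Argon2 but does not parse; login would never succeed")
        return TokenCheck("malformed_phc", token, problems)

    try:
        salt_bytes = _b64_decoded_len(m.group("salt"))
        hash_bytes = _b64_decoded_len(m.group("hash"))
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("salt or hash is not valid base64")
        return TokenCheck("malformed_phc", token, problems)

    params = {k: int(m.group(k)) for k in ("v", "m", "t", "p")}
    params.update(alg=m.group("alg"), salt_bytes=salt_bytes, hash_bytes=hash_bytes)

    if params["alg"] != "argon2id":
        problems.append(f"{params['alg']} in use; argon2id is the recommended variant")
    if params["m"] < MIN_MEMORY_KIB or params["t"] < MIN_ITERATIONS:
        problems.append("Argon2 cost below the OWASP minimum (m=19456 KiB, t=2)")
    if salt_bytes < 16:
        problems.append("salt shorter than 16 bytes")
    return TokenCheck("argon2_phc", token, problems, params)


if __name__ == "__main__":
    # Constructed samples: the clean token, the quoted copy from the shell,
    # the compose-escaped variant and a plaintext temporary password.
    for sample in (THREAD_TOKEN, f"'{THREAD_TOKEN}'\n",
                   THREAD_TOKEN.replace("$", "$$"), "password1234"):
        result = check_admin_token(sample)
        print(result.kind, result.problems)
```

Run the checker over whatever you are about to paste and use `normalized` as the value; a `kind` of `plaintext` on a value you believed was a hash is exactly the symptom described earlier in the thread, where the token ended up stored in clear text.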

sretalla (Moderator, Powered by Neutrality) | Joined: Jan 1, 2016 | Messages: 9,700
OK, that's clear... you're doing the update in the app/GUI itself, not in the app configuration item.

That's what I eventually worked out... you can't really trust setting it from the config to do anything other than plain text.
 