Octoprint: [Request] Add dialog to (explain how to) reset password

Created on 22 Feb 2016 · 30 Comments · Source: OctoPrint/OctoPrint

I log in to the webpage of OctoPrint, but I forgot my password.
I can only think of reinstalling OctoPrint, but that's not a good way.
At login, how can I solve having forgotten my password or account?

done request

All 30 comments

I screwed mine up also how do I reset password?

There is a solution here:
https://printrbot.dozuki.com/Answers/View/7610/resetting+name+and+password


Also here: https://github.com/foosel/OctoPrint/wiki/Configuring-Access-Control

Near the bottom, it says to rerun the wizard, do the following:

  1. edit ~/.octoprint/config.yaml and set firstRun: true. It should be there already set to false in your case.
  2. remove ~/.octoprint/users.yaml

I would also: sudo service octoprint restart

I don't get any of this. Ed

How about like this, from the command line, ssh into your pi then:

rm ~/.octoprint/users.yaml
nano ~/.octoprint/config.yaml

Search for firstRun in that file. Delete the "false" on that line and type "true". Save and exit. Then type this command:

sudo service octoprint restart

Thanks.
I tested the method and it solved my problem.

Suggestion for an easy way to make this information better observable (easy difficulty):

  • [ ] add "forgot password" link to login dialog, have that pop up a modal explaining the above steps + that admins can change user passwords

Better version (medium difficulty):

  • [ ] add new config setting to access control "allowPasswordReset", default value false
  • [ ] if a file named "reset_password" exists in the config folder (next to config yaml) display password change dialog on ui load (similar to first configuration wizard)
  • [ ] allow user to change password of his admin account
  • [ ] delete reset trigger file on confirm

Additional solution for devel branch (optional for now):

  • [ ] add new command group to octoprint command called users,
  • [ ] add new command to that group called reset_password, first parameter should be the user name of the password to change
  • [ ] when invoked like eg octoprint users reset_password someUsername, offer prompt for (invisible) new password, twice for verification, set new password for user

Why so complicated? OctoPrint usually can't send mails, so something like a regular "forgot password" approach won't work. And if anyone could reset the password of an existing account, that would kind of defeat the purpose of having a password in the first place, hence the additional steps that have to be performed through the actual file system outside of OctoPrint.

_edit_ changed to use a trigger file following suggestion by @markwal, added optional CLI command, added some explanation why common password reset approaches won't work here.
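
The "better version" checklist above, sketched as an added example (not part of the original thread and not OctoPrint's own code): the reset is armed only when the setting is on and the `reset_password` trigger file exists in the config folder, and the trigger is consumed before the change is applied so it works once. The `users` dict, the PBKDF2 storage format, the status strings and the ownership check are assumptions made for illustration.

```python
import hashlib
import os
import stat

TRIGGER_NAME = "reset_password"  # trigger file name from the checklist above


def reset_allowed(config_dir, allow_password_reset):
    """True only if the setting is on AND a trustworthy trigger file exists."""
    if not allow_password_reset:
        return False
    try:
        # lstat: inspect the entry itself, do not follow a symlink
        st = os.lstat(os.path.join(config_dir, TRIGGER_NAME))
    except FileNotFoundError:
        return False
    # Assumption: only a regular file owned by the server's own user counts.
    return stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid()


def hash_password(password, salt):
    # Hypothetical storage format (PBKDF2-HMAC-SHA256), not OctoPrint's own.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()


def reset_password(config_dir, allow_password_reset, users, username, new, confirm):
    """Apply one password change, consuming the trigger file first.

    `users` is a hypothetical in-memory dict {name: {"salt": ..., "hash": ...}}.
    Returns a short status string so callers can log the outcome.
    """
    # Validate input before touching the trigger, so a typo does not use it up.
    if username not in users:
        return "unknown-user"
    if not new or new != confirm:
        return "password-mismatch"
    if not reset_allowed(config_dir, allow_password_reset):
        return "not-armed"
    try:
        # Delete the trigger before changing anything: of two concurrent
        # requests only one unlink succeeds, so the reset is single-use.
        os.unlink(os.path.join(config_dir, TRIGGER_NAME))
    except FileNotFoundError:
        return "not-armed"
    salt = os.urandom(16)
    users[username] = {"salt": salt.hex(), "hash": hash_password(new, salt)}
    return "ok"
```

Until the trigger is consumed, anyone who can reach the UI could complete the reset, so the window between creating the file and confirming the new password should be kept short.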

I wouldn't mind trying my hand at this.

Since people seem to have a hard time editing config.yaml successfully and they can't use the yamlpatcher for this case, perhaps an enhancement to the better version would be to trigger the password change when a particular file exists next to config.yaml (like ~/.octoprint/password_reset)? Or perhaps when users.yaml doesn't exist, but accessControl is enabled?

@markwal good idea with the file. I'd prefer not to have to nuke users.yaml because that would kill all accounts, just because the admin forgot their password. Sounds a bit bad ;) I'll adjust the check list above

devel branch also allows definition of additional command line commands, so something like octoprint user reset_password someUsername should also be considered here, but first I'd go for one of the outlined solutions since they also are something that can be back ported to the maintenance branch and shipped soon that way.

@tousdan great! Will mark the ticket as grabbed shortly, please keep us posted here. No problem if you decide not to do it after all, but would be important to know about that :)

When you say "allow user to change password of his admin account" how should we figure out which account is the admin account? I can see in the user management that multiple users can have the admin role. Should we be able to pick which user to reset?

Also, once both conditions are met (accessControl.allowPasswordReset and the reset_password file exists) anyone accessing the app will get the opportunity to change the admin password. Is this what we want for a setup where multiple users might be accessing the app? I could be over thinking it

I feel that maybe the CLI option would be easier to use.

The user should need to enter their account name.

And yes, the access thing is a tiny issue, it would fall to the admin who forgot the password in that case to limit access. We have the same issue now with the "reset users.yaml" approach, so it wouldn't worsen the situation at least, since now everyone would see the setup dialog instead too, which is just as bad.

The CLI option certainly is nicer, but depends on functionality in 1.3.x (CLI in 1.2.x still is pretty horribly mashed together and a nightmare to extend), so while that should also be tackled, it would be nice to have a solution in the mean time that doesn't kill all user accounts in 1.2.x as well.

Should only need to be relevant anyhow if there is only one admin who forgot their password since otherwise adminY can reset adminX's password without the hassle.

@tousdan are you still looking into this? No problem if not, but I'd again mark it as up for grabs then :)

Feel free to! I've been on and off this issue and couldn't get my head around filling all the requirements to my own satisfaction.

hi
just a question here, why not mimic the method used almost everywhere? I mean:
force the admin to enter an email address, and send a "reset password" mail when a "forgot password" link is clicked on?

It's a pretty standard way to reset password. Not perfect though, and I guess it would require more work than the suggestion above

my two cents :)

Because "sending an email" is impossible without teaching thousands of users out there first how to enable their Pi's to send out e-mail. An application in the cloud can be securely preconfigured. An open source application running on a headless server under control of the user can't.

I don't have ~/.octoprint. Octoprint is installed on my Arch Linux server using the octoprint package from the AUR.

~ indicates your home folder. .octoprint is in the home folder for the user that is running the daemon process.

.octoprint isn't in /root either. I am running octoprint with systemd.

Yes. systemd is the engine that starts the daemons at boot. But that doesn't tell you which user it is trying to use to start the daemon.

It'll be some folder like:

/home/something/.octoprint

But it may not be getting that far. You may need to attempt to run it from the command line and see if it is failing before it can create the log folder (permissions issue perhaps)

The .service file has User and Group set to octoprint but there is no octoprint folder in home. Do I have to create that? If that doesn't exist, where is it saving everything?

Since this issue seems a bit dead right now and I just encountered it today, I've recently added some documentation for deleting the users.yaml and editing/updating the config.yaml file for OS X here.

@foosel Currently looking at option 2 and will let you know if I think I can implement it.

@Salandora with your upcoming changes for user permissions, is it worthwhile to add a password reset feature now or would it be better to wait?

Re-enabling via SSH brought my login back to life. Now before I uninstall astroprint, is it SAFE to or will that kill it again?

Now before I uninstall astroprint, is it SAFE to or will that kill it again?

Who knows? This is an octoprint bug list. What does astroprint have to do with anything? And SAFE to uninstall? What do you mean? Kill it again? Kill what? How did your login lose its life and in what way?

@foosel Has anyone made headway on a "password reset" console command? Can you give a quick pointer to the password function? That may help.

I would like to have a look to see if I can make a go at it. I'm coming to Python via Ansible and OpenStack - so looking for little useful things to do.

@alainchiasson nope, no one, and a PR for that against the maintenance branch would be really welcome! :)

@foosel Can this be closed?

Once 1.3.12 is out, yes

1.3.12 has been released.
