Forgot Username / Pwd to CouchDB - couchdb

Does anyone know how can I reset the username and password for CouchDB ?


This worked for me:
while couchdb is stopped,
clear the [admin] section in your */etc/couchdb/local.ini
delete the _users.couch database (located in */var/lib/couchdb/)
This will reset the user database to factory defaults (admin party!) and wipe all of couchdb's user accounts. There might be a more subtle way


With Apache CouchDB, admin accounts passwords can be changed by editing a file local.ini in the CouchDB config folder (/etc/couchdb/ on most Linux installs). [1]
Look for the [admin] section, which will list the all admin usernames, along with their hashed passwords:
[admin]
foo = -pbkdf2-0e0e83f911c970565fc988497a657bdc21a005e8,19ecef0bea1caf8d7f08fb791379c686,10
Replace the password hash with a new clear text password:
foo = bar
Now restart CouchDB (sudo restart couchdb on Ubuntu). CouchDB will notice the clear text password on startup and automatically replace it with the hashed version.


What I've done it's quite simple. I found out my old username and password here:
/opt/couchbase/var/lib/couchbase/config/config.dat
After that I went to opt/couchbase/bin/ and run
./couchbase-cli cluster-init -c localhost:8091 -u old_user -p old_password --cluster-init-username=new_user --cluster-init-password=new_password
Done!
Also you can check this: http://www.couchbase.com/docs/couchbase-manual-2.0/couchbase-faq.html


For mac users, base folder is /Library/Application Support/couchdb


One more point to add ...
If you are running Couch DB on Windows, then probably it was installed as a service and to reset it you need to stop service first, within running service other answers do not work.
http://www.7tutorials.com/what-are-windows-services-what-they-do-how-manage-them
Open Control Panel - Administrative Tools - Services and stop Apache Couch DB


for Unix:
http://silviud.blogspot.com/2012/10/couchbase-recover-web-console-password.html
/opt/couchbase/bin/erl \
-noinput -eval \
'case file:read_file("/opt/couchbase/var/lib/couchbase/config/config.dat") of {ok, B} -> io:format("~p~n", [binary_to_term(B)]) end.' \
-run init stop | grep cred


You just need to add the username and password in CouchDB local.ini file. You can add as many administrators as you want.
sudo nano /etc/couchdb/local.ini
and in the end of file, add username and password.
And don't forget to restart the CouchDB server.
sudo service couchdb restart


On Mac OS X, cbreset_password is not in PATH by default, so I've done just:
"/Applications/Couchbase Server.app/Contents/Resources/couchbase-core/bin/cbreset_password" 127.0.0.1:8091
...and re-set the password once confirming yes


You can change couchbase localhost password by using following steps:
1. Install crul(for windows)
2. curl -u Administrator:password http://localhost:8091/controller/changePassword -d password=admin123


ubuntu 20.04 :
apt purge couchdb
apt install couchdb
was the only thing that worked for me.


If using 3.2, CouchDB server administrators and passwords in the last [admins] section that CouchDB finds when loading its ini files:
/opt/couchdb/etc/local.ini or
/opt/couchdb/etc/local.d/10-admins.ini
Don't forget to restart CouchDB:
sudo systemctl restart couchdb (if using ubuntu)
source: https://docs.couchdb.org/en/3.2.0/config/auth.html

Related

Google Compute Engine instance requires password for sudo - what is my password?

I have a new google compute engine instance. I am SSH'ed into the instance using certs. Whenever I try to use sudo it asks for the primary user's password which I do not have. Just recently I setup an instance on centos 7 and did not have this issue.
The instance is running centos 8. Normally, I would ssh to the instance, then execute commands using Sudo. For example, I would like to set the root password.
if I run sudo passwd, sudo su - or even sudo cat /var/log/messages it asks me for the primary user's password. The problem is I do not have that password.
[primaryuser#server4 log]$ **sudo cat messages**
**[sudo] password for primaryuser:**
##########
[primaryuser#server4 log]$ **sudo passwd**
**[sudo] password for primaryuser:**
I expected to run the commands using sudo but do not have the password.
Does anyone have any ideas? I read other posts about similar problems but different from mine.

I had to give up and use ubuntu. Everything acted as expected on ubuntu and I was able to set the password. I believe the problem is limited to centos 8 but I am not certain.

How do I set my user password on my Google Cloud Ubuntu instance?

I have started an Ubuntu 15.10 instance on Google Cloud and installed Webmin as per here:
http://www.webmin.com/deb.html
Webmin has been installed successfully and I can see the login page in my browser window, however I need to type my username along with my password with sudo level access to login and start using Webmin.
I've used the SSH via the browser window so have never set a password for any sort of access to the root.
Does anyone know how to set a password for myself to login as a sudo user on my instance?

Okay, I figured it out. I was looking at the permissions menu in Google Cloud, but it was as simple as changing the root password in Linux by typing: sudo passwd

it's working for me
vfa_gianglt#instance-1:~$ sudo -i
root#instance-1:~# sudo bash
root#instance-1:~# sudo passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root#instance-1:~# cd /root
root#instance-1:~#

CouchDB won't delete existing database

I am new to CouchDB and have run into an odd issue. I can create a database but can't delete it.
I am setting up a test framework which will create the test version of the DB at the start and delete it at the end of the test run but I don't really want to have the framework SSH to the server as suggested in this answer Delete couchDB databases.
My setup is CentOS 7 (from the released minimal image) running in Virtual Box 4.3. I installed CouchDB from the EPEL repository, the version is reported as 1.6.1. I can manage the DB with Futon to create the database, add and delete documents. Deleting the DB in Futon hangs. Deleting with curl returns 404 not found.
$ curl -X PUT http://dbserver:5984/test
{"ok":true}
$ curl -X DELETE http://dbserver:5984/test
{"error":"not_found","reason":"missing"}
Based on the CouchDB documentation that is the correct URL to delete the DB. I disabled SELinux but that had no effect. No CouchDB security has been enabled, all settings are left at their default.
Why can't I delete the DB?

The problem seems to be a missing SELinux policy.
Running SELinux in Permissive mode, makes the "verify installation" checks work for me. (CentOS 7, couchdb 1.6.1 installed via yum from the EPEL repository).
Looking in /var/audit/audit.log reveals:
type=AVC msg=audit(1422956916.341:371): avc: denied { create } for pid=2188 comm="beam" name=".test_suite_db_design" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:couchdb_var_lib_t:s0 tclass=dir
So, SELinux denied the couchdb process to create that directory.
Using the audit2allow tool one may create the missing rules which could be enabled using semodule command:
grep couchdb /var/log/audit/audit.log | audit2allow -M couchdbvarlib
semodule -i couchdbvarlib.pp
See here.
There's already a bug reported against CouchDB in Fedora #1098802

Is it possible to connect to ec2 instance as root user by using the PEM file?

I'm trying to connect to an EC2 AWS instance but when I tried to install PHPMYADMIN the linux console asks me for the root user password, which I forgot about. Could anyone please know how to use .PEM file to login as the root user?
I tried sudo su command but it still asks me for the root user.
Any help is appreciated.

Disclaimer: It is not recommended to login as root.
But still if you want to, then:
Allow PermitRootLogin in /etc/ssh/sshd_config
Restart SSH service
you need to paste the existing public key which is in the /home/ec2-user/.ssh/authorized_keys to /root/.ssh/authorized_keys
Now you should be able to login as root using the .pem key.

You don't need your root password if you are running sudo su -, you need the password of the user you are running the sudo command as. Provided that the user has sudo privileges as root. Then you can just run as root:
yum install phpmyadmin

How to reset Jenkins security settings from the command line?

Is there a way to reset all (or just disable the security settings) from the command line without a user/password as I have managed to completely lock myself out of Jenkins?

The simplest solution is to completely disable security - change true to false in /var/lib/jenkins/config.xml file.
<useSecurity>true</useSecurity>
A one-liner to achieve the same:
sed -i 's/<useSecurity>true<\/useSecurity>/<useSecurity>false<\/useSecurity>/g' /var/lib/jenkins/config.xml
Then just restart Jenkins:
sudo service jenkins restart
And then go to admin panel and set everything once again.
If you in case are running your Jenkins inside a Kubernetes pod and can not run service command, then you can just restart Jenkins by deleting the pod:
kubectl delete pod <jenkins-pod-name>
Once the command was issued, Kubernetes will terminate the old pod and start a new one.

One other way would be to manually edit the configuration file for your user (e.g. /var/lib/jenkins/users/username/config.xml) and update the contents of passwordHash:
<passwordHash>#jbcrypt:$2a$10$razd3L1aXndFfBNHO95aj.IVrFydsxkcQCcLmujmFQzll3hcUrY7S</passwordHash>
Once you have done this, just restart Jenkins and log in using this password:
test

The <passwordHash> element in users/<username>/config.xml will accept data of the format
salt:sha256("password{salt}")
So, if your salt is bar and your password is foo then you can produce the SHA256 like this:
echo -n 'foo{bar}' | sha256sum
You should get 7f128793bc057556756f4195fb72cdc5bd8c5a74dee655a6bfb59b4a4c4f4349 as the result. Take the hash and put it with the salt into <passwordHash>:
<passwordHash>bar:7f128793bc057556756f4195fb72cdc5bd8c5a74dee655a6bfb59b4a4c4f4349</passwordHash>
Restart Jenkins, then try logging in with password foo. Then reset your password to something else. (Jenkins uses bcrypt by default, and one round of SHA256 is not a secure way to store passwords. You'll get a bcrypt hash stored when you reset your password.)

I found the file in question located in /var/lib/jenkins called config.xml, modifying that fixed the issue.

In El-Capitan config.xml can not be found at
/var/lib/jenkins/
Its available in
~/.jenkins
then after that as other mentioned open the config.xml file and make the following changes
In this replace <useSecurity>true</useSecurity> with <useSecurity>false</useSecurity>
Remove <authorizationStrategy> and <securityRealm>
Save it and restart the jenkins(sudo service jenkins restart)

The answer on modifying was correct. Yet, I think it should be mentioned that /var/lib/jenkins/config.xml looks something like this if you have activated "Project-based Matrix Authorization Strategy". Deleting /var/lib/jenkins/config.xml and restarting jenkins also does the trick. I also deleted the users in /var/lib/jenkins/users to start from scratch.
<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
<permission>hudson.model.Computer.Configure:jenkins-admin</permission>
<permission>hudson.model.Computer.Connect:jenkins-admin</permission>
<permission>hudson.model.Computer.Create:jenkins-admin</permission>
<permission>hudson.model.Computer.Delete:jenkins-admin</permission>
<permission>hudson.model.Computer.Disconnect:jenkins-admin</permission>
<!-- if this is missing for your user and it is the only one, bad luck -->
<permission>hudson.model.Hudson.Administer:jenkins-admin</permission>
<permission>hudson.model.Hudson.Read:jenkins-admin</permission>
<permission>hudson.model.Hudson.RunScripts:jenkins-admin</permission>
<permission>hudson.model.Item.Build:jenkins-admin</permission>
<permission>hudson.model.Item.Cancel:jenkins-admin</permission>
<permission>hudson.model.Item.Configure:jenkins-admin</permission>
<permission>hudson.model.Item.Create:jenkins-admin</permission>
<permission>hudson.model.Item.Delete:jenkins-admin</permission>
<permission>hudson.model.Item.Discover:jenkins-admin</permission>
<permission>hudson.model.Item.Read:jenkins-admin</permission>
<permission>hudson.model.Item.Workspace:jenkins-admin</permission>
<permission>hudson.model.View.Configure:jenkins-admin</permission>
<permission>hudson.model.View.Create:jenkins-admin</permission>
<permission>hudson.model.View.Delete:jenkins-admin</permission>
<permission>hudson.model.View.Read:jenkins-admin</permission>
</authorizationStrategy>

We can reset the password while leaving security on.
The config.xml file in /var/lib/Jenkins/users/admin/ acts sort of like the /etc/shadow file Linux or UNIX-like systems or the SAM file in Windows, in the sense that it stores the hash of the account's password.
If you need to reset the password without logging in, you can edit this file and replace the old hash with a new one generated from bcrypt:
$ pip install bcrypt
$ python
>>> import bcrypt
>>> bcrypt.hashpw("yourpassword", bcrypt.gensalt(rounds=10, prefix=b"2a"))
'YOUR_HASH'
This will output your hash, with prefix 2a, the correct prefix for Jenkins hashes.
Now, edit the config.xml file:
...
<passwordHash>#jbcrypt:REPLACE_THIS</passwordHash>
...
Once you insert the new hash, reset Jenkins:
(if you are on a system with systemd):
sudo systemctl restart Jenkins
You can now log in, and you didn't leave your system open for a second.

To disable Jenkins security in simple steps in Linux, run these commands:
sudo ex +g/useSecurity/d +g/authorizationStrategy/d -scwq /var/lib/jenkins/config.xml
sudo /etc/init.d/jenkins restart
It will remove useSecurity and authorizationStrategy lines from your config.xml root config file and restart your Jenkins.
See also: Disable security at Jenkins website
After gaining the access to Jenkins, you can re-enable security in your Configure Global Security page by choosing the Access Control/Security Realm. After than don't forget to create the admin user.

To reset it without disabling security if you're using matrix permissions (probably easily adaptable to other login methods):
In config.xml, set disableSignup to false.
Restart Jenkins.
Go to the Jenkins web page and sign up with a new user.
In config.xml, duplicate one of the <permission>hudson.model.Hudson.Administer:username</permission> lines and replace username with the new user.
If it's a private server, set disableSignup back to true in config.xml.
Restart Jenkins.
Go to the Jenkins web page and log in as the new user.
Reset the password of the original user.
Log in as the original user.
Optional cleanup:
Delete the new user.
Delete the temporary <permission> line in config.xml.
No securities were harmed during this answer.

On the offchance you accidentally lock yourself out of Jenkins due to a permission mistake, and you dont have server-side access to switch to the jenkins user or root... You can make a job in Jenkins and add this to the Shell Script:
sed -i 's/<useSecurity>true/<useSecurity>false/' ~/config.xml
Then click Build Now and restart Jenkins (or the server if you need to!)

\.jenkins\secrets\initialAdminPassword
Copy the password from the initialAdminPassword file and paste it into the Jenkins.

1 first check location if you install war or Linux or windows based on that
for example if war under Linux and for admin user
/home/"User_NAME"/.jenkins/users/admin/config.xml
go to this tag after #jbcrypt:
<passwordHash>#jbcrypt:$2a$10$3DzCGLQr2oYXtcot4o0rB.wYi5kth6e45tcPpRFsuYqzLZfn1pcWK</passwordHash>
change this password using use any website for bcrypt hash generator
https://www.dailycred.com/article/bcrypt-calculator
make sure it start with $2a cause this one jenkens uses

In order to remove the by default security for jenkins in Windows OS,
You can traverse through the file Config.xml created inside /users/{UserName}/.jenkins.
Inside this file you can change the code from
<useSecurity>true</useSecurity>
To,
<useSecurity>false</useSecurity>

step-1 : go to the directory cd .jenkins/secrets then you will get a 'initialAdminPassword'.
step-2 : nano initialAdminPassword
you will get a password

changing the <useSecurity>true</useSecurity> to <useSecurity>false</useSecurity> will not be enough, you should remove <authorizationStrategy> and <securityRealm> elements too and restart your jenkins server by doing sudo service jenkins restart .
remember this, set <usesecurity> to false only may cause a problem for you, since these instructions are mentioned in thier official documentation here.

Jenkins over KUBENETES and Docker
In case of Jenkins over a container managed by a Kubernetes POD is a bit more complex since: kubectl exec PODID --namespace=jenkins -it -- /bin/bash will you allow to access directly to the container running Jenkins, but you will not have root access, sudo, vi and many commands are not available and therefore a workaround is needed.
Use kubectl describe pod [...] to find the node running your Pod and the container ID (docker://...)
SSH into the node
run docker exec -ti -u root -- /bin/bash to access the container with Root privileges
apt-get update
sudo apt-get install vim
The second difference is that the Jenkins configuration file are placed in a different path that corresponds to the mounting point of the persistent volume, i.e. /var/jenkins_home, this location might change in the future, check it running df.
Then disable security - change true to false in /var/jenkins_home/jenkins/config.xml file.
<useSecurity>false</useSecurity>
Now it is enough to restart the Jenkins, action that will cause the container and the Pod to die, it will created again in some seconds with the configuration updated (and all the chance like vi, update erased) thanks to the persistent volume.
The whole solution has been tested on Google Kubernetes Engine.
UPDATE
Notice that you can as well run ps -aux the password in plain text is shown even without root access.
jenkins#jenkins-87c47bbb8-g87nw:/$ps -aux
[...]
jenkins [..] -jar /usr/share/jenkins/jenkins.war --argumentsRealm.passwd.jenkins=password --argumentsRealm.roles.jenkins=admin
[...]

Easy way out of this is to use the admin psw to login with your admin user:
Change to root user: sudo su -
Copy the password: xclip -sel clip < /var/lib/jenkins/secrets/initialAdminPassword
Login with admin and press ctrl + v on password input box.
Install xclip if you don't have it:
$ sudo apt-get install xclip

Using bcrypt you can solve this issue. Extending the #Reem answer for someone who is trying to automate the process using bash and python.
#!/bin/bash
pip install bcrypt
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install xmlstarlet
cat > /tmp/jenkinsHash.py <<EOF
import bcrypt
import sys
if not sys.argv[1]:
sys.exit(10)
plaintext_pwd=sys.argv[1]
encrypted_pwd=bcrypt.hashpw(sys.argv[1], bcrypt.gensalt(rounds=10, prefix=b"2a"))
isCorrect=bcrypt.checkpw(plaintext_pwd, encrypted_pwd)
if not isCorrect:
sys.exit(20);
print "{}".format(encrypted_pwd)
EOF
chmod +x /tmp/jenkinsHash.py
cd /var/lib/jenkins/users/admin*
pwd
while (( 1 )); do
echo "Waiting for Jenkins to generate admin user's config file ..."
if [[ -f "./config.xml" ]]; then
break
fi
sleep 10
done
echo "Admin config file created"
admin_password=$(python /tmp/jenkinsHash.py password 2>&1)
# Repalcing the new passowrd
xmlstarlet -q ed --inplace -u "/user/properties/hudson.security.HudsonPrivateSecurityRealm_-Details/passwordHash" -v '#jbcrypt:'"$admin_password" config.xml
# Restart
systemctl restart jenkins
sleep 10
I have kept password hardcoded here but it can be a user input depending upon the requirement. Also make sure to add that sleep otherwise any other command revolving around Jenkins will fail.

To very simply disable both security and the startup wizard, use the JAVA property:
-Djenkins.install.runSetupWizard=false
The nice thing about this is that you can use it in a Docker image such that your container will always start up immediately with no login screen:
# Dockerfile
FROM jenkins/jenkins:lts
ENV JAVA_OPTS -Djenkins.install.runSetupWizard=false
Note that, as mentioned by others, the Jenkins config.xml is in /var/jenkins_home in the image, but using sed to modify it from the Dockerfile fails, because (presumably) the config.xml doesn't exist until the server starts.

I will add some improvements based on the solution:
https://stackoverflow.com/a/51255443/5322871
On my scenario it was deployed with Swarm cluster with nfs volume, in order to perform the password reset I did the following:
Attach to the pod:
$ docker exec -it <pod-name> bash
Generate the hash password with python (do not forget to specify the letter b outside of your quoted password, the method hashpw requires a parameter in bytes):
$ pip install bcrypt
$ python
>>> import bcrypt
>>> bcrypt.hashpw(b"yourpassword", bcrypt.gensalt(rounds=10, prefix=b"2a"))
'YOUR_HASH'
Once inside the container find all the config.xml files:
$ find /var/ -type f -iname "config.xml"
Once identified, modify value of the field ( on my case the config.xml was in another location):
$ vim /var/jenkins_home/users/admin_9482805162890262115/config.xml
...
<passwordHash>#jbcrypt:YOUR_HASH</passwordHash>
...
Restart the service:
docker service scale <service-name>=0
docker service scale <service-name>=1
Hope this can be helpful for anybody.

I had a similar issue, and following reply from ArtB,
I found that my user didn't have the proper configurations. so what I did:
Note: manually modifying such XML files is risky. Do it at your own risk. Since I was already locked out, I didn't have much to lose. AFAIK Worst case I would have deleted the ~/.jenkins/config.xml file as prev post mentioned.
**> 1. ssh to the jenkins machine
cd ~/.jenkins (I guess that some installations put it under /var/lib/jenkins/config.xml, but not in my case )
vi config.xml, and under authorizationStrategy xml tag, add the below section (just used my username instead of "put-your-username")
restart jenkins. in my case as root service tomcat7 stop; ; service tomcat7 start
Try to login again. (worked for me)**
under
add:
<permission>hudson.model.Computer.Build:put-your-username</permission>
<permission>hudson.model.Computer.Configure:put-your-username</permission>
<permission>hudson.model.Computer.Connect:put-your-username</permission>
<permission>hudson.model.Computer.Create:put-your-username</permission>
<permission>hudson.model.Computer.Delete:put-your-username</permission>
<permission>hudson.model.Computer.Disconnect:put-your-username</permission>
<permission>hudson.model.Hudson.Administer:put-your-username</permission>
<permission>hudson.model.Hudson.ConfigureUpdateCenter:put-your-username</permission>
<permission>hudson.model.Hudson.Read:put-your-username</permission>
<permission>hudson.model.Hudson.RunScripts:put-your-username</permission>
<permission>hudson.model.Hudson.UploadPlugins:put-your-username</permission>
<permission>hudson.model.Item.Build:put-your-username</permission>
<permission>hudson.model.Item.Cancel:put-your-username</permission>
<permission>hudson.model.Item.Configure:put-your-username</permission>
<permission>hudson.model.Item.Create:put-your-username</permission>
<permission>hudson.model.Item.Delete:put-your-username</permission>
<permission>hudson.model.Item.Discover:put-your-username</permission>
<permission>hudson.model.Item.Read:put-your-username</permission>
<permission>hudson.model.Item.Workspace:put-your-username</permission>
<permission>hudson.model.Run.Delete:put-your-username</permission>
<permission>hudson.model.Run.Update:put-your-username</permission>
<permission>hudson.model.View.Configure:put-your-username</permission>
<permission>hudson.model.View.Create:put-your-username</permission>
<permission>hudson.model.View.Delete:put-your-username</permission>
<permission>hudson.model.View.Read:put-your-username</permission>
<permission>hudson.scm.SCM.Tag:put-your-username</permission>
Now, you can go to different directions. For example I had github oauth integration, so I could have tried to replace the authorizationStrategy with something like below:
Note:, It worked in my case because I had a specific github oauth plugin that was already configured. So it is more risky than the previous solution.
<authorizationStrategy class="org.jenkinsci.plugins.GithubAuthorizationStrategy" plugin="github-oauth#0.14">
<rootACL>
<organizationNameList class="linked-list">
<string></string>
</organizationNameList>
<adminUserNameList class="linked-list">
<string>put-your-username</string>
<string>username2</string>
<string>username3</string>
<string>username_4_etc_put_username_that_will_become_administrator</string>
</adminUserNameList>
<authenticatedUserReadPermission>true</authenticatedUserReadPermission>
<allowGithubWebHookPermission>false</allowGithubWebHookPermission>
<allowCcTrayPermission>false</allowCcTrayPermission>
<allowAnonymousReadPermission>false</allowAnonymousReadPermission>
</rootACL>
</authorizationStrategy>

Edit the file $JENKINS_HOME/config.xml and change de security configuration with this:
<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
After that restart Jenkins.

A lot of times you wont be having permissions to edit the config.xml file.
The simplest thing would be to take a back of config.xml and delete using sudo command.
Restart the jenkins using the command sudo /etc/init.d/jenkins restart
This will disable all the security in the Jenkins and the login option would disappear

For one who is using macOS, the new version just can be installed by homebrew. so for resting, this command line must be using:
brew services restart jenkins-lts

The directory where the file is located config.xml in windows
C:\Windows\System32\config\systemprofile\AppData\Local\Jenkins\.jenkins

Resources