Admin token not working anymore

I’ve set up Vaultwarden to use Bitwarden from my self-hosted Synology NAS, using Portainer via the guide provided here: https://mariushosting.com/synology-install-vaultwarden-with-portainer/

It’s been working flawlessly. I now wanted to create a new user and therefore needed to enter the Vaultwarden admin panel. I entered the admin token that I have stored, but it is not being accepted. Following the suggestions here on the forum, I checked the config.json file that was stored in the vaultwarden\data folder. On the line that says “admin token” the same token is mentioned (The line looks like this: “admin_token”: “$argon2id_my_token_xxxxxxx”) as I tried. It therefore seems I’m using the correct one. I have also tried adding " and ’ to the start and end of the token when entering it in the admin portal, but that didn’t work either. I restarted the container from Portainer, but still it doesn’t work. Should I change something in the config.json file with the " at the start and end of the token?

This is what I read in the logs:
[INFO] Using saved config from data/config.json for configuration.
[WARNING] The following environment variables are being overridden by the config.json file.
[WARNING] Please use the admin panel to make changes to them:
[WARNING] DOMAIN, ADMIN_TOKEN, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_USERNAME, SMTP_PASSWORD

I would like to access the Vaultwarden admin page again and as I’ve used the above instructions from the website, I have no clue on how to solve this. I have no Linux knowledge, so would greatly appreciate a step-by-step way to solve this.

Did you hash the password as mentioned in step 32 of the Marius hosting guide? Then don’t use the hash of the password to log in but the unhashed version of the password.
If you see a human-readable password you didn’t hash the password. Follow step 32 and further.
If I remember well you can also edit the admin password in the JSON file directly. Open Portainer, select containers, click on vaultwarden and then on the edit symbol (1st icon). Scroll down to the word admin_token and paste the hash of the new password. Also check first that disable_admin_token is false!

Thanks Pelgrim. I believe I did follow the steps from Marius hosting guide exactly. Therefore I also have an unhashed version of the password, but that doesn’t work either. This unhashed version can be found in Portainer indeed, when I edit the Vaultwarden container. The disable_admin_token is set to “false” also. So I’m a bit confused, as both the hashed and unhashed version can be found in the JSON, but do not give access.

I have repeated step 14 in Marius hosting guide with the same unhashed password to generate a new hashed one. This password is completely different than the hashed password I have noted down during installation and is completely different than the one I can see in the config.json. Am I correct in thinking that the hashed one should always be the same if I use the same unhashed one? If so, it means that my hashed and unhashed passwords don’t match. How would I solve this? Would I just alter it in the config.json file?

Hello mailman
Yes you’re correct, hashing the same password will give the same hash. So you hash your password and put the hash in the admin_token line. Save the config and open the admin website by using the unhashed password.

I’ve just tried creating a hash with the same unhashed password and received a hashed password. Just to double check, I did the same again to see if I get the same hashed password, but it is totally different the second time and third time. It seems as if there is another variable than just my unhashed password. Could that be the case? Now I do not know which hashed password to use, as it is different every time.

I will check it today, to see what is happening with my install. Did you use the hashing via the mariushosting guide or another method?

I used the hashing via the Marius hosting guide steps. Thanks for checking

Hello Mailman,
I am back, and it is easier than I thought. The vaultwarden hash is indeed changing every time. This is because it is not exactly a hash, but a token. This is why it is different every time you create one. And every created hash token is valid.
So, the final steps to get admin access again:

  1. Go to your Portainer website, click local, containers, vaultwarden. Stop the container.
  2. On your Synology, open File Station, go to the docker, vaultwarden, data directory (or where you put the vaultwarden files), make a copy of config.json as a backup, edit the admin_token in the original config.json to a plain password of 32 characters between the quotes, save the file and exit the editor.
  3. Start the container in the Portainer website.
  4. Go to the vaultwarden admin page and enter the 32-character password. You have access now.
  5. Now follow step 29 and further to change the password to a secure token hash in the admin website.
  6. Done

Good luck

PS: all created token hashes of the same plain password are valid and can be used as the admin_token string to log in. I tried it by creating 4 token hashes and putting them in as admin_token, and could log in with the same plain password.

Hi Pelgrim, you totally saved my day! Thanks a lot for checking this on your own system. It has solved my issue.

Hello Mailman,
No problem, glad I could help. I also learned more about the admin_token. Advice: keep your password and token in a safe place, in case of.

You are correct that using argon2id produces a different “hash” each time despite using the same password. That is the cool thing about that tool, unlike sha256 or blake2, which makes it practically impossible to break.

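Why every generated token in this thread differs yet each one accepts the same password, as an added example that is not part of the thread or Vaultwarden's code: the encoded string carries its own random salt, and verification re-derives the digest with that stored salt. PBKDF2 from Python's standard library stands in for Argon2id here; the token layout, function names and sample password are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # constructed work factor for this demo only


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def make_token(password: str, salt: Optional[bytes] = None) -> str:
    """Encode '$pbkdf2-sha256$i=<n>$<salt>$<digest>'; the salt is random by default."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2-sha256$i={ITERATIONS}${_b64(salt)}${_b64(digest)}"


def verify_token(token: str, candidate: str) -> bool:
    """Re-derive the digest with the salt and cost stored inside the token."""
    try:
        # A well-formed token splits into exactly five '$'-separated fields.
        _, scheme, params, salt_b64, digest_b64 = token.split("$")
        if scheme != "pbkdf2-sha256" or not params.startswith("i="):
            return False
        salt, expected = _unb64(salt_b64), _unb64(digest_b64)
        actual = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode(), salt, int(params[2:])
        )
    except (ValueError, OverflowError):
        return False  # malformed token: wrong field count, bad base64 or cost
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    password = "constructed-admin-password"  # sample value, not a real secret
    first, second = make_token(password), make_token(password)
    print("tokens differ:      ", first != second)
    print("both verify:        ", verify_token(first, password),
          verify_token(second, password))
    print("token as password:  ", verify_token(first, first))
```

The last line of the demo shows the original symptom: typing the stored token string into the login field fails, because the login field expects the plain password that the token was derived from.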