Argon2 Admin Token not working

Hello,

I want to change my Admin-Token to an argon2-hashed one. But I can't get it working. I receive “Error: Invalid admin token, please try again.” when I try to log in on the admin page.

I have done the following:
/usr/bin/docker run -u 1000:1000 -d --name vaultwarden_latest \
  -v /bw-data/:/data/ \
  -p 8083:8083 \
  -e ADMIN_TOKEN=$argon2id$v=19$m=65540,t=3,p=–deleted--

I also tried the one with the double $ (sed command).

What am I doing wrong?

If you pass it via the command line you should use ' around the value of the ADMIN_TOKEN (as it is returned by the new vaultwarden hash command) otherwise your shell will interpret $argon2id, $v, $m, … as variables and replace the value with nothing sensible. E.g.

ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$YDPQu4sf8Qcr0HGxgcEOvzGqFNBxkj//1gJvETFXtrI$NvWaRfFBIwIPXoVepP6WA38zq6vLwG8Ncfo8/lLqSdE'

The $$ is only needed for preventing variable interpolation when setting the value directly in docker-compose.yml.
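The three failure modes discussed in this answer (the shell eating the `$name` parts of an unquoted PHC string, the `$$` form that is only meant for docker-compose.yml, and a value that reaches the container in some other mangled shape) can be checked locally before starting the container. The script below is an added example, not code from the thread or from the vaultwarden project. It reuses the hash quoted above purely as a string; the password it was generated from is not known here, so the script only inspects the format of the value, it does not verify a password. `shell_expanded`, `compose_escaped` and `check_token` are names chosen for this example.

```sh
#!/bin/sh
# Added example: what happens to an Argon2 PHC string on its way into
# the ADMIN_TOKEN variable, plus a format check for the value that
# actually ends up in the container's environment.
PHC='$argon2id$v=19$m=65540,t=3,p=4$YDPQu4sf8Qcr0HGxgcEOvzGqFNBxkj//1gJvETFXtrI$NvWaRfFBIwIPXoVepP6WA38zq6vLwG8Ncfo8/lLqSdE'

# What `-e ADMIN_TOKEN=$argon2id$v=19$m=...` becomes when the string is not
# single-quoted: the shell expands every $name it sees ($argon2id, $v, $m,
# the salt, the hash) and, since none of them are set, drops them.
shell_expanded() {
  unset argon2id v m YDPQu4sf8Qcr0HGxgcEOvzGqFNBxkj NvWaRfFBIwIPXoVepP6WA38zq6vLwG8Ncfo8
  eval "_t=$1"
  printf '%s' "$_t"
}

# The form for a value written directly into docker-compose.yml, where the
# compose file parser turns each `$$` back into a single `$`.
compose_escaped() {
  printf '%s' "$1" | sed 's/\$/$$/g'
}

# Inspect the value exactly as it arrives in the container, e.g. the
# output of `docker exec <name> printenv ADMIN_TOKEN`. Only argon2id PHC
# strings are recognised as good by this check.
check_token() {
  case "$1" in
    \'*|\"*)
      echo "BAD: value still begins with a quote character; whatever loaded it kept the quotes literally"
      return 1 ;;
    \$\$argon2*)
      echo "BAD: doubled \$\$ reached the process; that form is only for docker-compose.yml"
      return 1 ;;
    \$argon2id\$v=19\$m=*,t=*,p=*\$*\$*)
      echo "OK: argon2id PHC string"
      return 0 ;;
    \$argon2*)
      echo "BAD: argon2 prefix present but the rest is not a PHC string"
      return 1 ;;
    *)
      echo "BAD: not a PHC string; either a plain-text token or a shell-mangled one"
      return 1 ;;
  esac
}

printf 'as typed without quotes: %s\n' "$(shell_expanded "$PHC")"
printf 'for docker-compose.yml : %s\n' "$(compose_escaped "$PHC")"
check_token "$PHC" || :
check_token "$(shell_expanded "$PHC")" || :
check_token "'$PHC'" || :
```

If the admin page only lets you in when you paste the whole quoted string, quotes included, as the password, that is consistent with the quote characters having reached the container as part of the value: a token that does not start with `$argon2` is compared as plain text, and the first case in `check_token` catches exactly that.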

Okay, it's working now. Thanks.
I thought I had already tried that. Mmmh, maybe with $$.

And just so I’m clear, once I have set the argon2 token correctly, then I should enter just the password I used to create the token into the prompt on the admin page, right?

Yes that is correct.

Hello, using a plain-text ADMIN_TOKEN is insecure, so what about then modifying “ADMIN_TOKEN” in the management panel? Can this ensure the security of “ADMIN_TOKEN”?

“Please generate a secure Argon2 PHC string by using “vaultwarden hash” or “argon2”.”

This is a bit complicated for me; I'm not very good at command-line operations yet.

There is a nice link to a wiki article which explains it in more detail.
Follow that and you should be fine.

Is it forced to work only with m=65540?
In my case the parameter for argon2, -k 65540, does not exist in the CLI, and I replaced it with -m 16 (2^16 = 65536).
It does not work in my case.
Any ideas?

Thx for helping out!

argon2 commands:

argon2
Usage:  argon2 [-h] salt [-i|-d|-id] [-t iterations] [-m memory] [-p parallelism] [-l hash length] [-e|-r]
	Password is read from stdin
Parameters:
	salt		The salt to use, at least 8 characters
	-i		Use Argon2i (this is the default)
	-d		Use Argon2d instead of Argon2i
	-id		Use Argon2id instead of Argon2i
	-t N		Sets the number of iterations to N (default = 3)
	-m N		Sets the memory usage of 2^N KiB (default 12)
	-p N		Sets parallelism to N threads (default 1)
	-l N		Sets hash output length to N bytes (default 32)
	-e		Output only encoded hash
	-r		Output only the raw bytes of the hash
	-h		Print argon2 usage

No. Where did you get that idea?

That’s not enough information. What does not work? What parameters are you passing? If you can’t get it to work with argon2 because of an old version, try the vaultwarden hash method which should work regardless.

Also make sure you set the variable correctly (which depends on how you configured the settings, e.g. with single quotes or by escaping the variable sigil).

Sorry, I was too unclear there.
I did the steps provided here: Enabling admin page · dani-garcia/vaultwarden Wiki · GitHub

I’m using vaultwarden version 1.28.1
I removed previous admin token from config.json and did following:

Assuming my password is “my_password”:
echo -n "my_password" | argon2 "$(openssl rand -base64 32)" -e -id -m 16 -t 3 -p 4
=> $argon2id$v=19$m=65536,t=3,p=4$TkxKS...

I copied the output to my .env called ADMIN_TOKEN via ADMIN_TOKEN='$argon2id$v=19$m=65536,t=3,p=4$TkxKS...' and added it to docker-compose.yaml with the same key

environment:
     - ADMIN_TOKEN=${ADMIN_TOKEN}

=> docker-compose up -d
I expected to be able to login via “my_password” but it didn’t work

Did I forget something?

Do you have a config.json in your data folder? That will override all env variables. Remove that file, but make sure all settings from the config file are also set correctly in the compose file.

I have a config.json, that is right.
That means I put all my settings to .env and include it in docker-compose.yaml?

I thought it is sufficient to remove the „admin_token“ key from config.json?

Your config.json overwrites the values that you have set in your docker env.

So removing the config.json and restarting the container should make it work?

Does not work in my case.

  1. Removed config.json
  2. add ADMIN_TOKEN='$argon2id$v=19$m=65536,t=3,p=4$bmJ...' to .env
  3. add - ADMIN_TOKEN=${ADMIN_TOKEN} to docker-compose.yaml under environment
  4. run docker-compose up -d
  5. Login on vaultwarden admin page with “normal” password

What doesn’t work? What are the errors you get?

That’s my problem. I don’t have errors. I only can’t log in to the admin page because of a wrong token: “Error: Invalid admin token, please try again.”

If you copy the full string '$argon2id$v=19$m=65536,t=3,p=4$bmJ...' and use that as your admin password, does that log you in? That is the issue I am having as described here.

Yes it does work with ‘$argon…’.
Only $argon… does not work

What are you trying to do?
Login using $argon2.... in the password field during login?
If that is the case, that would be stupid. It would be the exact same as a plain text password in that case.

You need to use the password you provided to generate that string.

I agree that this is not the desired outcome, but it is also the behavior I have been experiencing. I have not been able to get the admin token to properly be set to A2id. I think bergmast and I are having the same issue. Here is my config (no config.json exists)

.env file
VAULTWARDEN_ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=...'

docker-compose

  vaultwarden:
    container_name: Vaultwarden
    image: vaultwarden/server:latest
    restart: always
    volumes:
      - $USERDIR/docker/vaultwarden/Data:/data/
      - $USERDIR/docker/vaultwarden/SSL:/ssl/
      - $USERDIR/docker/vaultwarden/Logs:/logs/
      - /etc/localtime:/etc/localtime:ro
    networks:
      - t2_proxy
    dns:
      - "1.1.1.1"
    ports:
      - "$VAULTWARDEN_PORT:8089"
      - "$VAULTWARDEN_WEBSOCKET_PORT:3012"
    user: $PUID:$PGID
    environment:
      - LOG_FILE=/logs/vaultwarden.log
      - LOG_LEVEL=info
      - ADMIN_TOKEN=$VAULTWARDEN_ADMIN_TOKEN
      - WEBSOCKET_ENABLED=true
      - ORG_EVENTS_ENABLED=true
      - EVENTS_DAYS_RETAIN=120
      - PASSWORD_ITERATIONS=2000000
      - DOMAIN=https://vaultw.$DOMAINNAME
      - ROCKET_PORT=8089
      - SMTP_HOST=$SMTP_HOST
      - SMTP_FROM=$SMTP_FROM
      - SMTP_FROM_NAME=$SMTP_FROM_NAME
      - SMTP_SECURITY=$SMTP_SECURITY
      - SMTP_PORT=$SMTP_PORT
      - SMTP_USERNAME=$SMTP_USERNAME
      - SMTP_PASSWORD=$SMTP_PASSWORD
      - SMTP_TIMEOUT=$SMTP_TIMEOUT
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.vaultwarden-rtr.entrypoints=https"
      - "traefik.http.routers.vaultwarden-websocket.entrypoints=https"
      - "traefik.http.routers.vaultwarden-admin.entrypoints=https"
      - "traefik.http.routers.vaultwarden-rtr.rule=Host(`vaultw.$DOMAINNAME`)"
      - "traefik.http.routers.vaultwarden-websocket.rule=Host(`vaultw.$DOMAINNAME`) && Path(`/notifications/hub`)"
      - "traefik.http.routers.vaultwarden-admin.rule=Host(`vaultw.$DOMAINNAME`) && PathPrefix(`/admin`)"
      ## Middlewares
      - "traefik.http.routers.vaultwarden-admin.middlewares=chain-authelia@file" # Authelia for Admin
      - "traefik.http.routers.vaultwarden-rtr.middlewares=chain-no-auth@file" #No auth for dashboard
      - "traefik.http.routers.vaultwarden-websocket.middlewares=chain-no-auth@file" #No auth for websocket
      ## HTTP Services
      - "traefik.http.routers.vaultwarden-rtr.service=vaultwarden-svc"
      - "traefik.http.routers.vaultwarden-websocket.service=vaultwarden-websocket-svc"
      - "traefik.http.routers.vaultwarden-admin.service=vaultwarden-admin-svc"
      - "traefik.http.services.vaultwarden-svc.loadbalancer.server.port=8089"
      - "traefik.http.services.vaultwarden-admin-svc.loadbalancer.server.port=8089"
      - "traefik.http.services.vaultwarden-websocket-svc.loadbalancer.server.port=3012"