Recover admin access from Password expiration
This document (000021089) is provided subject to the disclaimer at the end of this document.
Environment
NeuVector v5.0.0+
Situation
Implementing Password Profile can further secure the NeuVector deployment. One of the options is to "Deny Access after Password Expired". This feature will alert the user 10 days before the password is set to expire. Life can be unpredictable. Sometimes even the admin can forget to change the password and get locked out.
The below method can be used to restore access to the admin account.
The below method can be used to restore access to the admin account.
Resolution
1. Execute into one of the controller pods
kubectl exec -it <controller_pod> -n neuvector -- sh
2. Check if admin entry exists and save the output JSON somewhere for safekeeping. (If the entry does not exist, please stop and consult with NeuVector Support.)
consul kv get object/config/user/admin
3. Take the output from the above consul kv get command and save it in a txt file.
Example:{"fullname":"admin","username":"admin","password_hash":"c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec","pwd_reset_time":"2023-06-02T18:09:50.913312608Z","pwd_hash_history":null,"domain":"","server":"","email":"","role":"fedAdmin","role_oride":false,"timeout":3600,"locale":"en","role_domains":{},"last_login_at":"2023-06-02T23:42:33.089351572Z","login_count":63,"failed_login_count":0,"block_login_since":"0001-01-01T00:00:00Z"}
4. Extend the password expiration date by replacing the "pwd_reset_time" with today`s date.
Example (UPDATED JSON):{"fullname":"admin","username":"admin","password_hash":"c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec","pwd_reset_time":"2023-09-21T18:09:50.913312608Z","pwd_hash_history":null,"domain":"","server":"","email":"","role":"fedAdmin","role_oride":false,"timeout":3600,"locale":"en","role_domains":{},"last_login_at":"2023-06-02T23:42:33.089351572Z","login_count":63,"failed_login_count":0,"block_login_since":"0001-01-01T00:00:00Z"}
5. Execute the command below to update the expiration date by using the updated json.
consul kv put object/config/user/admin '<UPDATED JSON>'
Example:
consul kv put object/config/user/admin '{"fullname":"admin","username":"admin","password_hash":"c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec","pwd_reset_time":"2023-09-21T18:09:50.913312608Z","pwd_hash_history":null,"domain":"","server":"","email":"","role":"fedAdmin","role_oride":false,"timeout":3600,"locale":"en","role_domains":{},"last_login_at":"2023-06-02T23:42:33.089351572Z","login_count":63,"failed_login_count":0,"block_login_since":"0001-01-01T00:00:00Z"}'
6. The below message gets returned upon successful update.
Success! Data written to: object/config/user/admin
7. Login as admin and change the password before expiration
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021089
- Creation Date: 03-Jun-2023
- Modified Date:21-Sep-2023
-
- SUSE NeuVector
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
