Solution: Resetting the admin password in eZ publish

From: kracker,xavier

Tags: Security, Admin, Password, Reset, Solution

Question: I forgot my admin password or (insert other problem description here) and I can’t log in to eZ publish admin, how can I reset the admin password?

Answers and Solutions

Answer #1

To generate your new password hash under MySQL you can run this command. This is the most direct way of solving this problem. I reference this SQL shortcut frequently.

SET @key = 'publish';
SET @username = 'admin';
SET @del = '\n';
SET @hash = MD5(CONCAT(@username,@del,@key));
UPDATE ezuser SET password_hash=@hash WHERE login=@username;

Answer #2

To generate your new password hash under Linux, you can run:

echo -n -e "admin\npublish" | md5sum

The result is:

c78e3b0f3d9244ed8c6d1c29464bdff9

To do this for another user, replace admin with the login, and publish with the wanted password.

This requires HashType in site.ini to be md5_user.

This is the normal setting, so if you don’t know you changed it, this will work just fine.

Answer #3

Update the password_hash field in your eZ publish database table ezuser for the `admin` user (login) record, replacing the password_hash with the default hash as provided by the setup wizard for the password text `publish`.

I’ve done this several times to solve this problem.

The default hash for the admin password is kinda hidden in the file: 'ezpublish/share/db_data.dba'

For me the default hash was this string for the password 'publish'.

c78e3b0f3d9244ed8c6d1c29464bdff9

This hash when used as the `admin` user’s password hash will reset the password to `publish` without the quotes.

Example SQL to do this:

UPDATE ezuser SET password_hash='c78e3b0f3d9244ed8c6d1c29464bdff9' WHERE login='admin';

Answer #4

Rerun the setup wizard by editing your site.ini.append(.php) and ensure that this line is set.

# Set to true if you want the setup system to be activated
 
CheckValidity=true

Answer #5

Temporarily disable the validation check on the password. This means that anyone can log in to any account simply by entering any random password.

1) Edit the file 'kernel/classes/datatypes/ezuser/ezuser.php'

2) Search for the function 'authenticateHash' (line 1083 in eZ publish 3.7)

3) Add this first line:

return true; // no matter what, consider the password valid

Then log in as 'admin', change your password, write it down on a Post-it and put it on your monitor :)

Most security experts frown on the last point ;)

Answer #6

mysql -u USERNAME -p DATABASE
UPDATE ezuser SET password_hash = MD5("admin\nPASSWORD") WHERE login LIKE "admin";

Resetting Administration Password in eZ publish

1. Log in via shell, console, ssh, ...
2. Back up your eZ publish database to an SQL file (Best Practice)
3. Connect to your eZ publish database.
4. Run this SQL line to reset the password of the admin user

UPDATE ezuser SET password_hash='c78e3b0f3d9244ed8c6d1c29464bdff9' WHERE login='admin';

5. Clear Cache (Optional)
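
After any of the resets above, the admin account holds the well-known password `publish` until it is changed. The script below is an added example, not part of the original page: it recomputes the md5_user hash from Answer #2 and lists exported ezuser rows that still carry a given default password. The function names, the `login hash` input format and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ezuser rows for a default password after a reset.
# Assumes HashType=md5_user, i.e. hash = MD5 of "<login>\n<password>".

# Compute the md5_user hash for a login/password pair.
ez_md5_user_hash() {
    # printf avoids the echo -n/-e differences between shells
    printf '%s\n%s' "$1" "$2" | md5sum | cut -d' ' -f1
}

# Read "login hash" lines on stdin and print every login whose stored
# hash equals the md5_user hash of the candidate password (default: publish).
ez_find_default_passwords() {
    candidate="${1:-publish}"
    while read -r login stored; do
        [ -n "$login" ] || continue
        expected=$(ez_md5_user_hash "$login" "$candidate")
        # Normalise case before comparing hex digests
        stored=$(printf '%s' "$stored" | tr 'A-F' 'a-f')
        [ "$stored" = "$expected" ] && printf '%s\n' "$login"
    done
    return 0
}

# Constructed sample rows, in the shape produced by e.g.
#   mysql -N -B -u USERNAME -p -e "SELECT login, password_hash FROM ezuser" DATABASE
sample_rows() {
    cat <<EOF
admin c78e3b0f3d9244ed8c6d1c29464bdff9
editor $(ez_md5_user_hash editor 'constructed-Strong-pass-1')
anonymous 00000000000000000000000000000000
EOF
}

# Lists the accounts that still need a password change.
sample_rows | ez_find_default_passwords publish
```

Run it against a fresh export after the reset; an empty result means no account still matches the candidate password.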
