5.6 Resetting user passwords

Currently there is no dedicated functionality in MetaDefender ICAP Server's Web Management Console to reset user passwords. Workarounds exist, however.

Admin account

Prerequisites

The workaround requires the following:

  • Shell access to the MetaDefender ICAP Server

  • Read/write access to the configuration database (typically /var/lib/mdicapsrv/config.db.sqlite on Linux and C:\Program Files\OPSWAT\Metadefender ICAP Server\data\config.db.sqlite on Windows)

  • An SQLite client application (e.g. sqlite3 from https://www.sqlite.org/download.html) installed locally on the server

  • A utility to calculate SHA-256 hash values (e.g. sha256sum on Linux and CertUtil on Windows) installed locally on the server

    Do not use online tools to calculate the hash value as it would result in the disclosure of the clear text password.

Password reset steps

Do not use the password, salt and hash values of the examples below in a production environment.

  1. Stop MetaDefender ICAP Server

  2. Connect to the database

    Connect as a user that has read and write permissions on the database (typically root on Linux and Administrator on Windows). Using unprivileged accounts may give unexpected results.

    Linux example (sqlite3)
    # sqlite3 /var/lib/mdicapsrv/config.db.sqlite
    Windows example (sqlite3)
    > sqlite3.exe "C:\Program Files\OPSWAT\Metadefender ICAP Server\data\config.db.sqlite"
  3. Query the settings of the admin user

    Example (sqlite3)
    sqlite> SELECT settings FROM users WHERE name = 'admin';
  4. Save the result settings string for later use

    Example
    {"email":"admin@localhost","password":"f7fe7874618b3468c262698bb46fd499421b38026a42c7ae0504c0cd8a097360","salt":"2ad530aa56844126860783e93552ccba"}
  5. Take the salt part from the settings string (2ad530aa56844126860783e93552ccba in the example above) and append the new password to it (NewPassword123 in the examples below)

    Example
    2ad530aa56844126860783e93552ccbaNewPassword123
  6. Calculate the hash of the salted new password

    Linux example
    $ echo 2ad530aa56844126860783e93552ccbaNewPassword123 | sha256sum -
    ece2b0dd63f31a6571c083742305a219d36143af3f60660f21677263fe57c96a -
    Windows example
    > copy con saltedpassword.txt
    2ad530aa56844126860783e93552ccbaNewPassword123^Z
            1 file(s) copied.

    > powershell get-filehash -algorithm sha256 saltedpassword.txt

    Algorithm       Hash                                                               Path
    ---------       ----                                                               ----
    SHA256          ECE2B0DD63F31A6571C083742305A219D36143AF3F60660F21677263FE57C96A   C:\saltedpassword.txt
  7. The result is the salted hash value of the new password

    Example
    ece2b0dd63f31a6571c083742305a219d36143af3f60660f21677263fe57c96a
  8. Replace the password part in the settings string with the salted hash value of the new password

    Example
    {"email":"admin@localhost","password":"ece2b0dd63f31a6571c083742305a219d36143af3f60660f21677263fe57c96a","salt":"2ad530aa56844126860783e93552ccba"}
  9. Update the database and set the new settings value for the user

    Do not use the password and salt values of the example below in a production environment!

    Example (sqlite3)
    sqlite> UPDATE users SET settings='{"email":"admin@localhost","password":"ece2b0dd63f31a6571c083742305a219d36143af3f60660f21677263fe57c96a","salt":"2ad530aa56844126860783e93552ccba"}' WHERE name = 'admin';
  10. Quit the SQLite client and start MetaDefender ICAP Server
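The script below is an added example, not OPSWAT's code, that performs steps 3 to 9 in one go against an in-memory SQLite stand-in for config.db.sqlite. It assumes only what the examples above show: a users table with name and settings columns, a settings JSON object with "email", "password" and "salt", and a stored password equal to the hex SHA-256 of the salt immediately followed by the password (no separator, no trailing newline). The table layout, the example_settings row and the NewPassword123 value are constructed for the demonstration and must not be reused in production.

```python
"""Added example (not OPSWAT's code): salted-hash password reset from
steps 3-9 of the page, run against an in-memory copy of the users table.

Assumed from the page's examples, not verified against the product:
  - table users(name, settings)
  - settings is a JSON object with "email", "password" and "salt"
  - password is hex(SHA-256(salt || password)), no separator, no newline
"""
import hashlib
import hmac
import json
import sqlite3

# Constructed sample row using the salt and hash from the page's example.
# Do not reuse these values in a production environment.
EXAMPLE_SETTINGS = (
    '{"email":"admin@localhost",'
    '"password":"f7fe7874618b3468c262698bb46fd499421b38026a42c7ae0504c0cd8a097360",'
    '"salt":"2ad530aa56844126860783e93552ccba"}'
)


def salted_hash(salt: str, password: str) -> str:
    """Steps 5-7: SHA-256 over the salt immediately followed by the password.

    Nothing is appended; note that `echo` without -n adds a newline to what
    it pipes into sha256sum, so compare against a known value before relying
    on either convention.
    """
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def rebuild_settings(settings_json: str, new_password: str) -> str:
    """Step 8: replace only the "password" field; salt and email are kept."""
    settings = json.loads(settings_json)
    settings["password"] = salted_hash(settings["salt"], new_password)
    # separators=(",", ":") reproduces the compact form shown on the page
    return json.dumps(settings, separators=(",", ":"))


def verify_password(settings_json: str, candidate: str) -> bool:
    """Check a candidate password against a settings string (constant-time compare)."""
    settings = json.loads(settings_json)
    expected = salted_hash(settings["salt"], candidate)
    return hmac.compare_digest(settings["password"], expected)


def reset_password(conn: sqlite3.Connection, username: str, new_password: str) -> str:
    """Steps 3 and 9: read the row, rebuild it, write it back in one transaction.

    Parameterised statements avoid the quoting problems of pasting JSON into
    an SQL literal by hand. Returns the new settings string.
    """
    with conn:  # commit on success, roll back if anything below raises
        row = conn.execute(
            "SELECT settings FROM users WHERE name = ?", (username,)
        ).fetchone()
        if row is None:
            raise LookupError(f"no user named {username!r}")
        new_settings = rebuild_settings(row[0], new_password)
        conn.execute(
            "UPDATE users SET settings = ? WHERE name = ?", (new_settings, username)
        )
    return new_settings


def demo_connection() -> sqlite3.Connection:
    """Constructed stand-in for config.db.sqlite holding only the admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, settings TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", EXAMPLE_SETTINGS))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = demo_connection()
    updated = reset_password(db, "admin", "NewPassword123")
    print(updated)
    print("new password verifies:", verify_password(updated, "NewPassword123"))
```

To use it against a real database, stop the server first (step 1), open the file with sqlite3.connect(path) as a user that can write it (step 2), and pass that connection to reset_password. Before doing so, run salted_hash on the salt and password from the example above and compare the result with the hash shown in step 7: that confirms the byte convention (with or without a trailing newline) that the hashing utility on your platform actually produced.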

General accounts

The above workaround works for any kind of account. Due to its complexity it is, however, not recommended for accounts other than admin.

For general unprivileged accounts it is much simpler to delete and then re-create the account.