[GUIDE] Changing the password of Umbrel apps which use a hardcoded password (Guide from: lc0des)

A better way to protect the backend login than plaintext passwords: hashing them with bcrypt
This guide is best explained over on Lightning Codes (lc0des)

  1. Connect via SSH to your Umbrel node. The user is umbrel; the password is the one you use to log in to the web frontend.
  2. Linux:
ssh umbrel@<internal ip/external ip/tor-name>

This is what the structure of your Umbrel node should look like if you run it on a raspi with the raspi image:

umbrel@umbrel:~ $ ls
umbrel
umbrel@umbrel:~ $ cd umbrel/
umbrel@umbrel:~/umbrel $ ls
LICENSE.md  README.md  SECURITY.md  app-data  apps  bin  bitcoin  db  docker-compose.yml  electrs  events  info.json  karen  lnd  logs  nginx  scripts  statuses  templates  tor
umbrel@umbrel:~/umbrel $ id
uid=1000(umbrel) gid=1000(umbrel) groups=1000(umbrel),4(adm),20(dialout),24(cdrom),27(

To generate a new password hash, you can use an online generator like this one, or you can use a simple Python script:

$ python thundercrypt.py -p securepassword
masterPassword: thunderhub-$2b$12$dysPVg6cRkoz0Qkq1EjMTu.iCXKOVSEybza8b8z3kxVlgyhLPpEW2

If the python library bcrypt is missing:

pip install bcrypt
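A local generator for the same kind of value, as an added example (this is not lc0des' thundercrypt.py): it reads the password with getpass so it lands neither in shell history nor on a website, hashes it with bcrypt, and verifies the result before printing. The `thunderhub-` prefix and cost 12 are taken from the sample output above; the function names are assumptions of this example.

```python
#!/usr/bin/env python3
# Added example, not lc0des' thundercrypt.py.
import getpass
import re
import sys

PREFIX = "thunderhub-"  # prefix taken from the guide's sample output
# bcrypt string: $2b$<cost>$ followed by 22 salt chars + 31 digest chars
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def parse_master_password(value):
    """Return the bcrypt cost if value is 'thunderhub-<bcrypt hash>', else None."""
    if not value.startswith(PREFIX):
        return None  # e.g. a plaintext password still sitting in the config
    match = BCRYPT_RE.match(value[len(PREFIX):])
    return int(match.group(1)) if match else None


def make_master_password(password, cost=12):
    """Hash password with bcrypt and return it in the prefixed form."""
    import bcrypt  # third-party: pip install bcrypt
    raw = password.encode("utf-8")
    if len(raw) > 72:
        raise ValueError("bcrypt only hashes the first 72 bytes")
    hashed = bcrypt.hashpw(raw, bcrypt.gensalt(rounds=cost))
    return PREFIX + hashed.decode("ascii")


def check_master_password(password, value):
    """True if password matches a prefixed bcrypt value."""
    import bcrypt
    if parse_master_password(value) is None:
        return False
    digest = value[len(PREFIX):].encode("ascii")
    return bcrypt.checkpw(password.encode("utf-8"), digest)


if __name__ == "__main__":
    # getpass keeps the password out of shell history and the process list
    pw = getpass.getpass("New password: ")
    if pw != getpass.getpass("Repeat password: "):
        sys.exit("passwords do not match")
    value = make_master_password(pw)
    if not check_master_password(pw, value):
        sys.exit("verification failed")
    print("masterPassword:", value)
```

`parse_master_password` can also be pointed at a value already in a config file to tell whether it is a bcrypt hash or still plaintext.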

Close the file with CTRL+X, Y and possibly Carriage Return/Enter.

  1. Find the ThunderHub container in Docker
umbrel@umbrel:~/umbrel $ docker ps

Now we get a quick overview of what's going on.

ad488d7a9ceb   shahanafarooqui/rtl:0.10.1             "/sbin/tini -g -- no…"   3 days ago       Up 3 days       3000/tcp, 0.0.0.0:3001->3001/tcp                                                                ride-the-lightning_web_1
1d8bd7ab81ca   louneskmt/loop:v0.12.1-beta            "/bin/loopd --networ…"   3 days ago       Up 3 days       8081/tcp, 11010/tcp                                                                             ride-the-lightning_loop_1
ef244d3e2483   apotdevin/thunderhub:v0.12.14          "docker-entrypoint.s…"   4 days ago       Up 4 days       0.0.0.0:3000->3000/tcp                                                                          thunderhub_web_1
7902c05d3b86   mempool/frontend:v2.1.2                "/patch/entrypoint.s…"   4 days ago       Up 4 days       80/tcp, 0.0.0.0:3006->3006/tcp                                                                  mempool_web_1
7ace30a30c42   mariadb:10.5.8                         "docker-entrypoint.s…"   4 days ago       Up 4 days       3306/tcp                                                                                        mempool_mariadb_1
a53c3e3b2489   mempool/backend:v2.1.2                 "docker-entrypoint.s…"   4 days ago       Up 4 days       8999/tcp                                                                             

Umbrel runs each service in its own container, which is best practice.

umbrel@umbrel:~/umbrel $ docker ps|grep thunderhub
ef244d3e2483   apotdevin/thunderhub:v0.12.14 "docker-entrypoint.s…" 4 days ago Up 4 days 0.0.0.0:3000->3000/tcp thunderhub_web_1

We pick the first field (ef244d3e2483) as our id. With another docker command we can easily restart the container.

umbrel@umbrel:~/umbrel $ docker restart ef244d3e2483
ef244d3e2483

Let's check whether it has really restarted:

ef244d3e2483   apotdevin/thunderhub:v0.12.14 "docker-entrypoint.s…"   4 days ago Up 34 seconds 0.0.0.0:3000->3000/tcp thunderhub_web_1

If everything worked, you can now access your ThunderHub with the new password.

Notes from my own experience:

You may need to uninstall the app you're changing the password on, then reinstall it AFTER you have made these changes to the *.config files/restarted the Docker container. The reinstalled app would then be using the new password.

You do not need to worry about using this on umbrel apps which allow/ask you to setup a new password on install/setup.

Use with caution whenever you're messing with the applications, which includes uninstalling then reinstalling, as you could lose your stuff…

Treat this as a specific workaround for adding that peace-of-mind protection to some of the naked passwords used on Umbrel.

From what I have read from Umbrel devs, they are actively working on an SSO security auth system for all the apps.

All credits to:
Lightning Codes (lc0des)
Strongly suggest you go and read the full complete guide.