Using Bcrypt: a better way to protect backend login than plaintext passwords
This guide is best explained over on Lightning Codes (lc0des)
- Connect via SSH to your Umbrel node. The user is umbrel; the password is the one you use to log in to the web frontend.
- Linux:
ssh umbrel@<internal ip/external ip/tor-name>
This is what the structure of your Umbrel node should look like if you run it on a raspi with the raspi image:
umbrel@umbrel:~ $ ls
umbrel
umbrel@umbrel:~ $ cd umbrel/
umbrel@umbrel:~/umbrel $ ls
LICENSE.md README.md SECURITY.md app-data apps bin bitcoin db docker-compose.yml electrs events info.json karen lnd logs nginx scripts statuses templates tor
umbrel@umbrel:~/umbrel $ id
uid=1000(umbrel) gid=1000(umbrel) groups=1000(umbrel),4(adm),20(dialout),24(cdrom),27(
To generate a new password you can use an online generator like this one, or use a simple Python script:
$ python thundercrypt.py -p securepassword
masterPassword: thunderhub-$2b$12$dysPVg6cRkoz0Qkq1EjMTu.iCXKOVSEybza8b8z3kxVlgyhLPpEW2
If the Python library bcrypt is missing:
pip install bcrypt
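The following is an added example, not the thundercrypt.py script named above (which this page does not show): it builds a value in the `thunderhub-$2b$12$...` format locally, so the password never leaves the machine, and audits a config for values that are still plaintext. The function names, the `password` key under `accounts`, and the minimum cost of 12 (taken from the sample hash above) are assumptions, and the sample config is constructed.

```python
import re

PREFIX = "thunderhub-"  # prefix seen on the hashed masterPassword above
# bcrypt layout: $2b$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Key names are assumptions; only masterPassword appears on this page.
KEY_RE = re.compile(r"^\s*(masterPassword|password)\s*:\s*(.*?)\s*$")


def make_master_password(plaintext, cost=12):
    """Hash locally and return the value to store in the config."""
    import bcrypt  # third-party: pip install bcrypt
    digest = bcrypt.hashpw(plaintext.encode(), bcrypt.gensalt(rounds=cost))
    return PREFIX + digest.decode()


def classify(value, min_cost=12):
    """Return 'plaintext', 'malformed', 'weak-cost' or 'hashed'."""
    value = value.strip().strip("'\"")
    if not value.startswith(PREFIX):
        return "plaintext"
    m = BCRYPT_RE.match(value[len(PREFIX):])
    if m is None:
        return "malformed"  # has the prefix but is not a full bcrypt string
    return "hashed" if int(m.group(1)) >= min_cost else "weak-cost"


def audit(config_text):
    """List (line number, key, verdict) for every password-like key."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = KEY_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(2))))
    return findings


# Constructed sample config; the first hash is the one printed above.
SAMPLE = """\
masterPassword: thunderhub-$2b$12$dysPVg6cRkoz0Qkq1EjMTu.iCXKOVSEybza8b8z3kxVlgyhLPpEW2
accounts:
  - name: node-a
    password: 'securepassword'
  - name: node-b
    password: thunderhub-$2b$04$dysPVg6cRkoz0Qkq1EjMTu.iCXKOVSEybza8b8z3kxVlgyhLPpEW2
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```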
Close the file with CTRL+X, Y and possibly Carriage Return/Enter.
- Find the ThunderHub container in Docker
umbrel@umbrel:~/umbrel $ docker ps
Now we get a quick overview of what's going on.
ad488d7a9ceb shahanafarooqui/rtl:0.10.1 "/sbin/tini -g -- no…" 3 days ago Up 3 days 3000/tcp, 0.0.0.0:3001->3001/tcp ride-the-lightning_web_1
1d8bd7ab81ca louneskmt/loop:v0.12.1-beta "/bin/loopd --networ…" 3 days ago Up 3 days 8081/tcp, 11010/tcp ride-the-lightning_loop_1
ef244d3e2483 apotdevin/thunderhub:v0.12.14 "docker-entrypoint.s…" 4 days ago Up 4 days 0.0.0.0:3000->3000/tcp thunderhub_web_1
7902c05d3b86 mempool/frontend:v2.1.2 "/patch/entrypoint.s…" 4 days ago Up 4 days 80/tcp, 0.0.0.0:3006->3006/tcp mempool_web_1
7ace30a30c42 mariadb:10.5.8 "docker-entrypoint.s…" 4 days ago Up 4 days 3306/tcp mempool_mariadb_1
a53c3e3b2489 mempool/backend:v2.1.2 "docker-entrypoint.s…" 4 days ago Up 4 days 8999/tcp
Umbrel puts each service in its own container; this is best practice.
umbrel@umbrel:~/umbrel $ docker ps|grep thunderhub
ef244d3e2483 apotdevin/thunderhub:v0.12.14 "docker-entrypoint.s…" 4 days ago Up 4 days 0.0.0.0:3000->3000/tcp thunderhub_web_1
We pick the first field (ef244d3e2483) as our id. With another docker command we can easily restart the container.
umbrel@umbrel:~/umbrel $ docker restart ef244d3e2483
ef244d3e2483
Let's check that it has really restarted:
ef244d3e2483 apotdevin/thunderhub:v0.12.14 "docker-entrypoint.s…" 4 days ago Up 34 seconds 0.0.0.0:3000->3000/tcp thunderhub_web_1
If everything worked, you can now access your ThunderHub with the new password.
Notes from my own experience.
You may need to uninstall the app you're changing the password on, then reinstall it AFTER you have made these changes to the *.config files/restarted the Docker container. Then reinstall the app, which would now be using the new password.
You do not need to worry about using this on umbrel apps which allow/ask you to setup a new password on install/setup.
Use with caution whenever you're messing with the applications, which includes uninstalling then reinstalling, as you could lose your stuff…
Treat this as a specific workaround for adding that peace-of-mind protection to some of the naked passwords used on Umbrel.
From what I have read from Umbrel devs, they are actively working on an SSO security auth system for all the apps.
All credits to:
Lightning Codes (lc0des)
Strongly suggest you go and read the full complete guide.