- Tom Kopchak
- May 24, 2018
- Tested on Splunk Version: N/A
Forgetting the credentials of a product you're using can be a real problem. This tutorial will help if you've locked yourself out of your Splunk instance and need to regain access by resetting the admin account.
We’ve all been there and done it - forgetting or otherwise losing access to the administrative credentials of a product we’re using. Whatever the reason, sometimes you’re in a situation where you need to reset this type of account on a system. If this application is Splunk, you’re in the right place.
(Note: these steps assume that you have access to the operating system/file system of the system running Splunk as the user running Splunk or the root user. If you do not have this level of access, you will need to be able to access the operating system before you perform password recovery on the Splunk software itself).
In versions of Splunk preceding 7.1 (7.0.x, 6.6.x, and earlier), resetting the admin password was rather trivial: move $SPLUNK_HOME/etc/passwd out of the way, restart Splunk, and log in with the default admin/changeme credentials, which Splunk recreated on startup.
With the introduction of Splunk 7.1, the default admin/changeme account has been removed, so this method of password recovery no longer works. If you restart a 7.1 install without a passwd file, you will be greeted with the following message in Splunk Web when trying to log in:
Of course, it's rather difficult to create a user using the traditional methods (the splunk add user command, or adding one through Splunk Web) if you do not have a working account to log in with. Fortunately, even in Splunk 7.1, not all hope is lost.
There are two approaches that will work in this case: resetting the password hash to a known one or using user-seed.conf. Let’s explore both options.
Splunk passwords are stored in hashed form in $SPLUNK_HOME/etc/passwd. This file uses a colon-delimited layout much like the /etc/passwd file you would find on any typical Linux system, except that the password hashes are stored directly in the passwd file rather than in an equivalent of /etc/shadow. That makes the file sensitive: anyone who can read it can run an offline guessing attack against the hashes, and anyone who can write it can do exactly what this tutorial does, so it should be readable and writable by the user running Splunk only.
A sample Splunk passwd file would look something like this:
```
splunk@hostname:/opt/splunk/etc# cat passwd
:admin:$6$s0CKRhvSS6CSGsA3$Auyk5ZB67F6B44gdaHELjR0Xe0SqYpg5fbfLnchxrneuW2jj/dsqboNffawxtWj0vCjp8syTvrVXksueRRHcD1::Administrator:admin:firstname.lastname@example.org:::17674
:tom:$6$H9WxryJqDJMAaxjW$JbQUK8VTRZw4UdUu65MLou4GEEHrUgovksy121xQWTEieRf/KoKqinExsvdLkTWgjFw61jAGIXsh6p2KVzOSP.::Tom:user::::17674
```
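To make the layout concrete, here is a small parser for that file, written as an added example for this post (it is not code from the post or from Splunk). It reads the two records above, which are embedded as constructed sample input, and pulls out the pieces you care about during a recovery: who holds the admin role, which hash scheme each account uses, and the salt inside each `$6$` hash. Only the username, hash, real name, roles and e-mail fields are visible in the sample; the remaining field names, and the reading of the last field as days since the Unix epoch (17674 is 2018-05-23, the day before this post), are assumptions.

```python
"""Parse Splunk's $SPLUNK_HOME/etc/passwd into user records and audit it.

Added example; this is not code from the original post or from Splunk.
Only the username, hash, real name, roles and e-mail fields are visible in
the page's sample; the other field names here are assumptions, and the
last field is assumed to be days since the Unix epoch (17674 = 2018-05-23).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample input: the two records shown on the page.
SAMPLE_PASSWD = (
    ":admin:$6$s0CKRhvSS6CSGsA3$Auyk5ZB67F6B44gdaHELjR0Xe0SqYpg5fbfLnchxrneuW2jj"
    "/dsqboNffawxtWj0vCjp8syTvrVXksueRRHcD1::Administrator:admin:"
    "firstname.lastname@example.org:::17674\n"
    ":tom:$6$H9WxryJqDJMAaxjW$JbQUK8VTRZw4UdUu65MLou4GEEHrUgovksy121xQWTEieRf"
    "/KoKqinExsvdLkTWgjFw61jAGIXsh6p2KVzOSP.::Tom:user::::17674\n"
)


@dataclass
class SplunkUser:
    username: str
    password_hash: str
    realname: str
    roles: list
    email: str
    last_change: str      # assumed: days since epoch, as in /etc/shadow
    extra: list = field(default_factory=list)  # fields we don't interpret, kept verbatim


def parse_passwd_line(line: str) -> SplunkUser:
    """Split one record; every record begins with ':' so the first field is empty."""
    f = line.rstrip("\n").split(":")
    if len(f) != 10 or f[0] != "":
        raise ValueError(f"unexpected layout ({len(f)} fields): {line!r}")
    return SplunkUser(
        username=f[1], password_hash=f[2], realname=f[4],
        roles=[r for r in f[5].split(",") if r], email=f[6],
        last_change=f[9], extra=[f[3], f[7], f[8]],
    )


def parse_passwd(text: str) -> list:
    return [parse_passwd_line(l) for l in text.splitlines() if l.strip()]


def salt_of(pw_hash: str) -> str:
    """The random salt sits between the second and third '$' of a $6$ (SHA-512 crypt) hash."""
    parts = pw_hash.split("$")
    if len(parts) != 4 or parts[1] != "6":
        raise ValueError(f"not a $6$ hash: {pw_hash!r}")
    return parts[2]


def users_with_role(users: list, role: str) -> list:
    """Who holds a given role; 'admin' is the list you care about after a recovery."""
    return [u.username for u in users if role in u.roles]


def non_sha512_users(users: list) -> list:
    """Accounts whose hash isn't the $6$ form: worth a look, since that is what mkpasswd -m sha-512 emits."""
    return [u.username for u in users if not u.password_hash.startswith("$6$")]


def last_change_date(user: SplunkUser) -> date:
    return date(1970, 1, 1) + timedelta(days=int(user.last_change))


if __name__ == "__main__":
    for u in parse_passwd(SAMPLE_PASSWD):
        print(f"{u.username:8} roles={','.join(u.roles):8} salt={salt_of(u.password_hash)} "
              f"changed={last_change_date(u)}")
```

Run it against a real file with `parse_passwd(open("/opt/splunk/etc/passwd").read())`; the `ValueError` on an unexpected field count is deliberate, so a future layout change fails loudly instead of silently mis-assigning fields.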
In this example, there are two Splunk users:
- admin (real name "Administrator", role admin)
- tom (real name "Tom", role user)
Let's say that we don't know the password for the admin user but don't want to break Tom's access. We'll handle this by updating only the password hash in the passwd file for the admin user.
Here's how you do this. First, generate a SHA-512 crypt hash (the `$6$` format used in the file) for the new password with mkpasswd. On this Ubuntu host it was not installed yet; fortunately, the error message was self-explanatory:
```
# mkpasswd
The program 'mkpasswd' is currently not installed. You can install it by typing:
apt install whois

# apt install whois

# mkpasswd -m sha-512
Password:
$6$yzIST1aK$LVDaqom/YrwjuIwu4z158FYhPYnoPG3uOyJ83SmNgoJjrYc1ubYpNvI1vnCBv7g8MPVz.W.nwy7VLNwBRWsuY0
```
Now replace the third field of the admin line in $SPLUNK_HOME/etc/passwd (the old hash, between the second and third colons) with this value, leaving Tom's line and every other field alone, then restart Splunk so the new hash is read. You can then log in as admin with the password you typed at the mkpasswd prompt.
Note: if you run the mkpasswd command multiple times, you will get different output even if you use the same password. That is expected: mkpasswd picks a fresh random salt on every run (the `yzIST1aK` between the second and third `$`), and the hash is computed over salt and password together, so any of them checks out against the same password. For example, both the hash above and the following are password hashes for the legacy Splunk default password, "changeme".
The password hashes are portable (they are standard crypt(3) SHA-512 hashes, not tied to the host that generated them), so you don't even need to generate one: in a pinch, the hashes on this page will reset your password to changeme. Treat that strictly as a break-glass step and change the password again as soon as you're back in.
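The following is an added example for the approach just described (not code from the original post or from Splunk). It carries a pure-Python implementation of the crypt(3) SHA-512 scheme that `mkpasswd -m sha-512` produces, so it works on a host where mkpasswd isn't installed, demonstrates why two runs with the same password give different hashes (a random salt, which is embedded in the hash and reused to verify it), and rewrites only the admin user's hash field while leaving every other line intact. The only thing it assumes about the passwd file is what the sample above shows: one user per line, hash in the third colon-separated field. The `reset_password` path (file name, backup name, atomic replace) is this example's own design, not a Splunk procedure.

```python
"""Generate, verify and install a $6$ (SHA-512 crypt) hash for a Splunk user.

Added example; not code from the original post or from Splunk. It carries a
pure-Python reimplementation of the crypt(3) SHA-512 scheme that
mkpasswd -m sha-512 produces, so it runs where mkpasswd isn't installed,
and shows why repeated mkpasswd runs differ: the salt after the second '$'
is random, and a hash verifies by re-hashing with the salt it embeds.
The only assumption about the passwd file is what the page's sample shows:
one user per line, hash in the third colon-separated field.
"""
import hashlib
import os
import secrets
import shutil

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order in which sha512-crypt encodes the final 64-byte digest: 21 triples, then byte 63.
_ORDER = [(22 * i % 63, (22 * i + 21) % 63, (22 * i + 42) % 63) for i in range(21)]


def _enc24(b2: int, b1: int, b0: int, n: int) -> str:
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out, w = out + _B64[w & 0x3F], w >> 6
    return out


def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """Drepper's sha512-crypt, as used by glibc crypt(3) and mkpasswd -m sha-512."""
    pw, s, sha = password.encode(), salt.encode()[:16], hashlib.sha512
    b = sha(pw + s + pw).digest()
    a = sha(pw + s)
    n = len(pw)
    while n > 0:                   # digest B once per 64 bytes of password length, then the remainder
        a.update(b[:min(n, 64)])
        n -= 64
    n = len(pw)
    while n > 0:                   # bits of len(pw), low first: 1 -> B, 0 -> password
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = (sha(pw * len(pw)).digest() * (len(pw) // 64 + 1))[:len(pw)]
    ss = (sha(s * (16 + a[0])).digest() * (len(s) // 64 + 1))[:len(s)]
    c = a
    for i in range(rounds):        # the slow part: 5000 chained SHA-512 rounds by default
        ctx = sha(p if i & 1 else c)
        if i % 3:
            ctx.update(ss)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    enc = "".join(_enc24(c[x], c[y], c[z], 4) for x, y, z in _ORDER) + _enc24(0, 0, c[63], 2)
    return ("$6$" if rounds == 5000 else f"$6$rounds={rounds}$") + s.decode() + "$" + enc


def new_hash(password: str) -> str:
    """What each mkpasswd run does: draw a fresh 16-character random salt, then hash."""
    return sha512_crypt(password, "".join(secrets.choice(_B64) for _ in range(16)))


def verify(password: str, pw_hash: str) -> bool:
    """Re-hash with the salt (and round count) embedded in pw_hash and compare in constant time."""
    parts = pw_hash.split("$")
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a $6$ sha512-crypt hash")
    rounds, salt = 5000, parts[2]
    if salt.startswith("rounds="):
        rounds, salt = int(salt[len("rounds="):]), parts[3]
    return secrets.compare_digest(sha512_crypt(password, salt, rounds), pw_hash)


def set_hash(passwd_text: str, username: str, pw_hash: str) -> str:
    """Replace only the hash field of `username`; every other line and field stays byte-for-byte."""
    out, found = [], False
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) > 2 and f[1] == username:
            f[2], found = pw_hash, True
        out.append(":".join(f))
    if not found:
        raise KeyError(f"no user {username!r} in passwd")
    return "\n".join(out) + "\n"


def reset_password(passwd_path: str, username: str, password: str) -> str:
    """Back the file up, rewrite it atomically with the same mode, and return the new hash."""
    with open(passwd_path) as fh:
        text = fh.read()
    shutil.copy2(passwd_path, passwd_path + ".bak")  # keeps the old hashes; delete it when done
    pw_hash = new_hash(password)
    tmp = passwd_path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(set_hash(text, username, pw_hash))
    shutil.copymode(passwd_path, tmp)                 # Splunk must still be able to read it
    os.replace(tmp, passwd_path)
    return pw_hash


if __name__ == "__main__":
    h1, h2 = new_hash("changeme"), new_hash("changeme")
    print(h1, h2, sep="\n")       # same password, different salts, different hashes ...
    print(verify("changeme", h1), verify("changeme", h2), verify("Changeme", h1))  # ... both verify
    # On a real box, as the user running Splunk, then restart Splunk:
    # reset_password("/opt/splunk/etc/passwd", "admin", "NewStr0ngPassw0rd!")
```

`verify` is also the quick way to confirm that a hash you copied from somewhere really is the password you think it is before you paste it into the file. The `.bak` copy still contains valid hashes, so remove it once you're back in.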
In Splunk 6.5, the user-seed.conf file was added to Splunk docs as a mechanism for specifying the default credentials for a new Splunk installation. This file is only relevant when $SPLUNK_HOME/etc/passwd is not present, so using it will be similar to the legacy password recovery method of moving the passwd file, restarting Splunk, and logging in with admin/changeme.
Note: user-seed.conf enforces password complexity rules. If you use a simple password (such as changeme), the password will not be set by this method (unless you use a password hash instead).
To reset the password using this method, first move the existing passwd file out of the way, then create user-seed.conf with either a plaintext password (which must satisfy the complexity rules) or a hash generated with mkpasswd as above:
```
# mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak
# cat $SPLUNK_HOME/etc/system/local/user-seed.conf
[user_info]
USERNAME = admin
PASSWORD = I<3bigDATA
<OR>
HASHED_PASSWORD = $6$jGVSWgEXnuSm$7twqk8X2viWSSESevnFtE3MBqpE7kKhPOo2p8Ee261E2VcZxNH6rIp3N4JDlBgstZf/Tv6ADgGrQpKLEFTyeT1
```
Note: the `<OR>` marks the choice: use either the PASSWORD line or the HASHED_PASSWORD line, not both. If you want to use a password hash, generate one using the mkpasswd method above.
Then restart Splunk. On startup it creates a fresh passwd file containing the seeded admin user, and the seed file is gone afterwards:
```
# cat $SPLUNK_HOME/etc/passwd
:admin:$6$ZErE6BICFIv.SpPi$gMJaTh4Qb1jg/YMkRtpob6x9VyFvomOXkJLI4KzwqJnxuEANS3ZpBlGIlZkKwRuNBZ10Edh6EFw.vAboKEuQU/::Administrator:admin:email@example.com:::17674

# cat /opt/splunk/etc/system/local/user-seed.conf
cat: /opt/splunk/etc/system/local/user-seed.conf: No such file or directory
```
Unlike the first approach, this one starts from an empty user list, so any other accounts will need to be recreated once you're back in. passwd.bak still holds their hashes (and the old admin hash), so either restore their lines from it or delete it when you're done.
Hopefully these steps will be able to help you out if you ever lock yourself out of your Splunk instance and forget the keys, or need to take over management of a Splunk instance where no one has administrative credentials. Happy Splunking!