Add instructions to allow BHCE deployment WITHOUT forcing admin password change
Hello,
I learned a wonderful tidbit in your Slack about how BHCE could be deployed without forcing an admin password change (handy when you're going to run tools/queries against a BH instance on a headless system).
If you run this:
./bloodhound-cli config set default_admin.expire_now False
And then run a fresh BHCE deployment, you're good to go! Here's the full chat context if it helps:
This would be great to add to your documentation please!
Just to note for future discussion: this was intentionally left undocumented due to it and setting a default password directly being security concerns. I think it's come up enough times to warrant proper documentation, but we will want to make sure the documentation gives appropriate warnings for these more sensitive fields. There are valid use cases for automated deployments, but I want us to be up front about the potential risks if they're going to be more user facing.
It could be nice to have the bloodhound-cli tool packaged within the BloodHound docker image in order to have this low-level control on the application at runtime. What do you think? Is it worth an issue?
bloodhound-cli was primarily designed as a wrapper around the docker image. Ultimately, it's just modifying config/env vars to toggle functionality in the container before starting the container. Modifying these parameters while the application is running isn't really possible, since the application only checks config file/env vars at startup.
Fair enough ;)
Is it possible to put this variable inside an env var? Something like bhe_default_admin_expire_now=false?
I don't see any docs on env vars...
For now, I'm able to achieve this by bind-mounting (read-only) the bloodhound.config.json file with this content:
"default_admin": {
  "expire_now": false
}
You should be able to set it with that env var. There's some documentation here on the wiki for how to format env vars, and all config options are parsed from env vars as long as they're formatted correctly.
For posterity, here is the link to the doc.
The variable to set in the compose file is:
- bhe_default_admin_expire_now=${bhe_default_admin_expire_now}
And in the .env:
bhe_default_admin_expire_now=false
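
A deployment check for the setting discussed in this thread, as an added example that is not part of the original thread or the BloodHound project's code: it reports where forced admin password expiry has been switched off, through the config file or through the env var passed in by compose. The function names and sample inputs are constructed for illustration, and it assumes only the "False"/"false" spellings seen above need matching.

```python
import json
import re

ENV_KEY = "bhe_default_admin_expire_now"  # variable name as given in the thread

def is_false(value):
    # Assumption: only the spellings seen in the thread ("False", "false") are matched.
    return str(value).strip().strip("'\"").lower() == "false"

def parse_dotenv(text):
    """Parse KEY=value lines of a .env file, skipping blanks and comments."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            pairs[key.strip()] = value.strip()
    return pairs

def resolve(value, dotenv):
    """Expand a ${NAME} reference, as used by the compose entry in the thread."""
    match = re.fullmatch(r"\$\{(\w+)\}", value.strip())
    return dotenv.get(match.group(1), "") if match else value

def audit(config_text, dotenv_text, compose_env):
    """Return the places where forced admin password expiry is switched off."""
    findings = []
    config = json.loads(config_text) if config_text.strip() else {}
    admin = config.get("default_admin") or {}
    if admin.get("expire_now") is False:
        findings.append("bloodhound.config.json: default_admin.expire_now is false")
    dotenv = parse_dotenv(dotenv_text)
    # A .env value only matters if a compose environment entry passes it through.
    for entry in compose_env:
        key, _, value = entry.partition("=")
        # Key compared case-insensitively so other spellings are reported (assumption).
        if key.strip().lower() == ENV_KEY and is_false(resolve(value, dotenv)):
            findings.append("compose environment: " + ENV_KEY + " resolves to false")
    return findings

# Constructed sample inputs mirroring the snippets quoted in the thread.
SAMPLE_CONFIG = '{"default_admin": {"expire_now": false}}'
SAMPLE_DOTENV = "# constructed .env\nbhe_default_admin_expire_now=false\n"
SAMPLE_COMPOSE_ENV = ["bhe_default_admin_expire_now=${bhe_default_admin_expire_now}"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_DOTENV, SAMPLE_COMPOSE_ENV):
        print("WARN", finding)
```

Run against the files of a real deployment, an empty result means neither source disables the forced password change.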