An existing user suddenly can't view any passwords
We have been using TeamPass version 3.1.4.31 for some time now without issue. Today, one user reported that they can't view any passwords (it worked fine yesterday). Nothing has changed. The error seen is:
"It seems your password has changed and Teampass requires it to encrypt your master private key."
even though their password hasn't changed.
We use OAuth2 with Entra ID, so no local authentication or LDAP. They tried regenerating new keys and it didn't help. I deleted their account and added them back in (waited for the tasks to complete) and now they are constantly asked for their old password, which is always rejected. They can click past it but still can't view any passwords.
How do we fix this for the user?
Hello @DaveWebb2 Have you found something? I'm facing the same kind of issue for a couple of users.
While digging into that, I noticed that impacted users have no or few generated share keys. I don't think the issue is linked to how you log in to Teampass (Entra, AD or local).
No, I have no solution yet. Was it working fine for your user and then suddenly stopped working?
Yes, it was working fine before, but not anymore. Users are losing the share keys linked to items. This seems to happen after they regenerate their personal key (a window pops up asking for the old and current password; we couldn’t close it without generating a new personal key).
When I look in the database, I see large differences in the number of share keys between users who have the same access/role.
That doesn't seem to be the case for me:
After deleting and creating the user again they constantly see this message:
"We need to generate the keys database for your account. Please provide your encryption code."
However, nothing seems to work, it always says bad code even though the user enters the correct code.
I notice in the teampass_users table that there is no key_tempo value for this user; not sure what that does or if it is relevant?
I have set the otp_provided value to 1 for this user and they can now get past the key error message but still can't see any passwords.
@nilsteampassnet are you able to advise please? This is affecting us in production.
That's what I found - details here: https://github.com/nilsteampassnet/TeamPass/issues/4880 - the only working workaround is to generate from the user account, not with your admin account. Maybe your solution of setting otp_provided to 1 lets you avoid losing the shared keys - I don't know.
This hasn't worked for us, we tried generating new keys as an admin and the user, they still can't see any passwords.
@DaveWebb2 @guerricv could you have a chance to test the proposed fix?
Hello @nilsteampassnet,
Thanks for your prompt reply.
I'm currently testing your fix on a Veeam SureBackup.
- the key tempo is now working fine and is accepted for a new user or an existing one
- Unfortunately we still have no or not enough share keys for items, for example:

MariaDB [teampassdb]> SELECT u.id, u.login, COALESCE(sk.nb_sharekeys,0) AS nb_sharekeys
    -> FROM teampass_users u
    -> LEFT JOIN (
    ->     SELECT user_id, COUNT(*) AS nb_sharekeys
    ->     FROM teampass_sharekeys_items
    ->     GROUP BY user_id
    -> ) sk ON sk.user_id = u.id
    -> WHERE u.id IN (10000166,10000165,10000092, 10000157, 10000033)
    -> ORDER BY u.login;
+----------+-------------------+--------------+
| id       | login             | nb_sharekeys |
+----------+-------------------+--------------+
| 10000166 | xxxxxxxxxxxxxxxxx |            2 |   => new user (should have around 9200 share keys)
| 10000157 | xxxxxxxxxxxxxxxxx |           26 |   => existing user (should have around 9200 share keys)
| 10000033 | xxxxxxxxxxxxxxxxx |         9200 |   => existing user with no problem
| 10000165 | xxxxxxxxxxxxxxxxx |            2 |   => existing user (should have around 9200 share keys)
| 10000092 | xxxxxxxxxxxxxxxxx |           12 |   => existing user (should have around 9200 share keys)
+----------+-------------------+--------------+
5 rows in set (2.745 sec)
If necessary, I can provide access to my test environment.
@nilsteampassnet thank you for looking into this quickly. I have uploaded the 5 changed files and the user has reported that the new OTP was accepted, so that part seems to be resolved. However, they are still unable to view any passwords. They see this message for all items:
It seems your password has changed and Teampass requires it to encrypt your master private key
All users log in using OAuth with Microsoft Entra, so I'm not sure why it cares about the password changing, especially as the user hasn't changed their AD/Entra password.
Thanks for the feedback. So the issue itself is solved but it has corrupted the share keys. That's why your users don't see the password items. We need to regenerate the master keys. One tool exists but as it is quite sensitive it is not enabled and a change is required in the code. I currently don't have access to my environment so I can't provide the process just now. Will do this evening. Otherwise you can use a backup, looking for the share keys of user_id 9999997. If I'm not wrong, you should have just a few of them in the sharekeys_items table. You can import the missing ones from the backup.
Indeed:
Check on a backup before the issue:
@nilsteampassnet I succeeded on a SureBackup in importing the missing keys.
What I did:
- Applied the fix you provided to production.
- Export from backup with:
  mysqldump --no-create-info --skip-triggers --compact -u root -p teampassdb teampass_sharekeys_items --where="user_id=9999997" > /tmp/tp_sharekeys_9999997.sql
- Import with:
  - Temp table:
    sudo mysql -e "DROP TABLE IF EXISTS teampassdb.tmp_tp9999997; CREATE TABLE teampassdb.tmp_tp9999997 LIKE teampassdb.teampass_sharekeys_items;"
  - Duplicate the dump and replace the table name with the temp table:
    cp /home/guerric/tp_sharekeys_9999997.sql /home/guerric/tp_sharekeys_9999997_for_tmp.sql
    sed -i 's/teampass_sharekeys_items/tmp_tp9999997/g' /home/guerric/tp_sharekeys_9999997_for_tmp.sql
  - Import into the temp table:
    sudo mysql teampassdb < /home/guerric/tp_sharekeys_9999997_for_tmp.sql
  - Check that the dump loaded keys for ID 9999997:
    sudo mysql -D teampassdb -e "SELECT COUNT(*) AS cnt FROM tmp_tp9999997 WHERE user_id=9999997;"
  - If count (cnt) > 0, replace the current entries with those from the dump:
    sudo mysql -D teampassdb -e "START TRANSACTION; DELETE FROM teampass_sharekeys_items WHERE user_id=9999997; INSERT INTO teampass_sharekeys_items (object_id, user_id, share_key) SELECT object_id, user_id, share_key FROM tmp_tp9999997 WHERE user_id=9999997; COMMIT;"
  - Final check:
    sudo mysql -D teampassdb -e "SELECT u.id, u.login, COALESCE(sk.nb_sharekeys,0) AS nb_sharekeys FROM teampass_users u LEFT JOIN (SELECT user_id, COUNT(*) nb_sharekeys FROM teampass_sharekeys_items GROUP BY user_id) sk ON sk.user_id=u.id WHERE u.id=9999997;"
Once this is applied, new users have all the needed keys, and users who lost keys simply need to regenerate their OTP to get their keys back.
Is this the right process to apply on my production server? I did the export and import on two different backups: Oct 1st for the export and a fresh one for the import. Could there be a gap—some missing keys?
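Before touching teampass_sharekeys_items it helps to know exactly which users are short of keys and which object_ids they lack, rather than only comparing totals. The queries below are an added example for this thread, not code from the TeamPass project; they use only the table and column names that appear above (teampass_users.id / login, teampass_sharekeys_items.object_id / user_id / share_key) and assume, as the thread does, that the rows held by user_id 9999997 are the reference set every user should have a share key for. Users with restricted folder access are expected to hold fewer rows, so compare accounts with the same role, as the per-user count above does.

```sql
-- Added example (MariaDB syntax), read-only: run before any restore.
-- Assumption: user_id 9999997 holds one share key per object that every
-- full-access user should also hold.

-- 1. Users whose share-key count is below the reference holder's count.
SELECT u.id,
       u.login,
       COALESCE(sk.nb_sharekeys, 0)                 AS nb_sharekeys,
       m.nb_master - COALESCE(sk.nb_sharekeys, 0)   AS missing
FROM teampass_users u
LEFT JOIN (SELECT user_id, COUNT(*) AS nb_sharekeys
           FROM teampass_sharekeys_items
           GROUP BY user_id) sk ON sk.user_id = u.id
CROSS JOIN (SELECT COUNT(*) AS nb_master
            FROM teampass_sharekeys_items
            WHERE user_id = 9999997) m
WHERE u.id <> 9999997
  AND COALESCE(sk.nb_sharekeys, 0) < m.nb_master
ORDER BY missing DESC, u.login;

-- 2. The object_ids one impacted user (10000166, from the thread) has no
--    share key for, i.e. reference rows with no matching row for that user.
SELECT mk.object_id
FROM teampass_sharekeys_items mk
LEFT JOIN teampass_sharekeys_items uk
       ON uk.object_id = mk.object_id
      AND uk.user_id   = 10000166
WHERE mk.user_id = 9999997
  AND uk.object_id IS NULL
ORDER BY mk.object_id;

-- 3. A deleted-and-recreated account: TeamPass renames the old login to
--    <login>_deleted_<timestamp> (the thread shows user1_deleted_1760524478).
--    Show the new account beside the rows still held by the old id.
SELECT u.id,
       u.login,
       COALESCE(sk.nb_sharekeys, 0) AS nb_sharekeys
FROM teampass_users u
LEFT JOIN (SELECT user_id, COUNT(*) AS nb_sharekeys
           FROM teampass_sharekeys_items
           GROUP BY user_id) sk ON sk.user_id = u.id
WHERE u.login = 'user1'
   OR u.login LIKE 'user1\_deleted\_%'
ORDER BY u.id;
```

Query 1 is the one to re-run after the restore and after each impacted user regenerates their OTP: a user who has recovered should drop out of the result. Query 2 tells you whether the 9999997 rows themselves are complete, since the thread's restore only re-imports that user's rows; if objects created after the backup date are absent from 9999997 they will be absent from this list too, which is the gap raised above.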
@guerricv Good news 👍 Yes this could be one way to do this. The only drawback could be that some new keys created since 1st October have no share keys. I can work on a tool that could create the missing master share keys from a user that has them.
Cool - I will manage without the tool by finding the most recent backup share keys of user_id 9999997 and will communicate to my users about the newly added entries they could have made - that's manageable on my side. But the tool can be useful, a donor process in case of emergency.
@nilsteampassnet have you added the tool into 3.1.4.38? If I upgrade will it fix the issue, and the user will be able to see the passwords again?
No, the tool is not included. I need to find an elegant way to handle it and haven't yet found how.
OK, no problem. In the meantime, the keys appear to be there for the user's original account that was deleted. Could I copy them back over? If so, what would be the MySQL query to do this?
Edited to add:
Or if I delete the user again, and recreate them, will it now generate the keys as required and let them view passwords? And do we know the root cause as to why this suddenly stopped working for the user, can it happen again to other users?
Deleting the user and creating them again after upgrading to 3.1.4.38 didn't help, they still can't see any passwords. @nilsteampassnet is there something quick I can do at this end to get the user working again please?
Same problem here!
Please follow https://github.com/nilsteampassnet/TeamPass/issues/4883#issuecomment-3426880250 from @guerricv
I deleted the user and recreated them - can I just 'undelete' them? Will that just work?
@DaveWebb2 I'm not sure I understand 😅 How to undelete if recreated? And what is your idea in order to undelete?
I can't restore the keys from a backup as they won't exist, the user that suddenly lost all access was deleted and created again.
In the teampass_users table I can see user1_deleted_1760524478 (with keys in the teampass_sharekeys_items table) and user1 (without keys in the teampass_sharekeys_items table).
Can I, therefore, somehow restore the original user1_deleted_1760524478 user with their keys? If not I need a solution to enable the new user to see passwords as right now they can't see any.
Please follow #4883 (comment) from @guerricv
Backup restored, the user cannot see the passwords yet... then, generate new OTP, so Teampass removes all "teampass_sharekeys_items" of the user...
@ccolussi & @DaveWebb2 - I think you need to identify, from backup or from production, a user who has no issue accessing the items. Copy that user's share keys to the master key / id 9999997 and then regenerate the OTP for impacted users. They should get their keys back. @nilsteampassnet please tell me if I'm wrong, but it should work this way?
@nilsteampassnet are you able to confirm the above please? This has been broken for 2 weeks now, I need to get the user working.
Yes the proposal seems OK. Copy the entries from sharekeys_items related to user_id = 9999997
Great, thanks. To confirm the process:
- Take a backup of my production database in case I break anything.
- In the teampass_sharekeys_items table copy the share_key value for my user (because it works for me, I can see all the passwords) and use it to replace the value for the 9999997 user.
- As admin, regenerate the OTP for the one affected user.
What is the risk of changing the key value for 9999997? Could it break anything?
Also, why do I need to do this? What has actually gone wrong to stop the one user being able to see any passwords when nothing changed? Why doesn't regenerating the OTP work without me doing this?
@DaveWebb2 Test outside of production before applying.