We saw how managing users was an easy task using the frontend. But what if you have forgotten the password? What if some remote installation of Zabbix is administered by local staff, and the only Zabbix super admin has left for a month-long trip without a phone and nobody else knows the password? If you have access to the database, you can try to solve such problems. Let's find out what exactly Zabbix stores about users and how. In the MySQL console, execute this:
mysql> select * from users limit 2;
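This way, we are listing all data for two users at the most. Ending the statement with \G instead of a semicolon makes the MySQL client print each row vertically, which is easier to read for a table this wide:
mysql> select * from users limit 2 \G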
That's a lot of fields. We'd better find out what each of them means:
| Field | Usage |
|---|---|
| userid | Quite simple, it's a unique numeric ID. |
| alias | This is more commonly known as a username or login name. |
| name | This is the user's name, usually their given name. |
| surname | This surely can't be anything else but the surname. |
| passwd | The password hash is stored here. Zabbix stores MD5 hashes for authentication. |
| url | The after-login URL is stored in this field. |
| autologout | This shows whether auto-logout for this user is enabled. Non-zero values indicate timeout. |
| lang | This is the language for the frontend. |
| refresh | This is the page refresh in seconds. If zero, page refresh is disabled. |
| type | The number is linked to the type of user—user, admin, super admin, or guest. |
| theme | This is the frontend theme to use. |
| attempt_failed | This is how many consecutive failed login attempts there have been. |
| attempt_ip | This is the IP of the last failed login attempt. |
| attempt_clock | This is the time of the last failed login attempt. |
| rows_per_page | This is how many rows per page are displayed in long lists. |
As we can see, many of the fields are options that are accessible from the user profile or properties page, although some of these aren't directly available. We mentioned password resetting before; let's look at a simple method to do that. If passwords are stored as MD5 hashes, we must obtain those first. A common way to do that is the command-line utility md5sum. Passing some string to it will output the desired result, so we can try executing this:
$ echo "somepassword" | md5sum
531cee37d369e8db7b054040e7a943d3  -
The MD5 hash is printed, along with a minus sign, which denotes standard input. If we had run md5sum on a file, the filename would have been printed there instead.
Now, the problem is that if we try to use this string as a password hash, it'll fail. In this case, the hash is calculated on the passed string, including the newline at the end. For the correct version, we have to pass the -n flag to echo, which suppresses the trailing newline:
$ echo -n "somepassword" | md5sum
9c42a1346e333a770904b2a2b37fa7d3  -
Notice the huge difference in the resulting string. Great, now we only have to reset the password.
The following statement changes the Zabbix administrative user password. Don't perform this on a production system, except in an emergency situation:
mysql> update users set passwd='9c42a1346e333a770904b2a2b37fa7d3' where userid=1;
Query OK, 1 row affected (0.01 sec)
Rows matched: 1  Changed: 1  Warnings: 0
From here on, you should be able to log in to the Zabbix frontend as Admin/somepassword—try it out. Feel free to change the password back after that.
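The hash-and-reset steps above as a small shell helper, added here as an example and not part of the original text: it uses printf rather than echo -n, whose handling of -n and backslashes differs between shells, and can read the password from standard input so that it stays out of the shell history. The function names zbx_md5, zbx_md5_stdin and zbx_reset_sql are hypothetical.

```shell
#!/bin/sh
# Added example; not code from the original text. Function names are hypothetical.

# Hash exactly the bytes of $1. printf '%s' never appends a newline and does
# not interpret backslashes or a leading "-n", unlike echo in some shells.
zbx_md5() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Read one line from stdin (keeps the password out of argv and shell history),
# drop only the line terminator, and hash what remains. Also accepts input
# that has no trailing newline at all.
zbx_md5_stdin() {
    IFS= read -r _pw || [ -n "$_pw" ] || return 1
    zbx_md5 "$_pw"
}

# Print the UPDATE statement used in the text for a given alias and password.
# The alias is limited to a conservative character set so that quotes in the
# input cannot change the generated statement.
zbx_reset_sql() {
    case $1 in
        ''|*[!A-Za-z0-9_.@-]*) echo "refusing alias: $1" >&2; return 1 ;;
    esac
    _hash=$(zbx_md5 "$2") || return 1
    # Sanity check: the hash must be exactly 32 lowercase hex digits.
    case $_hash in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#_hash}" -eq 32 ] || return 1
    printf "update users set passwd='%s' where alias='%s';\n" "$_hash" "$1"
}
```

The printed statement can be reviewed and then pasted into the MySQL console; checking that the client reports exactly one matched row confirms that only the intended account was touched.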
There's actually an easier method available. MySQL has a built-in function for calculating MD5 hashes, so all of this trickery could be replaced with a simpler approach:
mysql> update users set passwd=MD5('somepassword') where alias='Admin';
We also mentioned making some user a Zabbix super admin. This change is fairly simple—all we have to do is change a single number:
mysql> update users set type=3 where alias='wannabe_admin';
And that's it—the wannabe_admin user will become a Zabbix super admin.