===============
== bacardi55 ==
===============
ἕν οἶδα ὅτι οὐδὲν οἶδα

Regaining access to my matrix admin account


I have a matrix account on my own server. There are only 3 local accounts on that server, but I'm the only admin. So after the data loss, I had to regain access to it on my own. Emails are disabled on my synapse instance (users don't have one), so the "forgot password" flow was not an option.

A few notes about my server context, as the steps may depend on your installation:

  • Debian server using matrix-synapse debian package
  • Configuration file is /etc/matrix-synapse/homelab.yaml with override within /etc/matrix-synapse/conf.d/
  • Postgres used as the database with a dedicated postgres user

Normally, to connect to your matrix account, you need 3 things:

  • username (I disabled email on my instance but that could be used instead depending on your configuration)
  • password (lost)
  • security key (lost) or validation via another device (I had one!)

Thanks to having my matrix account connected on my phone, I had another device. It would still have been possible to regain access without one, but in that case I would have lost access to previously encrypted messages. So if you are in this situation and still have a connected device, DO NOT log out before regaining full control :).

Having lost my password, I needed to change it. But I didn't have the synadm (synapse CLI) tool configured (lost that too…), so I couldn't use the CLI or the API directly. I thought it was the end, but as with nginxproxymanager, it turns out editing the database was the best/only option…

First, let's generate the new password hash. For that we use the hash_password tool, but it won't work by default without a configuration file:

bacardi55@neo:~$ hash_password
usage: hash_password [-h] [-p PASSWORD] -c CONFIG
hash_password: error: the following arguments are required: -c/--config

Ok, but what do we need in this configuration file? The documentation indicates:

A sample YAML file accepted by synapse_hash_password is described below: bcrypt_rounds: 17 password_config: pepper: "random hashing pepper" – https://manpages.debian.org/testing/matrix-synapse/synapse_hash_password.1.en.html

A bit cryptic, but it means you need a configuration file as follows (note the colon after password_config and that pepper is nested under it):

bcrypt_rounds: 17
password_config:
  pepper: "random hashing pepper"

That's cool, but how do we know the values for bcrypt_rounds and pepper? Well, they are part of your synapse configuration. If you haven't changed either of them, the default values are bcrypt_rounds: 12 and pepper: "EVEN_MORE_SECRET".

To find those values easily, I just used:

grep -rin "bcrypt" /etc/matrix-synapse/
grep -rin "pepper" /etc/matrix-synapse/

Be careful: if you see a result both in your main configuration file (homelab.yaml in my case) and in a file within the conf.d directory, use the latter, as it overrides the former.

We have the configuration file; now we can generate the new password hash with:

hash_password -c path/to/config

You will be asked for the password (and a confirmation), and as a result you will get a long password hash. I'm not going to show it here, so for the rest of the article let's assume my hash is <myHashedPassword>. Adjust the commands below accordingly.

So we have our hashed password; let's update the database. Connect to the database first:

su - postgres # connect as the postgres user
psql # start postgres interactive terminal

Once in the postgres terminal, connect to the synapse database:

\connect synapse

Then, just check that my user is in the users table:

select * from users where name = '@bacardi55:mtx.bacardi55.io';

Nota: the single quotes are important here! Replace the name with your own @username:server.tld of course. You should get exactly one result. If not, you may have other issues :P.

To update your user, just update the password_hash field in the users table. Still in the postgres terminal:

UPDATE users SET password_hash='<myHashedPassword>' WHERE name='@bacardi55:mtx.bacardi55.io';

Your password should now be updated. You can go to your web UI or any client application and log in.
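The steps above (resolving bcrypt_rounds and pepper with the conf.d override winning, building the hash_password config, hashing with the pepper, and the final UPDATE) as one worked Python example. This is an added example, not Synapse's code and not the author's: it assumes the hashing construction matches Synapse's (NFKC-normalise the password, append the pepper, bcrypt it), that the bcrypt package (a Synapse dependency) is installed, and the two sample config texts are constructed, not the author's files.

```python
"""Added example: check the effective pepper/rounds, the generated
hash_password config and the UPDATE before touching the live users table.
Not Synapse's own code; the hashing construction is assumed to match it."""
import json
import re
import unicodedata

try:
    import bcrypt
except ImportError:  # keep the config helpers usable without bcrypt
    bcrypt = None

# Defaults named in the post for when neither value is configured.
DEFAULT_BCRYPT_ROUNDS = 12
DEFAULT_PEPPER = "EVEN_MORE_SECRET"

# Constructed samples: the main file sets the rounds and only carries a
# commented-out pepper; a conf.d file sets the real pepper and must win.
SAMPLE_MAIN = """\
# homelab.yaml (constructed sample)
server_name: "example.test"
bcrypt_rounds: 14
password_config:
  enabled: true
  #pepper: "EVEN_MORE_SECRET"
"""
SAMPLE_CONF_D = """\
# conf.d/password.yaml (constructed sample)
password_config:
  pepper: "conf-d-wins"
"""

_ROUNDS_RE = re.compile(r"^\s*bcrypt_rounds:\s*(\d+)\s*$")
_PEPPER_RE = re.compile(r"^\s*pepper:\s*(.*?)\s*$")
_MXID_RE = re.compile(r"^@[^@:\s]+:\S+$")


def effective_password_config(config_texts):
    """Resolve (bcrypt_rounds, pepper) the way the post's grep does: main
    file first, then conf.d files, so a later file overrides an earlier one.
    Line-level extraction, not a YAML parser: commented lines are skipped
    and quotes around the pepper are stripped."""
    rounds, pepper = DEFAULT_BCRYPT_ROUNDS, DEFAULT_PEPPER
    for text in config_texts:
        for line in text.splitlines():
            if line.lstrip().startswith("#"):
                continue
            m = _ROUNDS_RE.match(line)
            if m:
                rounds = int(m.group(1))
                continue
            m = _PEPPER_RE.match(line)
            if m:
                value = m.group(1)
                if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                    value = value[1:-1]
                pepper = value
    return rounds, pepper


def hash_password_config(rounds, pepper):
    """Minimal file accepted by `hash_password -c`, with pepper correctly
    nested under password_config (json.dumps yields a valid YAML string)."""
    return f"bcrypt_rounds: {rounds}\npassword_config:\n  pepper: {json.dumps(pepper)}\n"


def bcrypt_available():
    return bcrypt is not None


def hash_with_pepper(password, pepper, rounds):
    """Assumed Synapse construction: NFKC-normalise, append pepper, bcrypt."""
    if bcrypt is None:
        raise RuntimeError("the bcrypt package is required for hashing")
    pw = unicodedata.normalize("NFKC", password)
    return bcrypt.hashpw(pw.encode("utf8") + pepper.encode("utf8"),
                         bcrypt.gensalt(rounds)).decode("ascii")


def check_with_pepper(password, pepper, stored_hash):
    """Verify against a stored hash; a wrong pepper fails too, which is
    why picking up the conf.d override matters."""
    if bcrypt is None:
        raise RuntimeError("the bcrypt package is required for checking")
    pw = unicodedata.normalize("NFKC", password)
    return bcrypt.checkpw(pw.encode("utf8") + pepper.encode("utf8"),
                          stored_hash.encode("ascii"))


def update_statement(mxid, hashed):
    """Parameterised form of the post's UPDATE (e.g. for psycopg2), rejecting
    an obviously malformed name or hash before the live table is touched."""
    if not _MXID_RE.match(mxid):
        raise ValueError(f"expected @localpart:server.tld, got {mxid!r}")
    if not hashed.startswith("$2"):
        raise ValueError("password_hash must be a bcrypt hash")
    return ("UPDATE users SET password_hash = %s WHERE name = %s;", (hashed, mxid))


if __name__ == "__main__":
    rounds, pepper = effective_password_config([SAMPLE_MAIN, SAMPLE_CONF_D])
    print(hash_password_config(rounds, pepper))
    if bcrypt_available():
        h = hash_with_pepper("new-password", pepper, rounds)
        assert check_with_pepper("new-password", pepper, h)
        print(update_statement("@bacardi55:mtx.bacardi55.io", h))
```

To run it against your own setup, pass the contents of homelab.yaml followed by each conf.d file to effective_password_config; a hash that verifies with the resolved pepper but not with the default one is the quickest confirmation that the override was picked up, and the same check is what a login against the live database will perform.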

If you have the luxury of still having a device connected, you can simply verify your new session from the other device. If not, you will need to fully reset the security key and lose all previously encrypted discussions.

As said, I was "lucky enough" to have my phone still connected, so I verified my session on my phone and was thus connected to my matrix account again!

There was still one thing to do: generate a new security key so that I could log in without verifying my session on my phone each time. To do so, using the element web UI at least, I had to go to my profile → Security and Privacy and click the red "reset" button. After that, you're asked whether you want to generate a new security key or enter a security phrase. I chose the former and saved it in my password store.

That's it, I now have access to my matrix account again! To be honest, I'm not even sure I'm going to keep this matrix server, but I still wanted to get my access back to a/ learn how to do so and b/ alert some contacts on matrix about the possible deletion so we can find a new "home" to chat. For now my account is still there :).

Contact

If you find any issue or have any question about this article, feel free to reach out to me via webmentions, email, mastodon, matrix or even IRC, see the About page for details.