Recovering a user's password via SSH

If the standard password recovery flow on the BeAdmin login page is unavailable, you can reset any user's password from the server console. The recover-password command generates a temporary password for the specified user — once logged in, this password must be replaced with a permanent one right away.

When to use

Reset the password from the terminal only when all three conditions are met at the same time:

• Password recovery via the login form is unavailable: either the panel does not show a reset button (no SMTP relay configured), or the reset emails are not being delivered.
• There are no other administrators in the panel who could reset the password through the interface — there is no one to ask for help.
• You have SSH access to the server where BeAdmin is installed — as root or as a user with sudo privileges.

If at least one of these conditions is not met — use the standard recovery options. The terminal-based reset is a last resort.

Step 1. Connect to the server via SSH

Connect to the server as root or as a user with sudo privileges:

ssh root@your_server_ip_address

If you are logging in as a regular user with sudo privileges, switch to root:

sudo -i

If you run into trouble with the SSH connection, see the dedicated article How to connect to a server via SSH?.

Step 2. Run the recovery command

Run the following in the server's terminal:

beadmin -config /etc/beadmin/beadmin.conf recover-password -user admin@local.host

Command parameters:

• -config /etc/beadmin/beadmin.conf — path to the panel's configuration file. The default is /etc/beadmin/beadmin.conf; change it only if you specified a custom path during the BeAdmin installation.
• -user admin@local.host — the email address of the user whose access you need to restore. Use the same address that this user signs in with.

⚠️ The -user flag is required

If you run beadmin … recover-password without -user, the command will not show a prompt and will not reset the password — instead, the panel will simply restart in normal mode without changing the password. Always pass -user explicitly.

💡 Tip

If you don't remember the user's email address, check which addresses were used during the installation or when adding users to the panel. The default is admin@local.host, but the address may have been overridden during the interactive or non-interactive installation.

Step 3. Save the temporary password

If everything went well, the terminal will print a temporary password:

A new one-time password has been created successfully.
Use the temporary credentials below to access the BeAdmin web interface:

  User: admin@local.host
  Password: WhdqCiWLIKps

This one-time password is valid for about 10 minutes.

After signing in, navigate to Settings and update your password to a permanent one.
Your original password will remain valid until you authenticate using the provided one-time password.

Copy the value from the Password line — you will need it in the next step.

⚠️ How the temporary password works

• The temporary password is valid for about 10 minutes from the moment it is created.
• Until you sign in with the temporary password for the first time, the old password keeps working — the temporary one is added on top of it rather than replacing it.
• On the first successful sign-in with the temporary password, it becomes the primary one and the old password is wiped. After that, open the profile section and set a new permanent password manually — the panel will not prompt you to do so.
• If you don't manage to sign in within 10 minutes, simply run recover-password again to get a new temporary password.

Step 4. Sign in to the panel and change the password

1. Open the BeAdmin panel in your browser (https://your_domain:8080 or https://server_ip:8080).
2. Enter the user's email address and the temporary password from the command output.
3. Right after signing in, open the profile section and set a new permanent password.

⚠️ Important

The temporary password is only meant for a one-off sign-in. Don't keep using it as your working password — be sure to change it as soon as you sign in to the panel.

Security

• Don't leave the temporary password in your command history. After using it, delete the matching line from your shell history file (~/.bash_history or ~/.zsh_history) or clear the terminal output.
• Don't share the temporary password over insecure channels. If you need to pass the password to another user, use a secure channel and ask them to change the password right after signing in.
• Access to the command equals full access to the panel. Anyone with root or sudo access on the server can reset the password of any BeAdmin user — regardless of their role. Restrict SSH access to the server.
• The panel does not log this command. The fact that recover-password was executed is not recorded anywhere inside BeAdmin — traces remain only at the server level (shell history, sshd logs). The only real control over password resets is the list of people with SSH access to the server.

Possible errors

Failed to recover password for user <email>: unknown user

There is no user with that address in the panel, or the command contains a typo. Double-check the address against the one the user is registered with in BeAdmin — it must match exactly, character for character.

No such file or directory for the configuration file

The path passed in -config does not exist. Check whether the standard config file is in place:

ls -l /etc/beadmin/beadmin.conf

If the file is in a different location, pass the correct path through the -config parameter.

Permission denied

The command needs read access to the configuration file and access to the panel's database. Run it as root or via sudo.

What's next

• To make password recovery available through the login form without SSH in the future, configure an SMTP relay. After that, password reset links will be delivered to your email.
• If you have lost both SSH access to the server and the administrator password at the same time, contact technical support or your hosting provider for help with regaining access to the server.