User accounts and Mail setup?

If you’re looking for some help, it’s important to provide as much context as possible so that people are able to assist you. Try to always mention:

  • What’s your URL? Internal Only no public access
  • What version of Ghost are you using? 2.35.0
  • What configuration? Default??? With Mysql
  • What browser? Chrome
  • What errors or information do you see in the console? N/A
  • What steps could someone else take to reproduce the issue you’re having? Install and try basic usage

Hi Everyone,

I’m new here and just set up my first Ghost install for testing. It’s an internal only site while I work on getting used to it. I’ve run into a few issues and could use some help if you have the time.

Issue #1: How can I manually unlock the owner’s account when it becomes locked? I tried poking around in the MySQL database and it looks like the account is “active”. Is there a way to change the brute force protection settings? Lockout duration and attempts?

Issue #2: How can I add users (authors and editors) manually? I don’t want to go through the hassle of e-mailing and verifying and all that stuff. I know all my staff and I’d prefer to just enter their info manually and then tell them what their password is verbally; they can then log in and change it as needed.

Issue #3: What’s the deal with e-mail setup? I have access to an SMTP server; can I use that instead of Mailgun? Can someone link me to the correct way to set up an SMTP connection? I tried editing the config.production.json according to but I have no idea what to put in for the “service”. I’m also having a hard time with the JSON stuff itself: I keep getting the message “Message: Config file is not valid JSON” when I copy and paste the example into the file. Can these settings be put into the admin GUI so JSON-illiterate people can use the mail features, please?

Thanks for looking, and thanks for making ghost!

1 Like
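The “Config file is not valid JSON” message from Issue #3 can be narrowed down to a line and column before Ghost is restarted. The following is an added example, not part of the original posts and not Ghost's own code; it assumes the pasted example picked up typographic quotes on the way, and the sample config is constructed for illustration.

```python
import json

# Typographic quotes that rich-text editors and web pages substitute for ASCII ones.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def find_json_problems(text):
    """Return [(line, column, message), ...]; an empty list means the text parses."""
    try:
        json.loads(text)
        return []
    except json.JSONDecodeError as exc:
        problems = [(exc.lineno, exc.colno, "parser stopped here: " + exc.msg)]
    # The parser reports only its first failure, so list every smart quote as well.
    # Split on "\n" only, which is how the json module counts lines.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in SMART_QUOTES:
                msg = "typographic quote %r, replace with %s" % (ch, SMART_QUOTES[ch])
                problems.append((lineno, col, msg))
    return problems


# Constructed sample: a mail block as it might look after being pasted from a
# web page, with curly quotes around one key. Values are placeholders.
PASTED = """{
  "mail": {
    "transport": "SMTP",
    "options": {
      \u201cservice\u201d: "Mailgun"
    }
  }
}"""

# The same constructed sample with the curly quotes retyped as ASCII quotes.
RETYPED = PASTED.translate(str.maketrans(SMART_QUOTES))

if __name__ == "__main__":
    for name, text in (("pasted", PASTED), ("retyped", RETYPED)):
        found = find_json_problems(text)
        print(name, "-> valid JSON" if not found else "")
        for line, col, msg in found:
            print("  line %d, column %d: %s" % (line, col, msg))
```
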

Well, the best solution I came up with for Issue #1 was to ghost cli uninstall and reinstall. This will be a big issue when the site has data on it, as this workaround removes everything.

My concern is that users see who authored/published the article, then try to log in as that person and lock the admin out of the site. The password has to be changed/reset via e-mail, which is not viable in my situation.

Issue #2: there was a neat workaround posted here. It looks promising, but again I keep messing up the JSON formatting and it doesn’t quite work. -UPDATE- I was not changing the date. The date must be close to the current time or you get an error. This user creation process works perfectly! Thanks @badrihippo

Issue #3 No progress yet.

I’ll update this if I get any better answers.


1 Like

For Issue #1, regarding changing the brute force protection settings:

I found the following info.

Also, this is a link to the documentation, but it’s very sparse.

Looks like the file to edit is located in here: ghost/current/core/server/config/

It’s called defaults.json. Look for the section that starts with “spam”: {

Any changes you make require a “ghost restart” from ghostcli to take effect.

As for actually unlocking a user when they trigger the spam prevention rules, I think I found the answer. Here are all the details I found along the way.

Looks like Ghost is using a middleware bruteforce protection called express-brute. The data is stored in the MySQL database with brute-knex in the “brute” table. There are 5 columns in the brute table: key, firstRequest, lastrequest, lifetime, count. Count is incremented by one every time you fail a login, but setting it to 0 doesn’t reset the “too many login attempts” message.

What worked for me was deleting the row in the DB where the count was increased. This unlocked the user. I’m a noob at this and this is most likely very unsafe; try it at your own risk.