cm
Explorer

Cannot change GAiA admin password via ansible/API

Hi,

I'm trying to automate initial configuration of GAiA gateways and I have an issue when trying to change the password for "admin", like this:


  - name: set admin user password hash
    check_point.gaia.cp_gaia_user:
      name: admin
      password_hash: $6$xxxxx
      must_change_password: False

When I try this, I get an error:

Checkpoint device returned error 400 with message {'code': 'err_validation_failed', 'errors': 'Cannot change this attribute of user admin', 'msg': 'Validation Error'}

This also happens when I use "password" instead of "password_hash", and it is limited to the "admin" user. I am accessing the API as a separate user "apiuser" because I thought maybe the password of the accessing user cannot be changed, but that's not the issue.

This is on R81.20 JHF89/API level 1.7

So, how do I change that password via the API and ansible?

Accepted Solutions
Jim_Oqvist
Employee

Hi,

It seems to be a bug in the Ansible collection.

It is possible to change the admin password using the set-user API call directly (https://sc1.checkpoint.com/documents/latest/GaiaAPIs/index.html#cli/set-user~v1.7).

It also seems like this is only triggered when trying to change the password of the user "admin"; if you create a new user, for example called test, it works as expected.

This is reproducible with this playbook: https://github.com/checkpointsw-devsec/chkp-api-examples/blob/master/Ansible/Gaia/cp_gaia_user.yml

I suggest you open an issue here: https://github.com/CheckPointSW/CheckPointAnsibleGAIACollection, or open a service request with TAC to get it solved.

Kind Regards

Jim

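The direct set-user call Jim refers to, as an added example that is not part of the original thread and not code from Check Point or the Ansible collection; it uses only the Python standard library. Assumed here, and to be checked against the linked set-user v1.7 reference: the endpoints live under https://<gateway>/gaia-api/v1.7/<command>, login takes user/password and returns a sid, the sid travels in an X-chkp-sid header, a logout command exists, and set-user takes the hyphenated keys name, password-hash and must-change-password (the underscored names of the Ansible module map onto these). Gateway name, API user and hash values are placeholders. Beyond the bare call, the hash is checked for the $6$ sha512-crypt shape before it is sent, so a mangled vault variable does not leave the admin account behind an unusable hash, and the session is always logged out.

```python
"""Change a Gaia user's password hash via the Gaia REST API (set-user) directly.

Added example for this thread, not Check Point's code and not the Ansible
collection's. Endpoint layout, header name and body keys are assumptions taken
from the API naming convention; verify them against the set-user v1.7 reference.
"""
import json
import os
import re
import ssl
import urllib.request

API_VERSION = "v1.7"  # API level stated in the thread

# sha512-crypt layout: $6$[rounds=N$]<salt up to 16 chars>$<86-char digest>
SHA512_CRYPT_RE = re.compile(
    r"^\$6\$(rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$"
)


def is_sha512_crypt(password_hash: str) -> bool:
    """True only for a well-formed $6$ string; '$6$xxxxx' style placeholders fail."""
    return bool(SHA512_CRYPT_RE.match(password_hash))


def api_url(gateway: str, command: str) -> str:
    """Assumed URL layout: https://<gateway>/gaia-api/<version>/<command>."""
    return f"https://{gateway}/gaia-api/{API_VERSION}/{command}"


def login_body(user: str, password: str) -> dict:
    """Assumed login payload; the API user here is NOT the account being changed."""
    return {"user": user, "password": password}


def set_user_body(name: str, password_hash: str, must_change_password: bool) -> dict:
    """Assumed set-user payload with hyphenated keys; refuse a malformed hash up front."""
    if not is_sha512_crypt(password_hash):
        raise ValueError("password-hash must be a sha512-crypt ($6$...) string")
    return {
        "name": name,
        "password-hash": password_hash,
        "must-change-password": must_change_password,
    }


def post_json(url: str, body: dict, sid: str = None, ca_file: str = None) -> dict:
    """POST a JSON body and return the decoded reply (network call, not exercised in tests).

    ca_file: PEM bundle that signs the gateway's portal certificate, so the call
    verifies TLS instead of disabling verification.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid  # assumed session header name
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST"
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode())


def set_admin_password_hash(gateway, api_user, api_password, new_hash, ca_file=None):
    """Log in as the API user, set admin's hash, and log out even on failure."""
    sid = post_json(api_url(gateway, "login"), login_body(api_user, api_password),
                    ca_file=ca_file)["sid"]
    try:
        return post_json(api_url(gateway, "set-user"),
                         set_user_body("admin", new_hash, False),
                         sid=sid, ca_file=ca_file)
    finally:
        post_json(api_url(gateway, "logout"), {}, sid=sid, ca_file=ca_file)


if __name__ == "__main__":
    # Hypothetical environment variables; the hash should come from a vault, not a file in git.
    result = set_admin_password_hash(
        os.environ["GAIA_GATEWAY"],
        os.environ["GAIA_API_USER"],
        os.environ["GAIA_API_PASSWORD"],
        os.environ["GAIA_ADMIN_HASH"],
        ca_file=os.environ.get("GAIA_CA_FILE"),
    )
    print(json.dumps(result, indent=2))
```

Because the raw reply is returned, a 400 like the one in the thread surfaces as an HTTPError with the error body instead of an opaque module failure, which is useful when deciding whether the API itself or only the collection refuses the change. Keep the hash in a vault-protected variable; the collection marks password_hash as no_log for the same reason, as the VALUE_SPECIFIED_IN_NO_LOG_PARAMETER lines in the playbook output show.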
11 Replies
the_rock
Legend

Is this management or gateway?

Andy

the_rock
Legend

cm
Explorer

That's on the gateway, so using the GAiA API, not the mgmt API...

the_rock
Legend

cm
Explorer

I don't think so. That's just the management API as called from clish, not the GAiA API which is a different beast. The link you posted affects the user objects in the SMC, not the GAiA users...

the_rock
Legend

PhoneBoy
Admin

Just to confirm, you can change other users' passwords using this playbook, but not the admin user?

Jim_Oqvist
Employee

Hi PhoneBoy,

Yes, that is correct. The error message is only presented when you try to change the user "admin"; see below the result using this playbook: https://github.com/checkpointsw-devsec/chkp-api-examples/blob/master/Ansible/Gaia/cp_gaia_user.yml

TASK [Set password for the test user] ***************************************************************************************************************************************************************************************************************************************
changed: [192.168.233.51] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "allow_access_using": [
                "CLI",
                "Web-UI"
            ],
            "homedir": null,
            "must_change_password": null,
            "name": "test",
            "password": null,
            "password_hash": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "primary_system_group_id": 100,
            "real_name": "test user",
            "roles": null,
            "secondary_system_groups": null,
            "shell": "cli",
            "state": "present",
            "uid": null,
            "unlock": null
        }
    },
    "user": {
        "allow_access_using": [],
        "homedir": "/home/test",
        "locked": "",
        "must_change_password": "",
        "name": "test",
        "primary_system_group_id": 100,
        "real_name": "test user",
        "requires_two_factor_authentication": false,
        "roles": [],
        "secondary_system_groups": [],
        "shell": "cli",
        "uid": 0
    }
}

TASK [print test user settings] *********************************************************************************************************************************************************************************************************************************************
ok: [192.168.233.51] => {
    "msg": {
        "changed": true,
        "failed": false,
        "user": {
            "allow_access_using": [],
            "homedir": "/home/test",
            "locked": "",
            "must_change_password": "",
            "name": "test",
            "primary_system_group_id": 100,
            "real_name": "test user",
            "requires_two_factor_authentication": false,
            "roles": [],
            "secondary_system_groups": [],
            "shell": "cli",
            "uid": 0
        },
        "warnings": [
            "Module did not set no_log for must_change_password"
        ]
    }
}

TASK [Set password for the admin user] **************************************************************************************************************************************************************************************************************************************
fatal: [192.168.233.51]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "allow_access_using": [
                "CLI",
                "Web-UI"
            ],
            "homedir": null,
            "must_change_password": null,
            "name": "admin",
            "password": null,
            "password_hash": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "primary_system_group_id": 100,
            "real_name": null,
            "roles": null,
            "secondary_system_groups": null,
            "shell": "cli",
            "state": "present",
            "uid": null,
            "unlock": null
        }
    },
    "msg": "Checkpoint device returned error 400 with message {'code': 'err_validation_failed', 'errors': 'Cannot change this attribute of user admin', 'msg': 'Validation Error'}"
}
PLAY RECAP ******************************************************************************************************************************************************************************************************************************************************************
192.168.233.51             : ok=5    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0 

cm
Explorer

Thanks for confirming that the problem is not on my side. I'll proceed with a TAC case...

Jim_Oqvist
Employee

Hi,

I have informed the relevant R&D owner and have also reported this as an issue on GitHub here:

There is a bug in the ansible module: cp_gaia_user - Failing to change password-hash of user with na... 
