dehaasm
Collaborator
CloudGuard VMSS CME template users

In Azure we have a CloudGuard deployment and want to add users in the CME template script (with clish commands) by using the password hash (we don't want to store the user password). However, this only works for one firewall and not the other, because the hash would be different.

So the question here is: how can we add additional Gaia users on the gateway by using the CME template? How is this done for the admin user?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin

You can reuse the same password hash on multiple systems.
The reason the hash is "different" is because more than just the password is hashed.
Even on the same system, you'll get a different hash each time you generate a password hash for the same password.
To convince yourself, execute the command openssl passwd -5 on a Linux box multiple times using the same password.
On a Check Point gateway, as I've done here, use cpopenssl, which I did with the password test123.

[Expert@R8120EA:0]# cpopenssl passwd -5
Password:
Verifying - Password:
$5$NOCYPoIs35vzngoY$UYKXWMq0EoXk5SEU3FJJAXsIzfvzFD.ZJjihQdd6Xq9
[Expert@R8120EA:0]# cpopenssl passwd -5
Password:
Verifying - Password:
$5$yW/om1hsiAR0EwHF$5RISQSuV63Gm9TDur3J8n/NOuadCFEEA4SYvaHrSegD
[Expert@R8120EA:0]#


Notice in both cases, the hashes are different.
You'll get a different hash each time you do it as well.
However, all of the hashes will work.


3 Replies

dehaasm
Collaborator

Hi, OK, but can you also configure the user password by using clish with the same hash? I don't think so. Within the CME template we use a boot-up script which is executed by API on the gateways. We don't like to store user passwords in the script but prefer to use a hash. We have the same problem with the expert password and additional users, which all use hashes. Yesterday we performed scale-in and scale-out again, and again had issues with user passwords and needed to manually adjust them in Gaia.

We use the command clish -c "set user gaiauser password-hash ..." to configure the users in the script. According to this article there is a random salt for encoding/decoding hashes on each system, hence I believe this could not work across systems; that would also be a vulnerability, or am I wrong?

We could solve this by putting the user's password in the script, but we prefer not to do that. The only thing I don't understand is how the admin user and password are created, because that one always works and is not in the script.

https://security.stackexchange.com/questions/77349/how-can-i-find-out-the-password-hashing-schemes-u...

0 Kudos
PhoneBoy
Admin
Admin

Unless you are doing a "save config" at the end, any changes you make via clish will not be persistent.
Perhaps you can issue a "save config" as a separate clish -c call and it will work, but I'm not sure.

The random salt doesn't impact the ability to reuse the hash on different systems.

0 Kudos
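
The point made in the accepted solution and in the last reply (the salt is random, but it does not tie the hash to one system) is easiest to see by looking at what a `$5$` string actually contains. The block below is an added example written for this thread, not Check Point, Gaia or CME code: it is a from-scratch implementation of the sha256-crypt scheme (the `$5$` format that `openssl passwd -5` and the `cpopenssl` output above produce, per Ulrich Drepper's SHA-crypt specification), plus a verifier that reads the salt back out of the stored string. The two hashes PhoneBoy pasted are embedded as sample data; the `Hello world!`/`saltstring` vector is the published test vector from the specification. Helper names (`sha256_crypt`, `verify`, `portability_check`) are this example's own.

```python
"""sha256-crypt ($5$) from scratch: the salt lives inside the hash string,
so a hash made on one box verifies on any other box that speaks $5$.
Added example for this thread; not Check Point/Gaia code."""
import hashlib
import hmac
import secrets

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_DEFAULT_ROUNDS = 5000


def _fill(digest: bytes, length: int) -> bytes:
    """Repeat a 32-byte digest to cover `length` bytes (spec steps 10 and 12)."""
    full, rem = divmod(length, 32)
    return digest * full + digest[:rem]


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt(3)-style base64: n characters of 6 bits each, low bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha256_crypt_digest(password: bytes, salt: bytes, rounds: int = _DEFAULT_ROUNDS) -> str:
    """Return the 43-character encoded digest for password/salt/rounds."""
    salt = salt[:16]                       # the spec caps the salt at 16 bytes
    sha = hashlib.sha256
    b = sha(password + salt + password).digest()
    a = sha(password + salt)
    a.update(_fill(b, len(password)))
    n = len(password)
    while n > 0:                           # walk the bits of len(password)
        a.update(b if n & 1 else password)
        n >>= 1
    a = a.digest()
    p = _fill(sha(password * len(password)).digest(), len(password))
    s = _fill(sha(salt * (16 + a[0])).digest(), len(salt))
    c = a
    for i in range(rounds):                # the slow part: 5000 rounds by default
        ctx = sha()
        ctx.update(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    order = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
             (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
    enc = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in order)
    return enc + _b64_from_24bit(0, c[31], c[30], 3)


def sha256_crypt(password: bytes, salt: bytes, rounds: int = _DEFAULT_ROUNDS) -> str:
    """Full "$5$[rounds=N$]salt$digest" string, the shape openssl passwd -5 prints."""
    prefix = "$5$" if rounds == _DEFAULT_ROUNDS else f"$5$rounds={rounds}$"
    return prefix + salt[:16].decode() + "$" + sha256_crypt_digest(password, salt, rounds)


def parse_sha256_crypt(hashed: str):
    """Split a $5$ string into (rounds, salt, digest): the salt travels with the hash."""
    parts = hashed.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] != "5":
        raise ValueError("not a $5$ (sha256-crypt) hash")
    rounds, idx = _DEFAULT_ROUNDS, 2
    if parts[idx].startswith("rounds="):
        rounds = int(parts[idx][len("rounds="):])
        idx += 1
    return rounds, parts[idx], parts[idx + 1]


def verify(password: bytes, hashed: str) -> bool:
    """Recompute with the salt and rounds stored in the hash; constant-time compare."""
    rounds, salt, digest = parse_sha256_crypt(hashed)
    return hmac.compare_digest(sha256_crypt_digest(password, salt.encode(), rounds), digest)


def new_salt(length: int = 16) -> bytes:
    """Fresh random salt from the crypt alphabet, as openssl passwd generates."""
    return "".join(secrets.choice(_B64) for _ in range(length)).encode()


def portability_check(password: bytes, count: int = 3) -> dict:
    """Same password, `count` fresh salts: every string differs, every one verifies."""
    hashes = [sha256_crypt(password, new_salt()) for _ in range(count)]
    return {
        "all_distinct": len(set(hashes)) == count,
        "all_verify": all(verify(password, h) for h in hashes),
        "wrong_password_rejected": not any(verify(password + b"!", h) for h in hashes),
    }


# Sample data from the thread: the two hashes PhoneBoy pasted, which the post says encode test123.
PAGE_HASHES = [
    "$5$NOCYPoIs35vzngoY$UYKXWMq0EoXk5SEU3FJJAXsIzfvzFD.ZJjihQdd6Xq9",
    "$5$yW/om1hsiAR0EwHF$5RISQSuV63Gm9TDur3J8n/NOuadCFEEA4SYvaHrSegD",
]

if __name__ == "__main__":
    for h in PAGE_HASHES:
        rounds, salt, _ = parse_sha256_crypt(h)
        print(f"salt={salt!r} rounds={rounds} verifies test123: {verify(b'test123', h)}")
    print(portability_check(b"test123"))
```

What `parse_sha256_crypt` shows is the whole answer to the salt worry: the 16 characters between the second and third `$` are the salt, so a system verifying the password reads it from the stored string rather than from anything machine-specific. That is why one `cpopenssl passwd -5` output can be pasted into the template once and used on every gateway the scale set creates; what differs between systems is only which hash you happened to generate, not whether it verifies. The remaining persistence point from the thread still applies: whatever `clish -c` sets has to be followed by a `save config` or it does not survive.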
