Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Password hashes, sha512 and the expert password

 

When installing a Check Point 80.40 it sets the default password hash algorithm to MD5.

I want to change it to SHA512 and do that via the clish command line with this command: 

firewall> set password-controls password-hash-type SHA512

Then I can set the admin password hash with the new "standard" hash algorithm to the same password as i had before:

firewall> set user admin password
New password: ***************
Verify new password: ***************

TIP: To be allowed to set the same password as you had before you might need to run this first (Just remember to turn that one on again after the change to ensure passwords are not reused if you need that for compliance reasons): 
set password-controls history-checking false

I can alternatively set the password using the hash instead:

firewall> set user admin password-hash $6$rounds=10000$RoVKjytn$rz.nZFj2dkCX9381mfYiWiGbpp5R35XCAPIBo5.UVN/lUEwEsJ/oWRMXwVFPwufEYW4xJDd4ZZ9nkFVcrDQi..

TIP Also remember to run " save config "

My question is:

But how do I set the expert password with a hash ( so I can script / automate my installations ) ? 

firewall> set expert-password-hash $6$rounds=10000$RoVKjytn$rz.nZFj2dkCX9381mfYiWiGbpp5R35XCAPIBo5.UVN/lUEwEsJ/oWRMXwVFPwufEYW4xJDd4ZZ9nkFVcrDQi..
GAIA9999 Invalid Salted Hash

I also did not figure out where the expert encrypted password is stored - do any one here know how to retrieve it ?

Link to SK for changing password hashing algorithm ( for gaia OS 😞

# https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

TIP: The encrypted password for the users are stored in the local file called /etc/shadow

If you cat that file or run "grep admin /etc/shadow | cut -d: -f-2" from the expert command line, then you can see what type of encryption/hashing algorithm the users password starts with a $ sign and a number

Running the command dbget passwd:admin:passwd could also be used to show a users hashed password ( in this example the admin user) 

Look for if it starts with $1, $5 or $6 - it will tell you what encryption or hashing algorithm they were created with.

# ID | Method
# ───────────────────────────────────────────────
# $1 | MD5
# $2 | (2a) Blowfish (not in mainline glibc; added in some Linux distributions)
# $5 | SHA-256 (since glibc 2.7)
# $6 | SHA-512 (since glibc 2.7)
# ───────────────────────────────────────────────

Best regards 

Keld Norman

 

5 Replies
Highlighted

Hi, 

You can find the hashed password for users in /etc/shadow .

0 Kudos
Highlighted
Ivory

It would seem that if you activate SHA256 it breaks.

If you activate SHA512 every command works as expected.

 

Think Checkpoint will need to revisit the feature who generates SHA256 hash.

0 Kudos
Highlighted
Admin
Admin

That might be worth a TAC case since I believe sha256 should work (or it did pre-R80.40).
0 Kudos
Highlighted
Ivory

It still works in R80.20 but after that it looks like trouble.

0 Kudos
Highlighted

You said "I also did not figure out where the expert encrypted password is stored - do any one here know how to retrieve it?"

-> It is stored in the Gaia configuration database (/config/initial (plain-text) and /config/initial_db (SQLite v3)). You can retrieve it from expert shell with

dbget expertpwd:PWD

0 Kudos