How to recover Gaia Admin password on VMware
Today we ran into a situation where we needed to recover the Gaia Admin password of a Logserver which was hosted on VMware. Therefore we could not use the procedure to create an EmergenDisk USB flash drive from sk92663. The problem is that we cannot boot from USB when using a VMware guest. We've also ignored sk106490 as this was not a Security Gateway.
We've used Google to find some answers on this particular subject. We found a few possible answers (here and here) with instructions that did not completely work on a lab machine (running on R80.10). Furthermore, we liked the idea of fixing this nicely in the Gaia configuration database instead of manually editing OS files like /etc/passwd or /etc/shadow.
So we used the best of the aforementioned sites and successfully reset the admin password with this procedure on R80.10:
1. Configure the Check Point VM to use a recent Ubuntu Desktop ISO and boot from CD-ROM. Select Try Ubuntu so you will have a Live environment without installing Ubuntu.
2. Open the Terminal application.
3. Enter the following command: sudo su -
4. Create a mounting point: mkdir /mnt/cp
5. Mount the Gaia filesystem: mount /dev/mapper/vg_splat-lv_current /mnt/cp
6. Change the root directory to the Gaia root: chroot /mnt/cp
7. Back up the current Gaia configuration database: cp /config/db/initial_db /config/db/initial_db_backup
8. Connect to the Gaia configuration database: sqlite3 /config/db/initial_db
9. Query the database using SQLite to locate the current admin password. The last line is the current password hash:
   SELECT * FROM revisions WHERE binding='passwd:admin:passwd';
10. Update the database using SQLite to change the password to 'admin'. Replace the text old-pw-hash below with the last hash from step 9:
   UPDATE revisions SET value='$1$zIVyrIdj$1LBW7Pg6XOcXYIgFPTppY.' WHERE binding='passwd:admin:passwd' AND value='old-pw-hash';
11. Exit SQLite by entering the following command: .exit
12. Exit chroot and go back to Ubuntu: exit
13. Unmount the Gaia filesystem: umount /mnt/cp
14. Reboot the Check Point VM by entering: reboot
15. Log in to the console, SSH or Gaia Portal using user admin and password admin.
16. When in CLISH or Gaia Portal, don't forget to change the password for user admin (and document it!)
Thanks to the original authors from whose work these instructions are combined.
Also posted to my blog: How to recover Gaia Admin password on VMware – checkpointengineer
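Added example, not part of the original post: steps 7 and 10 as a parameterised update that changes exactly one row or rolls back, plus a check that the published 'admin' hash is gone once the password has been changed afterwards. Only the revisions table and its binding and value columns come from the page; the sample database and the hashes marked constructed are assumptions.

```python
import shutil
import sqlite3

BINDING = "passwd:admin:passwd"
# Hash the procedure above publishes for the password 'admin'.
PUBLISHED_HASH = "$1$zIVyrIdj$1LBW7Pg6XOcXYIgFPTppY."


def build_sample_db(path, current_hash):
    """Constructed stand-in for initial_db: only 'binding' and 'value' come
    from the page; the real table has more columns."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE revisions (binding TEXT, value TEXT)")
    con.executemany("INSERT INTO revisions VALUES (?, ?)", [
        (BINDING, ""),                      # empty-valued row (constructed)
        (BINDING, "$1$constructed$older"),  # earlier hash (constructed)
        (BINDING, current_hash),            # current hash
    ])
    con.commit()
    con.close()


def replace_hash(db_path, old_hash, new_hash):
    """Steps 7 and 10: back up, then change exactly one row or nothing."""
    shutil.copy2(db_path, db_path + "_backup")
    con = sqlite3.connect(db_path)
    try:
        changed = con.execute(
            "UPDATE revisions SET value = ? WHERE binding = ? AND value = ?",
            (new_hash, BINDING, old_hash)).rowcount
        if changed == 1:
            con.commit()
        else:
            con.rollback()  # typo in old_hash, or more than one row matched
        return changed
    finally:
        con.close()


def published_hash_rows(db_path):
    """Count admin rows still holding the published hash (should be 0)."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute(
            "SELECT COUNT(*) FROM revisions WHERE binding = ? AND value = ?",
            (BINDING, PUBLISHED_HASH)).fetchone()[0]
    finally:
        con.close()
```

A non-zero result from published_hash_rows on a copy of the configuration database means step 16 was skipped and the account still accepts the publicly known password.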
If the system has a valid SIC, there is another easy way to do this from the management server; see SK106490. This method does not only work for the password, but in principle you can run any command on the gateway from an expert level.
Hi Rick. It does; as long as SIC is established it will work.
Oh, this SK should be updated anyway. Indeed, as long as SIC is available you should be able to send commands this way; this even works fine for sending commands to the pesky embedded boxes.
But certainly when you do not have SIC this will be easier sometimes than re-imaging the VW.
This method works. I performed it on two Check Point VMs running r80.M20 using the Ubuntu extended support release (18.04.1 L).
Great to hear the article helped you.
Hi Rick, just a quick question. I tried it, but it didn't work. I think my issue is on step 10; the first hash here:
UPDATE revisions SET value='$1$zIVyrIdj$1LBW7Pg6XOcXYIgFPTppY.' WHERE binding='passwd:admin:passwd' AND value='old-pw-hash';
Should it be exactly the same? Also, the old-pw-hash is the last one, right? Because I got 3 of them while doing the query.
Thanks!!
Hi Daniel,
Yes, the first hash value in the UPDATE statement should be exactly the same. You only need to replace old-pw-hash with the last one you see in step 9. According to my information you should see all previous password hashes too and the last one is the current one which would normally also be visible in /etc/shadow.
Since you performed step 10: when you now perform step 9 again, do you see the same hash ($1$zIVyrIdj$1LBW7Pg6XOcXYIgFPTppY.) from step 10 listed as last in the output of the query?
Hi Rick,
Thanks for your help. It does change and I'm able to see the hash that's stated there in the update statement, but when I type in admin, admin it does not work. For old-pw-hash I used the last of the 3 displayed hashes.
I know it does the change because I'm able to see it, but unfortunately the login still does not work. Does /etc/shadow display the current password?
Thanks for your help.
Regards,
Daniel
Hi Rick
Which Ubuntu Desktop ISO version did you use?
Thank you
Sarm
Hi Rick
I'm getting stuck at step 1, regarding "Configure the Check Point VM to use a recent Ubuntu Desktop ISO and boot from CD-ROM. Select Try Ubuntu so you will have a Live environment without installing Ubuntu."
At this point, should I change from Check Point ISO to Ubuntu Desktop ISO, or just create a new CD/DVD drive and add Ubuntu ISO to it?
The repair option on CentOS automatically found and mounted the partition for me, but I had to use chroot due to a SQLite error locating a library file.
And, instead of using some other password hash, I set it blank. There's a risk in leaving the admin account with no password, but changing it immediately after it reboots makes that pretty minimal. (And using the VMware console, I couldn't paste!!!)
[Expert@fwmgmt:0]# sqlite3 initial_db
SQLite version 3.7.14
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> SELECT * from revisions WHERE binding="passwd:admin:passwd";
passwd:admin:passwd|0|||||2019-05-14 14:37:14|1
passwd:admin:passwd|1|**PASSWORD**HASH**||||2019-05-14 14:37:14|0
sqlite> UPDATE revisions SET value="" WHERE binding="passwd:admin:passwd" AND VALUE='**PASSWORD**HASH**';
sqlite> SELECT * from revisions WHERE binding="passwd:admin:passwd";
passwd:admin:passwd|0|||||2019-05-14 14:37:14|1
passwd:admin:passwd|1|||||2019-05-14 14:37:14|0
I was also wondering how to enter the Ubuntu live environment. Any advice?
