This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Bhavik_Joshi
Explorer
‎2019-06-26 09:59 PM

Forgot admin password in CLI

Support,

We reset the admin password, but somehow we forgot the password. Now we need to change the admin CLI passwork for Management Server. 

Please Help.

Chetan D. Lad

18 Replies
PhoneBoy
Admin
Admin
‎2019-06-27 03:56 PM

In R77.x and earlier, you can do this with EmergenDisk: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

The SK has conflicting information about R80, but if you can still log into SmartConsole, it's possible to reset the admin password for the OS without EmergenDisk.
Here's the process:

  1. Generate the password hash you need using the following command on a Linux system: openssl passwd -1 mypassword (Note: if on a Check Point appliance, use cpopenssl instead)
  2. In SmartConsole, right-click on the management object and select Scripts > One-Time Script
  3. Type the following into the script field and click Run: clish -c 'set user admin password-hash mypasswordhash' (Note be sure to use single quotes here and replace mypasswordhash with the hash from step 1).

Screen Shot 2019-06-27 at 3.47.49 PM.png

 

Mike_A
Advisor
‎2019-07-01 07:39 AM
In response to PhoneBoy

I have found success in the past using cprid_util (sk106490) to change the password when below R80.x. As Dameon mentions, the Script Repository is great for this now.

 

Below are the steps I had used in the past. 

 

1.) /sbin/grub-md5-crypt

a.) Enter Password 2x Times

b.) Copy Hash displayed on screen

 

2.) $CPDIR/bin/cprid_util -server 10.0.0.x -verbose rexec -rcmd /bin/clish -s -c 'show users'

 

3.) $CPDIR/bin/cprid_util -server 10.0.0.x -verbose rexec -rcmd /bin/clish -s -c 'set user <USERNAME> password-hash <HASHED PASSWORD FROM STEP #1>'

 

4.) $CPDIR/bin/cprid_util -server 10.0.0.x -verbose rexec -rcmd /bin/clish -s -c 'save config'

0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-01 07:47 AM
In response to Mike_A

Note than in both cases, cprid is the underlying mechanism being used.
And yeah, I did forget the "save config" as part of this 😁
0 Kudos
HeikoAnkenbrand
Champion
Champion
‎2019-07-01 11:58 AM
In response to Mike_A

@Mike_A 

With the cprid_util it is only possible to reset the gateway GAIA password from the management server. I am use this script to execute remote commands.

More see here:

GAIA Easy execute CLI commands from management on gateways

How to remotely reset Admin / Expert password on a Security Gateway from a Security Management Serve...


To reset the management server password see this sk:

R77.30: Reset the Gaia Admin and Expert passwords using EmergenDisk USB flash drive

R80.10+ with a user with adminRule: How to reset the Expert mode password in Gaia OS

R80.10+ with SmartConsole  connection (steps from @PhoneBoy😞

1) Generate the password hash on a Check Point Appliance  in expert mode:
# cpopenssl passwd -1 mypassword
2) On SmartConsole under management object -> select scripts -> One-Time Script
3) Run the Script:
clish -c 'set user admin password-hash mypasswordhash


If anything doesn't help, open a TAC ticket.

 

 

 

HeikoAnkenbrand
Champion
Champion
‎2019-07-01 12:44 PM
In response to HeikoAnkenbrand

Or a solution without Check Point support for VMWare and Hardware without RAID controller:

Attention, you can also destroy your system with this steps.

Should also work on an appliance or OpenServer without a RAID controller. I tried it with an appliance in the LAB.

So I used the best of aforementioned sites and successfully reset the admin password with this procedure on R80.10:

a) Configure the Check Point VM to use a recent Ubuntu/Debian Desktop ISO and boot from CD-ROM. Select Try Ubuntu so you will have a Live environment without installing Ubuntu.
b) Open the Terminal application.
c) Enter the following command: sudo su –
d) Create a mounting point: mkdir /mnt/cp
e) Mount the Gaia filesystem: mount /dev/mapper/vg_splat-lv_current /mnt/cp
f) Change the root directory to the Gaia root: chroot /mnt/cp
g) Backup the current Gaia configuration database: cp /config/db/initial_db /config/db/initial_db_backup
h) Connect to the Gaia configuration database: sqlite3 /config/db/initial_db
i) Query the database using SQLite to locate the current admin password. The last line is the current password hash:SELECT * from revisions WHERE binding=”passwd:admin:passwd”;
j) Update the database using SQLite to change the password to ‘admin’. Replace the text old-pw-hash below with the last hash from step i):UPDATE revisions SET value=”$1$zIVyrIdj$1LBW7Pg6XOcXYIgFPTppY.” WHERE binding=”passwd:admin:passwd” AND VALUE=’old-pw-hash‘;
k) Exit SQLite by entering the following command: .exit
l) Exit chroot and go back to Ubuntu/Debian: exit
m) Unmount the Gaia filesystem: umount /mnt/cp
n) Reboot the Check Point VM by entering: reboot
o) Login to the console, SSH or Gaia Portal using user admin and password admin.
p) When in CLISH or Gaia Portal don’t forget to change the password for user admin (and document it!)

 

 

 

HeikoAnkenbrand
Champion
Champion
‎2019-07-01 01:21 PM
In response to HeikoAnkenbrand

Plan B with a migrate export:-)

1) Install a new managment server with the same IP.

2) Open a CLISH per ssh (do not close this session)

3) Open a second connection in expert mode and start a migrate import.

4) After the migrate import change to the CLISH session and change the admin password.

5) Now save the settings "save configuration"

 

That's all I can think of:-)

Navid_Qazi
Explorer
‎2019-07-01 11:23 PM
In response to HeikoAnkenbrand

This way works fine😀.

0 Kudos
Eduardo_Santos
Participant
‎2021-05-03 04:12 PM
In response to HeikoAnkenbrand

@HeikoAnkenbrand wrote:

Or a solution without Check Point support for VMWare and Hardware without RAID controller:

Attention, you can also destroy your system with this steps.

Should also work on an appliance or OpenServer without a RAID controller. I tried it with an appliance in the LAB.

So I used the best of aforementioned sites and successfully reset the admin password with this procedure on R80.10:

a) Configure the Check Point VM to use a recent Ubuntu/Debian Desktop ISO and boot from CD-ROM. Select Try Ubuntu so you will have a Live environment without installing Ubuntu.
b) Open the Terminal application.
c) Enter the following command: sudo su –
d) Create a mounting point: mkdir /mnt/cp
e) Mount the Gaia filesystem: mount /dev/mapper/vg_splat-lv_current /mnt/cp
f) Change the root directory to the Gaia root: chroot /mnt/cp
g) Backup the current Gaia configuration database: cp /config/db/initial_db /config/db/initial_db_backup
h) Connect to the Gaia configuration database: sqlite3 /config/db/initial_db
i) Query the database using SQLite to locate the current admin password. The last line is the current password hash:SELECT * from revisions WHERE binding=”passwd:admin:passwd”;
j) Update the database using SQLite to change the password to ‘admin’. Replace the text old-pw-hash below with the last hash from step i):UPDATE revisions SET value=”$1$zIVyrIdj$1LBW7Pg6XOcXYIgFPTppY.” WHERE binding=”passwd:admin:passwd” AND VALUE=’old-pw-hash‘;
k) Exit SQLite by entering the following command: .exit
l) Exit chroot and go back to Ubuntu/Debian: exit
m) Unmount the Gaia filesystem: umount /mnt/cp
n) Reboot the Check Point VM by entering: reboot
o) Login to the console, SSH or Gaia Portal using user admin and password admin.
p) When in CLISH or Gaia Portal don’t forget to change the password for user admin (and document it!)

Hi,

I know it's an old topic but it still didn't help me.

I managed to do all the above procedure, but despite it running without errors in R77.30, it did not change the password of the admin user. I believe it is because the procedure is for R80.10.

Someone knows a procedure like that to change the admin password in R77.30 running on VMWare?
(I can't use USB disk, but I'm able to boot ISO images.)

Thanks.

0 Kudos
Mike_A
Advisor
‎2019-07-02 04:34 AM
In response to HeikoAnkenbrand

@HeikoAnkenbrand 

Great point, I didn't fully read that the issue was resetting the admin password on the management server itself. 

0 Kudos
Ryan_Puckett
Employee
Employee
‎2020-04-29 01:44 PM
In response to PhoneBoy

I've took this one-time script and added it into the script repository. Since arguments can be passed to scripts in the repository, I can pass the username and new password and viola.

Script Body:

export OPENSSL_CONF=$CPDIR/conf/openssl.cnf
clish -s -c "lock database override"
clish -s -c "set user $1 password-hash $($CPDIR/bin/cpopenssl passwd -1 $2)"

ResetUserArguments.PNG

Mike_A
Advisor
‎2020-05-09 08:21 AM
In response to Ryan_Puckett

I just saw this, @Ryan_Puckett assuming this will solve the issue I'm having here?

 

https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Scripts-Repository-Password-Reset...

 

0 Kudos
Ryan_Puckett
Employee
Employee
‎2020-05-13 11:20 AM
In response to Ryan_Puckett

Correct.

Same method as using cprid_util but from script repository vs expert CLI.

0 Kudos
Mike_A
Advisor
‎2020-05-14 04:13 AM
In response to Ryan_Puckett

As @PhoneBoy said in the other thread I had. If you wrap the password line in single quotes, not double, this works as well. Possibly an easier fix than exporting OPENSSL into the script.

 

Regardless it works for me in both scenarios. 

0 Kudos
Danny
Champion
Champion
‎2019-07-01 11:20 AM

How to remotely reset Admin / Expert password on a Security Gateway from a Security Management Serve... (sk106490)

Daniel_Kavan
Advisor
‎2020-06-22 09:21 AM
In response to Danny

RE: 80.30 gateway

I'm logged in as admin 

Is there anyway to decrypt or convert an expert password hash to a string?

If I'm logged in as admin, can I reset both the admin and expert passwords with out knowing either?  

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-06-22 11:17 AM
In response to Daniel_Kavan

sk106490 

 

PhoneBoy
Admin
Admin
‎2020-06-24 12:21 PM
In response to Daniel_Kavan

Hashes are the result of one-way functions.
The concept is that, given the output and the function, you cannot easily determine the input to the function.
Cryptographic hashes used for passwords are meant to be particularly difficult 😬
But you can reset them as noted.
Mike_A
Advisor
‎2020-08-12 07:34 PM
In response to PhoneBoy

Not to revive this thread, but I think it may be relevant here. 

 

For compliance, we are required to change our admin password every 90 days (we are using RADIUS for our personal accounts). By way of this thread we have a valid script that can reset the admin and expert passwords with no issues via scripts repository. The problem comes into play when the admin password has met, or exceeded its 90 day setting. Utilizing the script resets the password successfully (if you log in with it the next time as admin it accepts the password but prompts for the password to be reset again via the interactive login).  Is there a way around being prompted for a password change again? The script is running but there is some field/trigger that is not acknowledging that as a formal password change to reset a "counter" for the password-controls setting within clish. 

 

The command in the script is "clish -c 'set user admin password-hash <hash>'" 

 

Example

Current Password: Test123!

Script Rests to: Test456!

When logging in the next time with admin/Test456! it prompts to change password again. 

 

Thanks!

0 Kudos