Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Laurent_Maland1
Explorer

RemoteAccess Users view password or export accounts

Hi everbody

I have some RemoteAccess users (30) authentified by "Check Point Password" on a Firewall. I need to create some same users (6) on another Firewall (not the same management). Is it possible to view in clear the 6 passwords or to export/import the 6 accounts (name/password).

Thank you for your help.

Laurent

0 Kudos
4 Replies
PhoneBoy
Admin
Admin

You should be able to do it with dbedit with something like "show users username".

A hash of the password will be exported (not the clear text)--not sure if that can be imported into another system (haven't tried it yet).

0 Kudos
JozkoMrkvicka
Authority
Authority

Well, This is how it looks on R77.30 (no hash, no plain-text password):

dbedit> print users admin

Object Name: admin
Object UID: {9813617A-70C8-4DF6-ADA6-A4BD87FCE69B}
Class Name: user
Table Name: users
Last Modified by: admin
Last Modified from: 
Last Modification time: Sun Sep 9 08:18:44 2018
Fields Details
--------------
accessible_from_smc: true
admin_expiration_base_data: admin (
expiration_date: 31-dec-2030
expiration_date_method: expire at
expiration_date_visual_notif: true
)
administrator: false
administrator_profile: NULL
auth_method: Internal Password
color: black
comments:
connection_state: uninitialized
creation_date: 8/27/2018
days: 127
destinations: Name: Any (Table: globals)
email:
expiration_according_to_global_def: true
expiration_visual_indication_mgmt: true
fromhour: 00:00
generic_profile: false
generic_profile_settings: (
<NULL>
)
groups: Name: TESTING (Table: users)
internal_password: Sensitive Info Removed
name: admin
notdelete: false
phone_number:
radius_server: Name: Any (Table: globals)
sic_identifier: (
id_type: ip_addr
id_value:
)
sic_name:
sources: Name: Any (Table: globals)
tacacs_server: Name: Any (Table: globals)
tohour: 23:59
type: user
use_fw_radius_if_exist: true
userc: (
FWZ: (
<NULL>
)
IKE: (
isakmp.authmethods: signatures
isakmp.data.integrity: SHA1
isakmp.encmethods: DES 3DES
isakmp.encryption: 3DES
isakmp.hashmethods: MD5 SHA1
isakmp.shared.secret:
isakmp.transform: ESP
)
accept_track: Name: Auth (Table: tracks)
use_global_encryption_values: true
)

And from GuiDBedit:

So the password (in hash), must be stored in some database.

Kind regards,
Jozko Mrkvicka
0 Kudos
JozkoMrkvicka
Authority
Authority

R77.30:

The hashes for Remote Access users should be stored in following file:

/var/opt/CPsuite-R77/fw1/conf/fwauth.NDB

The hashes (internal_password) are 13 characters long.

But maybe the better way how to accomplish your plan (to export users) is to use migrate export utility from management.

Kind regards,
Jozko Mrkvicka
0 Kudos
Laurent_Maland1
Explorer

Hi

Thank you for the information about dbedit. If I use the migrate export utility how can I import the 6 users account only in the other Firewall ?

Regards

Laurent

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events