This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Steve_Pearson
Collaborator
‎2025-01-09 12:40 PM

SIC one time passwords

I encountered a problem today connecting a spark to a central management server in that the SIC one time password that i'd set on the management server contained a question mark, and that caused a problem when trying to use it in CLI commands.

(maybe using a password generator wasn't such a good idea, and keeping it simple would be better)

However, this got me thinking, is there a definition for the requirement of the SIC one time password, as far as, how many characters, what mix is required and importantly what characters are not allowed?

I don't recall seeing one, and searching this evening hasn't turned up anything, so I was wondering if anyone else is aware of a definition?

0 Kudos
9 Replies
Lesley
MVP Gold
MVP Gold
‎2025-01-09 01:17 PM

As far as I know there is no minimal requirement. SIC is a one thing only, when SIC is set certificates are used for communication. 

Why the question mark did not work I am not sure could be a bug (would recommend to check the version you have installed).

Could also be user error (no offense) so if someone could reproduce it is worth checking and report as bug. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-01-09 01:40 PM
In response to Lesley

It's probably not a bug. BASH treats the question mark character as a one-character wildcard in file names. To get it to treat the question mark literally, you need to either escape it with a backslash (not ideal, since then you might need to escape the backslash as well at some point) or enclose the whole string in ticks (technically prime marks, also called commonly called single-quotes).

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-01-09 01:46 PM
In response to Bob_Zimmerman

would be solved them if you perform SIC reset via web interface of the firewall 😉 

GAIA embedded I always reset via web interface

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Steve_Pearson
Collaborator
‎2025-01-13 01:28 AM
In response to Bob_Zimmerman

Yes, this is why the question mark didn't work for me!

0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-09 03:49 PM

The SIC password is only used once: when trust is established to the management.
It does not need to be complex (i.e. containing "special characters") but you can make it long.
This is a particularly a good idea if you're deploying gateways automatically with cloud-init (relevant for CloudGuard Network instances). 

How long the password can be...not entirely sure.

the_rock
MVP Platinum
MVP Platinum
‎2025-01-09 04:06 PM

I know some people may disagree when I say this, but honestly, I always say to people you can easily use 1234 for SIC password, since its one-time password needed AND, on top of that, its encrypted, so really no need to be complex. I am fairly certain minimum is 4 characters, not sure about max length though.

Andy

Best,
Andy
0 Kudos
Steve_Pearson
Collaborator
‎2025-01-13 01:33 AM
In response to the_rock

Like you, I would normally use a simple password for SIC, but the password policy is very strict on this site so I tried to conform to that and it bit me!

Lesson learned, but the reason for this post was to see if there was actually a definition of what the SIC password must / must not contain, as I couldn't find anything.

PhoneBoy
Admin
Admin
‎2025-01-13 09:50 AM
In response to Steve_Pearson

Most likely the reason this isn't documented is because this issue hasn't come up before, given the one-time nature of SIC passwords.

0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2025-01-13 10:22 AM

Hi @Steve_Pearson 

And dont forget this useful sk:

https://support.checkpoint.com/results/sk/sk109148

Akos

 

----------------
\m/_(>_<)_\m/

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events