HI CheckMates,
I'm trying to configure the expert password using set expert password-hash in autoconf.clish but it doesn't work. I.e., the command is accepted but the expert password doesn't work.
Strangely user admin password, that was configured the same way (using set administrator username admin password-hash in autoconf.clish) works fine!
Hash obtained either using "cryptpw -a md5 <password>" or "openssl passwd -1".
What am I doing wrong?
AM
Hi,
You can generate the MD5 hash from /sbin/grub-md5-crypt, then copy the salted hash and do a set expert-password-hash <hash>.
Should work just fine like this.
Hi,
Same result. Admin password hash works fine, expert password hash doesn't:
GW000 login: admin
Password:
GW000> expert
Enter expert password:
Wrong password, exiting.
By the way, I'm testing in 1200R gateway.
sk119633 may help with this
The way I found to set expert password-hash using autoconf.clish was to set the password in clish and then copy the value from /flash/expert_pass_ to file.
I guess the hashing algorithm for expert password is not MD5 as it is with admin password hashes.
Enclosing the hashed string in single quotes didn't solve it.
R77.20.87 CLI Guide:
Description
Sets the initial password or password hash for the expert shell
Syntax
set expert {password|password-hash} {<pass>|<pass_hash>}
Parameters
Parameter | Description |
---|---|
pass | Password using alphanumeric and special characters |
pass_hash | Password MD5 string representation |
Example
set expert password-hash $1$fGT7pGX6$oo9LUBJTkLOGKLhjRQ2rw1
Output
Success shows OK. Failure shows an appropriate error message.
Comments
To generate a password-hash, you can use this command on any Check Point SMB Appliance gateway (as an expert user).
cryptpw –a md5 <password string>
If this works on CLI only, it would be an autoconf.clish limitation - you could even involve TAC!
Example.
[Expert@GW000]# cryptpw -a md5 ClearPassw0rd
$1$byBwFTca$iOzMEY5EfDZ/deRgXaXKi1
[Expert@GW000]# exit
...
Gateway-ID-7F99045E> set expert password-hash $1$byBwFTca$iOzMEY5EfDZ/deRgXaXKi1
Setting expert password with hash
OK
Gateway-ID-7F99045E> expert
Enter expert password:
Wrong password, exiting.
Anyone else with the same issue?
You should involve TAC, this sounds like incorrect behaviour!
Very old thread I know, however I had a need to change the expert password on a number of 1500 series Quantum Spark firewalls running the recommended R81.10.17 firmware with the Digicert patch.
So, to do it from a script you need to work out the hash first. The following works in the scenario provided above but note the command is slightly different:
In expert mode on a 1500 where the new password is "NewPassword":
#cryptpw NewPassword -m md5
$1$EV4ZvIAH$1sNhoXVHRjznDvV9nOB7G/
Then go to clish on the 1500:
set expert password-hash $1$EV4ZvIAH$1sNhoXVHRjznDvV9nOB7G/
Then use the above command to script the change of expert password on all the other 1500s as desired. Always test it first.
The slightly different command makes no difference at all, so your post is just superfluous:
- if you just use #cryptpw NewPassword, md5 will always be used by default
- using -m or -a makes no difference at all and is not needed if you want md5 to be used
Yes, I was referring to the cryptpw command. The -a doesn't work in case someone tries and yes, the command you just posted works.
You mean -a does not work in scripts, but -m does? You did not write that...
Syntax in CLI is:
BusyBox v1.36.1 (2024-03-18 18:58:40 IST) multi-call binary.
Usage: cryptpw [-P FD] [-m TYPE] [-S SALT] [PASSWORD] [SALT]
Print crypt(3) hashed PASSWORD
-P N Read password from fd N
-m TYPE des,md5,sha256/512 (default )
-S SALT
But -a (old syntax afaik) does work in CLI, and default is md5.
Correct, -a doesn't work. -m works but isn't needed as you pointed out, just md5 is required plus the password
No, md5 is not required as it is the default, so cryptpw password will be sufficient. cryptpw -m sha512 password will give a hash starting with $6 denoting sha-512. I see no script used in your post, and in expert mode on a 1500 -a SHA512 will work. I have tested the following script on a 1600:
#!/bin/sh
cryptpw -a sha512 karin
Output is:
[Expert@sweet-sixteen]# ./test.sh
$6$WUar.r5CXaB6JlQj$aNrkcJXFfP/esvcQB4GkF0XgOZMLf0Rr3WHwR57aAFG/ZMCUwr37HzAGE4iSPusQFRtCzRir4ZLlW8oiwhVd41
No error using -a! So I see no use in your post...
Thanks for your kind reply, it is very helpful as I didn't know -a or -m weren't needed and that MD5 was default as it looked like SHA was the default from the command output
My point was that in an earlier post, -a was used which doesn't work for me. See the output. I don't get an error, I just get the help. I was looking to script it, but it didn't work when I typed it manually. I later found -m worked and didn't investigate further as I got what I needed
Yes we don't need to use -m md5 but -m md5 works if it is used regardless if it is needed or not. The command works if I use -m or if I don't use -m. See below:
# cryptpw –a md5 NewPassword
BusyBox v1.36.1 (2024-03-18 18:58:40 IST) multi-call binary.
Usage: cryptpw [-P FD] [-m TYPE] [-S SALT] [PASSWORD] [SALT]
Print crypt(3) hashed PASSWORD
-P N Read password from fd N
-m TYPE des,md5,sha256/512 (default )
-S SALT
# cryptpw -m md5 NewPassword
$1$pztzUpMk$wCHZ57cZzc6p1lpDKJ/TR0
# cryptpw NewPassword
$1$OWyL25XG$uw3.N0yi1el.tPLXS.M6P/
# fw ver
This is Check Point's 1570 Appliance R81.10.17 - Build 654
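The checks below are an added example, not part of any post in the thread and not Check Point code: they validate the shape of a crypt(3) hash before it goes into a scripted `set expert password-hash` line and flag non-ASCII characters in a typed command. As displayed on this page, the `cryptpw –a md5 NewPassword` invocation that prints the usage text is written with an en dash, while the runs that return a hash use an ASCII hyphen. Function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample values are from the thread.

_match() { printf '%s\n' "$1" | LC_ALL=C grep -Eq "$2"; }

# Print the crypt(3) scheme of a hash ($1$ md5, $5$ sha256, $6$ sha512),
# or "invalid" when salt or digest length does not fit that scheme.
crypt_scheme() {
    if   _match "$1" '^\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$'; then
        echo md5
    elif _match "$1" '^\$5\$(rounds=[0-9]+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{43}$'; then
        echo sha256
    elif _match "$1" '^\$6\$(rounds=[0-9]+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$'; then
        echo sha512
    else
        echo invalid
    fi
}

# Succeed only if the text is printable ASCII. A dash pasted from a PDF or
# web page can be U+2013, which reaches the program as a plain word, not
# as an option.
ascii_only() {
    ! printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

# Print the clish line for a hash. Anything but MD5-crypt is refused because
# the CLI guide quoted in the thread documents pass_hash as an MD5 string;
# whether other schemes are accepted is not shown there.
clish_line() {
    if [ "$(crypt_scheme "$1")" != md5 ]; then
        echo "refused: not a well-formed MD5-crypt hash" >&2
        return 1
    fi
    printf 'set expert password-hash %s\n' "$1"
}

# Single quotes keep the shell from expanding $1, $EV4ZvIAH, ... in the hash.
clish_line '$1$EV4ZvIAH$1sNhoXVHRjznDvV9nOB7G/'
clish_line '$1$EV4ZvIAH$1sNhoXVHRjzn' || true          # truncated copy
for cmd in 'cryptpw -m md5 NewPassword' 'cryptpw –a md5 NewPassword'; do
    ascii_only "$cmd" || echo "non-ASCII character in: $cmd"
done
```

The BusyBox usage text quoted in the thread also lists `-P N`, which reads the password from a file descriptor and so keeps it out of the command's argument list.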