Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
License_Support
Participant

Password hashes, sha512 and the expert password

 

When installing a Check Point 80.40 it sets the default password hash algorithm to MD5.

I want to change it to SHA512 and do that via the clish command line with this command: 

firewall> set password-controls password-hash-type SHA512

Then I can set the admin password hash with the new "standard" hash algorithm to the same password as i had before:

firewall> set user admin password
New password: ***************
Verify new password: ***************

TIP: To be allowed to set the same password as you had before you might need to run this first (Just remember to turn that one on again after the change to ensure passwords are not reused if you need that for compliance reasons): 
set password-controls history-checking false

I can alternatively set the password using the hash instead:

firewall> set user admin password-hash $6$rounds=10000$RoVKjytn$rz.nZFj2dkCX9381mfYiWiGbpp5R35XCAPIBo5.UVN/lUEwEsJ/oWRMXwVFPwufEYW4xJDd4ZZ9nkFVcrDQi..

TIP Also remember to run " save config "

My question is:

But how do I set the expert password with a hash ( so I can script / automate my installations ) ? 

firewall> set expert-password-hash $6$rounds=10000$RoVKjytn$rz.nZFj2dkCX9381mfYiWiGbpp5R35XCAPIBo5.UVN/lUEwEsJ/oWRMXwVFPwufEYW4xJDd4ZZ9nkFVcrDQi..
GAIA9999 Invalid Salted Hash

I also did not figure out where the expert encrypted password is stored - do any one here know how to retrieve it ?

Link to SK for changing password hashing algorithm ( for gaia OS 😞

# https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

TIP: The encrypted password for the users are stored in the local file called /etc/shadow

If you cat that file or run "grep admin /etc/shadow | cut -d: -f-2" from the expert command line, then you can see what type of encryption/hashing algorithm the users password starts with a $ sign and a number

Running the command dbget passwd:admin:passwd could also be used to show a users hashed password ( in this example the admin user) 

Look for if it starts with $1, $5 or $6 - it will tell you what encryption or hashing algorithm they were created with.

# ID | Method
# ───────────────────────────────────────────────
# $1 | MD5
# $2 | (2a) Blowfish (not in mainline glibc; added in some Linux distributions)
# $5 | SHA-256 (since glibc 2.7)
# $6 | SHA-512 (since glibc 2.7)
# ───────────────────────────────────────────────

Best regards 

Keld Norman

 

16 Replies
funkylicious
Advisor

Hi, 

You can find the hashed password for users in /etc/shadow .

Svendsen
Participant

It would seem that if you activate SHA256 it breaks.

If you activate SHA512 every command works as expected.

 

Think Checkpoint will need to revisit the feature who generates SHA256 hash.

0 Kudos
PhoneBoy
Admin
Admin

That might be worth a TAC case since I believe sha256 should work (or it did pre-R80.40).
Svendsen
Participant

It still works in R80.20 but after that it looks like trouble.

genisis__
Advisor

I have this:

set password-controls password-hash-type SHA512

and I still get this error.

Tobias_Moritz
Advisor

You said "I also did not figure out where the expert encrypted password is stored - do any one here know how to retrieve it?"

-> It is stored in the Gaia configuration database (/config/initial (plain-text) and /config/initial_db (SQLite v3)). You can retrieve it from expert shell with

dbget expertpwd:PWD

0 Kudos
K_montalvo
Advisor

@Tobias_Moritzi ran the dbget expertpwd:PWD command on expert mode but the output i get is on MD5 not plain-text , also i see that on clish > mode you can locate the expert password hash on line show configuration > (set expert-password-hash). I want to confirm if the expert password is stored on plain-text and if is on cleartext find a way to encrypt nor hash it

Copying @PhoneBoy in case that can advise us

0 Kudos
Tobias_Moritz
Advisor

As far as I know, it is only stored as hash.

But let's see if any employee can confirm this.

PhoneBoy
Admin
Admin

It should be hashed exactly the same way user passwords are hashed.

0 Kudos
K_montalvo
Advisor

Ok, how can i changed the hash algorithm from MD5 to SHA-256 for the expert password since is stored on the database?

0 Kudos
Tobias_Moritz
Advisor

Change the algorith for Gaia passwords, e.g. with

firewall> set password-controls password-hash-type SHA512

and change the expert password afterwards. The hash is now calculated using the new algorithm and stored in Gaia configuration database.

Changing the algorithm has no effect on existing password hashes in database, so setting a new password afterwards is mandatory.

K_montalvo
Advisor

@Tobias_Moritzperfect, how can i confirm that stored on database (At-Rest) is hash or plain-text? I can confirm that on the gateway CLI but just to confirm when in-transit from database to Gateway and at-rest itself on the database?

0 Kudos
Tobias_Moritz
Advisor

In transit? Gaia user passwords and Gaia expert password are stored locally in /etc/shadow (user passwords) and Gaia configuration database (expert password) on gateway, not in Check Point database on firewall management host.

Am I missing something here?

0 Kudos
K_montalvo
Advisor

1.PNG

 

Probably its me that im missing something, i just want to be 100% sure end to end in-transit or at-rest its is encrypted or hashed.

0 Kudos
PhoneBoy
Admin
Admin

Where are you concerned about the password being transmitted exactly?
All the methods to access the box and enter a password are encrypted.
The password is always stored in the configuration database as a hash.

0 Kudos
the_rock
Champion
Champion

I got exact same error when trying this in R81.10 version...followed below, no luick, getting Gaia 9999 invalid salted hash

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I even changed hash, same problem. Verified whats in /etc/shadow, but no luck. I have a feeling maybe the process does not work in R81 code.

Maybe someone from CP can confirm this?