License_Support
Participant

Password hashes, sha512 and the expert password

 

When installing Check Point 80.40, it sets the default password hash algorithm to MD5.

I want to change it to SHA512 and do that via the clish command line with this command:

firewall> set password-controls password-hash-type SHA512

Then I can set the admin password hash with the new "standard" hash algorithm to the same password as I had before:

firewall> set user admin password
New password: ***************
Verify new password: ***************

TIP: To be allowed to set the same password as you had before, you might need to run this first (just remember to turn that one on again after the change to ensure passwords are not reused, if you need that for compliance reasons):
set password-controls history-checking false

I can alternatively set the password using the hash instead:

firewall> set user admin password-hash $6$rounds=10000$RoVKjytn$rz.nZFj2dkCX9381mfYiWiGbpp5R35XCAPIBo5.UVN/lUEwEsJ/oWRMXwVFPwufEYW4xJDd4ZZ9nkFVcrDQi..

TIP: Also remember to run "save config".

My question is:

How do I set the expert password with a hash (so I can script / automate my installations)?

firewall> set expert-password-hash $6$rounds=10000$RoVKjytn$rz.nZFj2dkCX9381mfYiWiGbpp5R35XCAPIBo5.UVN/lUEwEsJ/oWRMXwVFPwufEYW4xJDd4ZZ9nkFVcrDQi..
GAIA9999 Invalid Salted Hash

I also did not figure out where the expert encrypted password is stored. Does anyone here know how to retrieve it?

Link to SK for changing the password hashing algorithm (for Gaia OS):

# https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

TIP: The encrypted passwords for the users are stored in the local file /etc/shadow.

If you cat that file or run "grep admin /etc/shadow | cut -d: -f-2" from the expert command line, then you can see what type of encryption/hashing algorithm the user's password uses: the hash starts with a $ sign and a number.

Running the command dbget passwd:admin:passwd could also be used to show a user's hashed password (in this example, the admin user).

Look at whether it starts with $1, $5 or $6; that tells you which encryption or hashing algorithm they were created with.

# ID | Method
# ───────────────────────────────────────────────
# $1 | MD5
# $2 | (2a) Blowfish (not in mainline glibc; added in some Linux distributions)
# $5 | SHA-256 (since glibc 2.7)
# $6 | SHA-512 (since glibc 2.7)
# ───────────────────────────────────────────────

Best regards 

Keld Norman
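As an added example (not from the post above and not Check Point's own tooling), here is a small Python audit that parses shadow-format lines such as the "grep admin /etc/shadow | cut -d: -f-2" output and flags accounts whose stored hash is not SHA-512 with the expected rounds. This matters because changing password-hash-type only affects passwords set afterwards; hashes created under the old MD5 setting stay in /etc/shadow until that user's password is set again. The sample lines, the placeholder hashes and the 10000-round threshold are constructed assumptions.

```python
import re

# Prefix IDs used by glibc crypt(3), matching the table in the post.
CRYPT_METHODS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

# Modular crypt format: $id$[rounds=N$]salt$hash. bcrypt ($2a$cost$...) has no
# separator between salt and hash, so it is only identified here, not parsed.
_CRYPT_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<hash>[^$]+)$")

def parse_crypt_hash(field: str) -> "dict | None":
    """Describe a shadow password field; None when the account has no usable
    hash ('*', '!', empty, or a '!'-locked hash)."""
    if not field or field[0] in "!*":
        return None
    m = _CRYPT_RE.match(field)
    if not m:
        return {"method": "unrecognized", "rounds": None, "salt": ""}
    ident, rounds = m.group("id"), m.group("rounds")
    rounds = int(rounds) if rounds else None
    if ident in ("5", "6") and rounds is None:
        rounds = 5000  # glibc default when no rounds= parameter is stored
    return {"method": CRYPT_METHODS.get(ident, f"unknown (${ident}$)"),
            "rounds": rounds, "salt": m.group("salt")}

def audit_shadow(shadow_text: str, min_rounds: int = 10000) -> list:
    """Flag accounts whose stored hash is not SHA-512 with >= min_rounds.
    Hashes made under the old MD5 setting stay until the password is re-set."""
    findings = []
    for line in shadow_text.splitlines():
        if ":" not in line:
            continue
        user, field = line.split(":", 2)[:2]
        info = parse_crypt_hash(field)
        if info is None:
            continue  # locked account or no password set
        if info["method"] != "SHA-512":
            findings.append((user, f"{info['method']} hash, password must be re-set"))
        elif info["rounds"] < min_rounds:
            findings.append((user, f"SHA-512 with only {info['rounds']} rounds"))
    return findings

# Constructed sample in /etc/shadow layout; the hashes are placeholders,
# not real password hashes.
SAMPLE_SHADOW = "\n".join([
    "admin:$6$rounds=10000$c0nstructd$" + "A" * 86 + ":19000:0:99999:7:::",
    "monitor:$1$c0nstruct$" + "B" * 22 + ":19000:0:99999:7:::",
    "auditor:$6$c0nstructd$" + "C" * 86 + ":19000:0:99999:7:::",
    "nobody:*:19000:0:99999:7:::",
])
```

Run audit_shadow() over the real file from expert mode (or over dbget output) after switching to SHA512 to list which accounts still need a password reset.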

 

16 Replies