Pedro_Espindola
Advisor

Adding new local user using clish on Spark appliances

Hello Everyone,

I am trying to reconfigure a 1500 appliance using a CLI script exported from another appliance. However, the command to add a new local-user using password hash fails:

# clish -c 'show configuration' | grep local-user
add local-user name "test" password-hash "$5$uP8D78rQ$bYXgdHEoNfyynYHHkpMaHluTxtQkMGGkg.fFAffrtXC" is-temp-user "false"
# clish
> delete user test type local
> add local-user name test password-hash $5$uP8D78rQ$bYXgdHEoNfyynYHHkpMaHluTxtQkMGGkg.fFAffrtXC is-temp-user false
Could not set local-user password-hash: Not valid password hash
Could not set local-user password-hash: Not valid password hash

The reason why I want to do this is that I attempted a migration from R77.20.87 to R80.20.X, but I had a million problems and errors popping up and TAC is not being slow to respond. So I decided to configure from scratch using a script, but this would impact 20 local users if I am unable to create them.

Does anyone know how to make this command work?


PS: Adding administrators seems to work. The issue happens for local users (such as VPN users, etc).

The gateway is locally managed.

0 Kudos
6 Replies
the_rock
Legend

Will test this shortly and update you.

Andy

0 Kudos
the_rock
Legend

Let's see if SMB gurus can confirm, but the option seems pretty straightforward


[attached image: Screenshot_1.png]

0 Kudos
PhoneBoy
Admin

There are two possible issues here:

  • The SMB appliance doesn't support SHA256 hashes (thus where the "not valid password hash" comes in).
  • When I try to use an MD5 hashed password (as suggested in the documentation), I get an "unknown error" when attempting to apply the command.

I'd try using an MD5-hashed password.
If it doesn't work on your version, please open a TAC case: https://help.checkpoint.com 

0 Kudos
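The two points above come down to which crypt(3) hash scheme each exported `add local-user` line carries. The following is an added example (my own code, not anything from the thread or from Check Point) that scans a `show configuration` export, classifies every `password-hash` value by its `$id$` prefix, and lists the users whose hash would not import, so they can be given a password reset before the migration rather than failing one by one in clish. The `accepted_ids` default of `("1",)` (MD5-crypt) is an assumption taken from the post above; the "legacy" and "broken" lines in the sample are constructed, only the "test" line is the one quoted in the thread.

```python
import re
from typing import Dict, List, Tuple

# crypt(3) modular-format identifiers. "$5$" (SHA-256-crypt) is the prefix
# of the hash the appliance rejected with "Not valid password hash".
CRYPT_SCHEMES = {
    "1": "MD5-crypt",
    "5": "SHA-256-crypt",
    "6": "SHA-512-crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
}

LOCAL_USER_RE = re.compile(
    r'^add local-user name "(?P<name>[^"]+)" password-hash "(?P<hash>[^"]+)"'
)
HASH_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?P<salt>[^$]*)\$(?P<digest>[^$]+)$")

# Constructed sample export. The "test" line is the one from the thread;
# the other two lines are made up for illustration.
SAMPLE_CONFIG = """\
add local-user name "test" password-hash "$5$uP8D78rQ$bYXgdHEoNfyynYHHkpMaHluTxtQkMGGkg.fFAffrtXC" is-temp-user "false"
add local-user name "legacy" password-hash "$1$Zm9vYmFy$QwErTyUiOpAsDfGhJkLzXc" is-temp-user "false"
add local-user name "broken" password-hash "notacrypthash" is-temp-user "false"
set hostname "gw-sample"
"""


def classify_hash(value: str) -> Dict[str, str]:
    """Map a crypt-style string to its scheme name and id ("unknown" if unparsable)."""
    m = HASH_RE.match(value)
    if not m:
        return {"scheme": "unknown", "id": ""}
    return {"scheme": CRYPT_SCHEMES.get(m["id"], "unknown"), "id": m["id"]}


def audit_local_users(
    config_text: str, accepted_ids: Tuple[str, ...] = ("1",)
) -> List[Dict[str, object]]:
    """One record per local-user line: name, detected scheme, and whether the
    hash id is in accepted_ids (the set assumed importable by the target box)."""
    rows: List[Dict[str, object]] = []
    for line in config_text.splitlines():
        m = LOCAL_USER_RE.match(line.strip())
        if not m:
            continue
        info = classify_hash(m["hash"])
        rows.append(
            {
                "name": m["name"],
                "scheme": info["scheme"],
                "importable": info["id"] in accepted_ids,
            }
        )
    return rows


def users_needing_reset(
    config_text: str, accepted_ids: Tuple[str, ...] = ("1",)
) -> List[str]:
    """Names of users whose exported hash cannot be replayed and who need a new password."""
    return [
        str(r["name"])
        for r in audit_local_users(config_text, accepted_ids)
        if not r["importable"]
    ]


if __name__ == "__main__":
    for row in audit_local_users(SAMPLE_CONFIG):
        status = "ok" if row["importable"] else "NEEDS RESET"
        print(f'{row["name"]:10} {row["scheme"]:15} {status}')
    print("reset list:", users_needing_reset(SAMPLE_CONFIG))
```

Feed it the real export (`clish -c 'show configuration' | grep local-user > users.txt`) and you get the reset list before touching the new appliance; the script never attempts to recover any password, it only tells you which accounts cannot be carried over by hash and must be re-provisioned.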
Pedro_Espindola
Advisor

Thanks for the suggestion.

The problem is that I don't have the passwords of all the users, so I wanted to export with show configuration and reimport in another clean installed gateway with the same model and firmware version.

The SMB cannot import the command that it exports. If it does not support SHA256, how is it exporting SHA256?

I suspected that there might be some salt that is exclusive to the box, so I ran the lines below in the same gateway, creating a user, exporting, deleting and importing, all in the same box and still it does not work:

> add local-user name test password vpn123
# clish -c 'show configuration' | grep local-user
add local-user name "test" password-hash "$5$uP8D78rQ$bYXgdHEoNfyynYHHkpMaHluTxtQkMGGkg.fFAffrtXC" is-temp-user "false"
# clish
> delete user test type local
> add local-user name test password-hash $5$uP8D78rQ$bYXgdHEoNfyynYHHkpMaHluTxtQkMGGkg.fFAffrtXC is-temp-user false
Could not set local-user password-hash: Not valid password hash
Could not set local-user password-hash: Not valid password hash

0 Kudos
the_rock
Legend

I believe what @PhoneBoy said definitely sounds logical.

Andy

0 Kudos
PhoneBoy
Admin

I recommend engaging with the TAC on this: https://help.checkpoint.com 

0 Kudos
