Authenticating to SMB appliances using only the first 8 characters of the Administrator password is allowed
Administrator passwords that were created or changed while using R77.20.85 and later versions (mentioned earlier) are hashed with a weaker password hash algorithm than in previous versions.
To upgrade password hash complexity, refer to the solution of this sk.
This problem was fixed. The fix is included in:
Check Point recommends always upgrading to the most recent version (Check Point 700 appliance / Check Point 910 appliance / Check Point 1400 appliance).
After upgrading, the configured passwords still use the weaker hash algorithm.
Therefore, it is required to change all the Administrators' passwords or re-create the Administrator users.
The following script can be executed in Expert mode in order to detect Administrator users with the weaker password hash:
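```bash
#!/bin/bash
# Print every user in /etc/shadow whose password field is a weaker hash.
while IFS= read -r p; do
    user="$(echo "$p" | cut -d ":" -f 1)"
    user_hash="$(echo "$p" | cut -d ":" -f 2)"
    # Skip locked or disabled accounts ("*" or "!") and hashes containing "$".
    if [[ $user_hash == *"*"* || $user_hash == *"!"* || $user_hash == *"$"* ]]; then
        continue
    fi
    # Whatever remains is reported as affected.
    echo "$user"
done < /etc/shadow
```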
How to use the script:
- Copy the script into a Notepad file and give it any name; in our example, it is "admin_check".
- Change the extension of the Notepad file to .sh
- Copy the admin_check.sh file to the /storage directory.
- Go to the /storage directory, by executing the command "cd /storage" in Expert mode.
- Give the script execute privileges, by executing the command "chmod 700 admin_check.sh" in Expert mode.
- Convert the file to UNIX format, by executing the command "dos2unix admin_check.sh" in Expert mode.
- Run the script, by executing the command "admin_check.sh".
- The affected users will be printed to the screen.
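
An added example, not Check Point's script: the same filter written as functions that take a shadow-format file, so it can be tried on constructed entries before it is run against /etc/shadow. It goes slightly beyond the script above by separating empty password fields from legacy hashes, and it assumes the weaker hash is the traditional 13-character crypt format (the page does not name the algorithm); the function names and sample entries are hypothetical.

```bash
#!/bin/bash
# Added example: classify the password field of each shadow-format entry.
# Assumption: the weaker hash is the traditional 13-character crypt format.

# classify_hash FIELD -> empty | locked | prefixed | legacy | other
classify_hash() {
    case "$1" in
        "")               echo "empty" ;;     # no password set
        *'*'*|*'!'*)      echo "locked" ;;    # disabled or locked account
        *'$'*)            echo "prefixed" ;;  # algorithm-tagged hash ($id$salt$hash)
        *[!./0-9A-Za-z]*) echo "other" ;;     # unknown format, review manually
        *)  # plain crypt alphabet: only a 13-character value is a legacy hash
            if [ "${#1}" -eq 13 ]; then echo "legacy"; else echo "other"; fi ;;
    esac
}

# report_shadow FILE -> one "user:class" line per entry
report_shadow() {
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        echo "$user:$(classify_hash "$hash")"
    done < "${1:-/etc/shadow}"
}

# weak_users FILE -> only the users whose password must be changed
weak_users() {
    report_shadow "$1" | awk -F: '$2 == "legacy" { print $1 }'
}

# Constructed sample entries (not real hashes from any appliance).
sample="$(mktemp)"
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
admin:abJnggxhB/yJY:17000:0:99999:7:::
monitor:$1$Zx8kQ2ab$hC9mP0vT1sWqLrE3uYdFn/:17000:0:99999:7:::
nobody:*:17000:0:99999:7:::
svc:!:17000:0:99999:7:::
guest::17000:0:99999:7:::
EOF

report_shadow "$sample"
```

Entries reported as "empty" or "other" are not legacy hashes, but they are worth reviewing by hand because the original script would list an empty password field alongside the affected users.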
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.