Password Hash Changing

lqueiroz, New Member
2019/07/24 07:59:14  5.2

Hi All,
 
Has anyone noticed the hash for some password types in the FortiGate's configuration changing every day, without any administrator action?
 
For example:
 
-Day one
 
config vpn certificate local
edit "Fortinet_CA_SSLProxy"
set password ENC 111111111111111111111111111111111==
set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
next
edit "Fortinet_SSLProxy"
set password ENC 111111111111111111111111111111111==
next
 
 
-Day two
 
config vpn certificate local
edit "Fortinet_CA_SSLProxy"
set password ENC 222222222222222222222222222222222==
set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
next
edit "Fortinet_SSLProxy"
set password ENC 222222222222222222222222222222222==
next
 
 
It is causing problems for our backup process, where our NMS system sees the configuration as changing every day and consequently downloads and archives the "new" configuration file.
 
Thank you very much,
Lindolfo
#1
emnoc, Expert Member (AUSTIN TX AREA)
Re: Password Hash Changing 2019/07/24 08:38:09
That's normal; every time you save the config in an export, the hash will be different.
 

PCNSE 
NSE 
StrongSwan  
#2
Toshi Esumi, Expert Member
Re: Password Hash Changing 2019/07/24 08:38:10
You need to skip those lines, as discussed below. Our backup/config diff tool does that.
https://github.com/ytti/oxidized/issues/931
 
#3
lqueiroz, New Member
Re: Password Hash Changing 2019/07/24 09:05:10
Hi, I considered skipping the "set password ENC" lines in the backup diff; however, I would then not have a backup when the password truly changes. Do you have any tip?
 
Thank you!
#4
lqueiroz, New Member
Re: Password Hash Changing 2019/07/24 09:07:41
Hey,
 
Do you know if this is a specific feature of some hardware/firmware models?
 
I have different models in the environment and some of them are not affected by this.
 
Thank you!
#5
Toshi Esumi, Expert Member
Re: Password Hash Changing 2019/07/24 10:40:55
This should be the same throughout all FGT models.
According to our programmer, our tool actually keeps saving all of them, including those ever-changing password lines, so that when a generation is retrieved it includes the legitimate ENC password. But when the diff is run to send out an email about changes between the previous and the latest version, it removes those lines before sending the notification email.
#6
emnoc, Expert Member (AUSTIN TX AREA)
Re: Password Hash Changing 2019/07/24 13:37:29
Yes, we do the same in our diff, by just removing or ignoring those lines.

i.e., before the diff:

  sed -i '/set password/d' fgt.conf

Also, if you do not want to remove them because of formatting, just replace the string with XXXXXXXXXXXXXs.
 
 
Ken Felix
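The approach the last two replies describe, written out as an added example (this is not code from the thread, from oxidized, or from Fortinet): every raw export is archived unchanged, so the genuine ENC values survive for restores, while the diff that drives the "config changed" notification is taken over a normalized copy in which the ENC values are masked. The sample exports are constructed for the example and modelled on the day-one/day-two snippets above; matching any `set <name> ENC <value>` line rather than only `set password` is my assumption about how FortiOS writes its other encrypted secrets.

```shell
#!/bin/sh
# Added example, not code from the thread: archive raw FortiGate exports
# unchanged, but diff and notify on a copy with every ENC value masked.
set -e

# Mask the value after an "ENC" token, e.g.
#   set password ENC 1111...==   ->   set password ENC <masked>
# Assumption: other encrypted secrets (set passwd ENC ..., set psksecret
# ENC ...) use the same "ENC" marker, so this is broader than the thread's
# 'set password' match. Lines without ENC pass through untouched.
normalize_fgt() {
    sed 's/\(set [A-Za-z0-9_-]* ENC\) [^ ]*$/\1 <masked>/' "$1"
}

# Exit status 0 when the two exports differ in something other than ENC values.
config_changed() {
    [ "$(normalize_fgt "$1")" != "$(normalize_fgt "$2")" ]
}

# The raw export (real ENC values) always goes into the archive; only the
# masked diff is produced for the notification, so the mail carries no
# encrypted secrets. Returns 0 when there is something to report.
archive_and_report() {
    prev=$1; new=$2; archive=$3
    cp "$new" "$(mktemp "$archive/fgt-XXXXXX")"
    if config_changed "$prev" "$new"; then
        normalize_fgt "$prev" > "$archive/prev.norm"
        normalize_fgt "$new"  > "$archive/new.norm"
        diff -u "$archive/prev.norm" "$archive/new.norm" || true
        return 0
    fi
    return 1
}

# Constructed sample exports modelled on the thread's day-one/day-two snippets.
DAY1=$(mktemp); DAY2=$(mktemp); DAY3=$(mktemp)
cat > "$DAY1" <<'EOF'
config vpn certificate local
    edit "Fortinet_CA_SSLProxy"
        set password ENC 111111111111111111111111111111111==
        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
    next
    edit "Fortinet_SSLProxy"
        set password ENC 111111111111111111111111111111111==
    next
end
config system admin
    edit "admin"
        set password ENC AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
EOF
# Day two: only the ENC values were re-encrypted; nobody changed anything.
sed 's/ ENC 1111[^ ]*$/ ENC 222222222222222222222222222222222==/; s/ ENC AAAA[^ ]*$/ ENC BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB==/' "$DAY1" > "$DAY2"
# Day three: ENC values moved again AND an admin trusthost was widened.
sed 's/10.0.0.0 255.255.255.0/10.0.0.0 255.0.0.0/' "$DAY2" > "$DAY3"

ARCHIVE=$(mktemp -d)
if archive_and_report "$DAY1" "$DAY2" "$ARCHIVE"; then
    echo "day 2: real change reported"
else
    echo "day 2: only ENC values changed; archived, nothing reported"
fi
if archive_and_report "$DAY2" "$DAY3" "$ARCHIVE"; then
    echo "day 3: real change reported (diff above)"
fi
```

Two points follow from the thread itself. First, because the ENC string changes on every export, a genuine password change is indistinguishable from routine re-encryption by looking at that line, so keeping every raw generation (as in post #5) rather than only the ones whose diff is non-empty is the only way to be sure a restore has the right secret. Second, masking rather than deleting keeps the line count and indentation intact for the diff, and keeps the encrypted secrets out of whatever mail or ticket the notification lands in.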