topic Re: Mass creating local-db users from CLI in General Topics

Mass creating local-db users from CLI

LukeBullimore — Mon, 29 Oct 2018 11:20:13 GMT

Hi Community,

We wish to add a batch of users to the local database, I'm just wondering if anyone has had experience with scripting this or doing this in batch.

With the command "set shared local-user-database user testuser" it requires separate user input to add the password so this is out of the question.

I thought the command "set shared local-user-database user testuser <passwordhash>" would be the solution, but what hash are we putting here? I presume the hashes aren't salted so what hashing algorithm is used?

How have people done this before? My only other thinking was via the XMLAPI but we really want to do via the CLI if possible, which I'm sure it is.

Thanks

Luke.

Re: Mass creating local-db users from CLI

Remo — Mon, 29 Oct 2018 11:51:38 GMT

Hi Luke

With the API you would probably have the same questions. This link should help you in your situation (with an additional command and the algorithms used): https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/device/device-local-user-database-users

Re: Mass creating local-db users from CLI

LukeBullimore — Mon, 29 Oct 2018 12:06:49 GMT

Hi @Remo

Perfect! Many thanks for the response, MD5 hashing works as expected.

Thanks,

Luke.

Re: Mass creating local-db users from CLI

JW6224 — Mon, 29 Oct 2018 12:53:39 GMT

I did this recently for "mass creating", and MD5 isn't needed, but you do need to break it up into two steps if you want a salted hash.

The article linked above includes the command 'request password-hash', which is half of how you get this done in the CLI (without API). Note that, unlike MD5, if you test the same username/password, you'll get different output from the command, because the salt changes.

admin> set cli pager off
admin> request password-hash username test password bogus

$1$cllheyno$jz2SsGvrE2Gii1xeAVT2d/

admin> request password-hash username test password bogus

$1$xiawogxo$yKAz1IFTDotiOnXIqu9z2.

admin> request password-hash username test password bogus

$1$sumoabmi$tGZkhTpj536dlrfkkaowi.

Then you take the hashes and set it in the configure-mode CLI:

admin> set cli config-output-format set
admin> configure
admin# set shared local-user-database user test phash $1$xiawogxo$yKAz1IFTDotiOnXIqu9z2.

Or in Panorama:
admin# set template YOUR_TEMPLATE config shared local-user-database user test phash $1$sumoabmi$tGZkhTpj536dlrfkkaowi.

Re: Mass creating local-db users from CLI

LukeBullimore — Mon, 29 Oct 2018 13:24:30 GMT

Hey @JW6224

Thanks very much for that insight; good to know this method also salts the hash too. I presume though this hash is still MD5.

The two-step process does take away from the automation that we were looking for, for the trade-off that you get a salted hash. I guess with anything like this, you must weigh up convenience vs the security aspect 😉

Thanks Again,

Luke.

Re: Mass creating local-db users from CLI

Remo — Mon, 29 Oct 2018 13:41:26 GMT

@LukeBullimore

Do you want to paste all the user from a pre-generated csv or something like that or you you use a script anyway?

But even if you want to pre-generate the hashes I assume you can do that without the request password-hash command, you just need to have the salt also in the string that you use as password hash when you henerate the user. I did not test it but if you use the same format as the request command generates ...

Re: Mass creating local-db users from CLI

LukeBullimore — Mon, 29 Oct 2018 13:53:10 GMT

Hi @Remo

The idea was to have everything pre-made in a csv and then dump it into the CLI, using some delay in between commands using Tera Term or something.

You did get me a bit confused with your comment " you just need to have the salt also in the string that you use as password hash when you henerate the user." The only parameters that I thought you need for the command was the password hash and the username?

Cheers,

Luke.

Re: Mass creating local-db users from CLI

Remo — Mon, 29 Oct 2018 14:40:32 GMT

Hi @LukeBullimore

Now I did confuse myself too 😛

Need to test a little before I write wrong things ...

Re: Mass creating local-db users from CLI

Remo — Mon, 29 Oct 2018 21:52:11 GMT

Hi @LukeBullimore

I wasn't able to find out how exactly the salts and hashes are encoded in the output of the "request password-hash" command. Obviously it is not the plain MD5 hash, there is some additional encoding.

With this example:

$1$sumoabmi$tGZkhTpj536dlrfkkaowi

$1 probably is the algorithm, $sumoabmi seems to be the (encoded) salt and $tGZkhTpj536dlrfkkaowi is the salted and hashed password. ( @reaper: do you know how to get the output as provided by the command "request password-hash"?)

So the conclusion is, I think you cannot simply enter a hash with the create user command, you probably need to use the request command. If your interessted I could provide a little powershell script that will take the values from a CSV and then create the users for you over the XML API...

Re: Mass creating local-db users from CLI

SubaMuthuram — Wed, 27 Jan 2021 15:06:23 GMT

Hi,

Is there any model script or something where I can run the script and it will create all the users.

I am new to here and I couldn't get the clarity so I just wanted to know how to do the bulk user creation in Plao Alto.

Thanks in advance.😊