How are passwords and keys stored in PAN xml config files

L4 Transporter

Re: How are passwords and keys stored in PAN xml config files

Do you remove private keys also? I have many private keys here for SSL decryption and VPN.

L2 Linker

Re: How are passwords and keys stored in PAN xml config files

Yes, we have removed the public and private keys.  These seem to be at the beginning of the XML configuration file and can be manually removed.

L4 Transporter

Re: How are passwords and keys stored in PAN xml config files

After some investigation, the techdump.tgz file seems to be cleaned of its passwords and private keys, so techdumps are not a threat. Just be careful when you export the config.xml, this one has them all.

SRA
L4 Transporter

Re: How are passwords and keys stored in PAN xml config files

Hashed password. You can use openssl passwd to compute the md5 phash.

Not applicable

Re: How are passwords and keys stored in PAN xml config files

Yes, administrator passwords for login to the firewall are hashed (looks like standard Linux/FreeBSD salted MD5), but what about passwords used externally? For example, the bind-password for LDAP or ActiveDirectory service accounts. Mine starts with <bind-password>-AQ==
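
For checking an exported config before sharing it, as discussed in the posts above, here is an added example (not from any poster in this thread or from Palo Alto Networks) that redacts secret-bearing elements and reports how each value looked. The bind-password and phash names and the -AQ== prefix come from the thread; the private-key tag name and the sample XML layout are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# "phash" and "bind-password" appear in the thread; "private-key" is an
# assumed tag name. Adjust the set to match your own export.
SECRET_TAGS = {"phash", "bind-password", "private-key"}

# Constructed sample; the layout is illustrative, not a real export.
SAMPLE = """<config>
  <shared>
    <certificate><entry name="decrypt-ca">
      <private-key>-----BEGIN PRIVATE KEY-----
CONSTRUCTED-NOT-A-KEY
-----END PRIVATE KEY-----</private-key>
    </entry></certificate>
    <ldap><entry name="ad">
      <bind-password>-AQ==constructed-value</bind-password>
    </entry></ldap>
  </shared>
  <users><entry name="admin"><phash>$1$consalt$constructedhash</phash></entry></users>
</config>"""

def classify(value):
    """Label how a stored secret looks, without trying to recover it."""
    v = value.strip()
    if re.match(r"\$1\$[^$]+\$", v):
        return "md5crypt-hash"          # salted MD5 crypt format
    if v.startswith("-AQ=="):
        return "aq-prefixed-blob"       # prefix quoted in the thread
    if "PRIVATE KEY-----" in v:
        return "pem-private-key"
    return "unknown"

def sanitize(xml_text):
    """Return (redacted_xml, findings); findings are (path, kind) tuples."""
    root = ET.fromstring(xml_text)
    findings = []
    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.get("name"):
            here += f"[{elem.get('name')}]"
        if elem.tag in SECRET_TAGS and (elem.text or "").strip():
            findings.append((here, classify(elem.text)))
            elem.text = "REDACTED"
        for child in elem:
            walk(child, here)
    walk(root, "")
    return ET.tostring(root, encoding="unicode"), findings
```

Run it on a copy of the export and review the findings list before sharing the redacted output.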

L3 Networker

Re: How are passwords and keys stored in PAN xml config files

You can also use the 'request password-hash' operational mode CLI command.

L3 Networker

Re: How are passwords and keys stored in PAN xml config files

I also noticed that when I create users via the API in 4.1, I can send the passwords in clear.

L1 Bithead

Re: How are passwords and keys stored in PAN xml config files

Guys,

Is this still the case for 5.0.X PAs?

L6 Presenter

Re: How are passwords and keys stored in PAN xml config files

Given that PA recently got approved for various security-oriented certificates, I sure do hope this has been fixed or at least noted in these tests:

http://researchcenter.paloaltonetworks.com/2013/06/usgv6-for-ipv6-common-criteria-eal-4-and-certific...

http://researchcenter.paloaltonetworks.com/2013/07/update-on-certifications-dept-of-defense-uc-apl/
