12-12-2011 11:20 AM
Are they hashed before storing them in the config files? By the looks of them, it seems like the PAN appliance is storing them in an encrypted format. If so, can they be decrypted?
For example, an OSPF key is stored as follows:
"-AQ==xxxxxxxxxxxxx=xxxxxxxxxxxxx=="
This pattern can be observed in almost all of the keys/passwords stored in the XML config. Is there a way to decrypt these keys? I am particularly interested in the OSPF MD5 keys, as I need to add new routers to our network but I don't know the key.
Has anyone successfully decrypted a PAN key?
Thanks.
12-26-2011 01:05 AM
Do you remove private keys also? I have many private keys here for SSL decryption and VPN.
12-27-2011 04:55 AM
Yes, we have removed the public and private keys. These seem to be at the beginning of the XML configuration file and can be manually removed.
12-27-2011 04:57 AM
After some investigation, the techdump.tgz file seems to be cleaned of its passwords and private keys, so techdumps are not a threat. Just be careful when you export the config.xml, as this one has them all.
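The two posts above recommend stripping private keys and other secrets from an exported config.xml before sharing it. The script below is an added example, not code from the thread or from Palo Alto Networks: it walks a constructed XML sample modelled on the element names mentioned in the thread (`private-key`, `bind-password`, an OSPF key, `phash`), reports every value that carries the reversible `-AQ==` prefix, replaces those values with a placeholder, and leaves one-way salted MD5 hashes (`$1$...`) in place since they are not recoverable by holding the file. Tag names and the sample config are assumptions for illustration; a real export will differ.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, loosely modelled on the structure discussed in the thread.
# It is NOT a real PAN-OS export; tag names are assumptions for this example.
SAMPLE_CONFIG = """<config version="4.1.0">
  <shared>
    <certificate>
      <entry name="fw-cert">
        <private-key>-AQ==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==</private-key>
      </entry>
    </certificate>
    <server-profile>
      <ldap>
        <entry name="corp-ad">
          <bind-password>-AQ==ZZZZZZZZZZZZZ=ZZZZZZZZZZZZZ==</bind-password>
        </entry>
      </ldap>
    </server-profile>
  </shared>
  <mgt-config>
    <users>
      <entry name="admin">
        <phash>$1$abcdefgh$CONSTRUCTEDHASHVALUE.</phash>
      </entry>
    </users>
  </mgt-config>
  <ospf>
    <auth-key>-AQ==xxxxxxxxxxxxx=xxxxxxxxxxxxx==</auth-key>
  </ospf>
</config>
"""

ENCRYPTED_PREFIX = "-AQ=="                    # prefix on reversibly encrypted values, as seen in the thread
HASH_RE = re.compile(r"^\$1\$[^$]{1,8}\$")    # salted MD5 crypt(3) format, e.g. output of 'openssl passwd -1'
PLACEHOLDER = "REDACTED"


def _walk(elem, path, findings):
    """Recursively visit elements, record secrets and redact reversible ones in place."""
    here = f"{path}/{elem.tag}"
    name = elem.get("name")
    if name:
        here += f"[@name='{name}']"
    text = (elem.text or "").strip()
    if text.startswith(ENCRYPTED_PREFIX):
        # Reversible: the appliance can decrypt it, so anyone holding the file must not get it.
        findings.append((here, "encrypted"))
        elem.text = PLACEHOLDER
    elif HASH_RE.match(text):
        # One-way hash: reported for awareness but left in place.
        findings.append((here, "hash"))
    for child in elem:
        _walk(child, here, findings)


def redact_config(xml_text):
    """Return (redacted_xml, findings); findings is a list of (xpath-like path, kind)."""
    root = ET.fromstring(xml_text)
    findings = []
    _walk(root, "", findings)
    return ET.tostring(root, encoding="unicode"), findings


def encrypted_count(findings):
    """Number of reversibly encrypted values that were redacted."""
    return sum(1 for _, kind in findings if kind == "encrypted")


if __name__ == "__main__":
    redacted, found = redact_config(SAMPLE_CONFIG)
    for path, kind in found:
        print(f"{kind:9s} {path}")
    print(f"redacted {encrypted_count(found)} reversible secret(s)")
    print(redacted)
```

Run it against an exported file by reading the XML into `redact_config` instead of `SAMPLE_CONFIG`; the findings list doubles as an inventory of which elements would have leaked credentials had the raw export been shared.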
12-28-2011 07:15 PM
Hashed password. You can use openssl passwd to compute the MD5 hash.
12-28-2011 07:58 PM
Yes, administrator passwords for login to the firewall are hashed (looks like standard Linux/FreeBSD salted MD5), but what about passwords used externally? For example, the bind-password for LDAP or ActiveDirectory service accounts. Mine starts with <bind-password>-AQ==
01-02-2012 07:29 PM
You can also use the 'request password-hash' operational mode CLI command.
01-03-2012 12:11 AM
I also noticed that when I create users via the API in 4.1, I can send the passwords in clear.
08-29-2013 02:33 PM
Guys,
Is this still the case for 5.0.X PAs?
08-30-2013 02:39 PM
Given that PA recently got approved for various security oriented certificates I sure do hope this has been fixed or at least noted in these tests:
http://researchcenter.paloaltonetworks.com/2013/07/update-on-certifications-dept-of-defense-uc-apl/