10-29-2018 04:20 AM
Hi Community,
We wish to add a batch of users to the local database; I'm just wondering if anyone has had experience with scripting this or doing this in batch.
With the command "set shared local-user-database user testuser" it requires separate user input to add the password so this is out of the question.
I thought the command "set shared local-user-database user testuser <passwordhash>" would be the solution, but what hash are we putting here? I presume the hashes aren't salted so what hashing algorithm is used?
How have people done this before? My only other thinking was via the XMLAPI but we really want to do via the CLI if possible, which I'm sure it is.
Thanks
Luke.
10-29-2018 04:51 AM
Hi Luke
With the API you would probably have the same questions. This link should help you in your situation (with an additional command and the algorithms used): https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/device/device-local-user...
10-29-2018 05:53 AM
I did this recently for "mass creating", and MD5 isn't needed, but you do need to break it up into two steps if you want a salted hash.
The article linked above includes the command 'request password-hash', which is half of how you get this done in the CLI (without API). Note that, unlike MD5, if you test the same username/password, you'll get different output from the command, because the salt changes.
admin> set cli pager off
admin> request password-hash username test password bogus
$1$cllheyno$jz2SsGvrE2Gii1xeAVT2d/
admin> request password-hash username test password bogus
$1$xiawogxo$yKAz1IFTDotiOnXIqu9z2.
admin> request password-hash username test password bogus
$1$sumoabmi$tGZkhTpj536dlrfkkaowi.
Then you take the hashes and set them in the configure-mode CLI:
admin> set cli config-output-format set
admin> configure
admin# set shared local-user-database user test phash $1$xiawogxo$yKAz1IFTDotiOnXIqu9z2.
Or in Panorama:
admin# set template YOUR_TEMPLATE config shared local-user-database user test phash $1$sumoabmi$tGZkhTpj536dlrfkkaowi.
10-29-2018 06:24 AM
Hey @JW6224
Thanks very much for that insight; good to know this method also salts the hash. I presume though this hash is still MD5.
The two-step process does take away from the automation that we were looking for, for the trade-off that you get a salted hash. I guess with anything like this, you must weigh up convenience vs the security aspect 😉
Thanks Again,
Luke.
10-29-2018 06:41 AM
Do you want to paste all the users from a pre-generated csv or something like that, or do you use a script anyway?
But even if you want to pre-generate the hashes I assume you can do that without the request password-hash command, you just need to have the salt also in the string that you use as password hash when you generate the user. I did not test it but if you use the same format as the request command generates ...
10-29-2018 06:53 AM
Hi @Remo
The idea was to have everything pre-made in a csv and then dump it into the CLI, using some delay in between commands using Tera Term or something.
You did get me a bit confused with your comment "you just need to have the salt also in the string that you use as password hash when you generate the user." The only parameters that I thought you need for the command were the password hash and the username?
Cheers,
Luke.
10-29-2018 07:40 AM
Now I did confuse myself too 😛
Need to test a little before I write wrong things ...
10-29-2018 02:52 PM
I wasn't able to find out how exactly the salts and hashes are encoded in the output of the "request password-hash" command. Obviously it is not the plain MD5 hash, there is some additional encoding.
With this example:
$1$sumoabmi$tGZkhTpj536dlrfkkaowi
$1 probably is the algorithm, $sumoabmi seems to be the (encoded) salt and $tGZkhTpj536dlrfkkaowi is the salted and hashed password. ( @reaper: do you know how to get the output as provided by the command "request password-hash"?)
So the conclusion is, I think you cannot simply enter a hash with the create user command, you probably need to use the request command. If you're interested I could provide a little PowerShell script that will take the values from a CSV and then create the users for you over the XML API...
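The "$1$salt$digest" layout asked about above is the modular-crypt format: "$1$" is the identifier of the MD5-crypt scheme, the next field is a 1-8 character salt, and the last field is the 16-byte result encoded as 22 characters of crypt-style base64 (so the trailing "." or "/" in the outputs earlier in the thread is part of the digest, not punctuation). The script below is an added example, not code from this thread or from Palo Alto Networks: it parses that layout, implements standard MD5-crypt with a chosen salt, verifies a password against a stored phash in constant time, and turns constructed "username,password" CSV rows into the configure-mode "set ... phash" lines shown earlier, with a fresh random salt per user. It assumes that PAN-OS's phash is plain, unmodified MD5-crypt; the thread does not confirm that, so compare the output of md5_crypt() against a real "request password-hash" result for the same password and salt before relying on it in bulk. The function names, the sample CSV and the template name are all made up for the example. Note that MD5-crypt is fast (1000 fixed MD5 rounds), so the local-database passwords should still be strong ones.

```python
"""Parse, generate and verify "$1$salt$digest" (MD5-crypt) strings.

Added example, not Palo Alto Networks code. Assumption: the PAN-OS phash
format is standard MD5-crypt; confirm against real request password-hash
output before trusting the generated values.
"""
import csv
import hashlib
import hmac
import io
import re
import secrets

# crypt(3) base64 alphabet, used for both the salt and the encoded digest
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# "$1$" + 1-8 char salt + "$" + 22 char encoded digest
PHASH_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")


def parse_phash(phash):
    """Split a "$1$salt$digest" string into (salt, digest); ValueError otherwise."""
    m = PHASH_RE.match(phash)
    if not m:
        raise ValueError(f"not a $1$ (MD5-crypt) hash: {phash!r}")
    return m.group(1), m.group(2)


def _to64(value, count):
    # crypt-style base64: 6 bits per character, least significant bits first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password, salt):
    """Standard MD5-crypt (the FreeBSD/Linux "$1$" algorithm) for a given salt."""
    if not 1 <= len(salt) <= 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 characters from the crypt alphabet")
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:                    # mix in alt, one byte per password byte
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bits = len(pw)
    while bits:                             # bit-walk the password length
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                   # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # digest bytes are interleaved in this fixed order before encoding
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    encoded += _to64(final[11], 2)
    return f"$1${salt}${encoded}"


def verify_phash(phash, password):
    """Recompute with the stored salt and compare in constant time."""
    salt, _ = parse_phash(phash)
    return hmac.compare_digest(md5_crypt(password, salt), phash)


def set_commands_from_csv(csv_text, template=""):
    """Turn 'username,password' rows into configure-mode 'set ... phash' lines.

    Each user gets a fresh 8-character random salt, so the same password never
    yields the same phash twice (the behaviour seen with request password-hash).
    Pass template="NAME" to get the Panorama form of the command instead.
    """
    prefix = f"set template {template} config " if template else "set "
    lines = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
        phash = md5_crypt(row["password"], salt)
        lines.append(f"{prefix}shared local-user-database user {row['username']} phash {phash}")
    return lines


if __name__ == "__main__":
    # constructed sample input, not real credentials
    SAMPLE_CSV = "username,password\ntest,bogus\nalice,Summer-2018!\n"
    for cmd in set_commands_from_csv(SAMPLE_CSV):
        print(cmd)
```

Run the script as-is to see the generated lines, or call verify_phash() with a phash copied from the firewall's own output and the matching password: if it returns True the assumption holds and the CSV-driven generator can replace the interactive two-step process; if it returns False, PAN-OS deviates from standard MD5-crypt and the "request password-hash" route from earlier in the thread remains the one to use.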
01-27-2021 07:06 AM
Hi,
Is there any model script or something where I can run the script and it will create all the users?
I am new here and I couldn't get the clarity, so I just wanted to know how to do the bulk user creation in Palo Alto.
Thanks in advance.😊