
Mass creating local-db users from CLI


L5 Sessionator

Hi Community,


We wish to add a batch of users to the local database, I'm just wondering if anyone has had experience with scripting this or doing this in batch.

 

With the command "set shared local-user-database user testuser" it requires separate user input to add the password so this is out of the question.

 

I thought the command "set shared local-user-database user testuser <passwordhash>" would be the solution, but what hash are we putting here? I presume the hashes aren't salted so what hashing algorithm is used?

 

How have people done this before? My only other thinking was via the XMLAPI but we really want to do via the CLI if possible, which I'm sure it is.

 

Thanks

Luke.


L7 Applicator

Hi Luke

 

With the API you would probably have the same questions. This link should help you in your situation (with an additional command and the algorithms used): https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/device/device-local-user...

Hi @Remo

 

Perfect! Many thanks for the response, MD5 hashing works as expected.

 

Thanks,

Luke.

 

 

L2 Linker

I did this recently for "mass creating", and MD5 isn't needed, but you do need to break it up into two steps if you want a salted hash.

The article linked above includes the command 'request password-hash', which is half of how you get this done in the CLI (without API). Note that, unlike MD5, if you test the same username/password, you'll get different output from the command, because the salt changes.

 

admin> set cli pager off
admin> request password-hash username test password bogus

$1$cllheyno$jz2SsGvrE2Gii1xeAVT2d/

admin> request password-hash username test password bogus

$1$xiawogxo$yKAz1IFTDotiOnXIqu9z2.

admin> request password-hash username test password bogus

$1$sumoabmi$tGZkhTpj536dlrfkkaowi.

 

 

Then you take the hashes and set them in the configure-mode CLI:

 

admin> set cli config-output-format set
admin> configure
admin# set shared local-user-database user test phash $1$xiawogxo$yKAz1IFTDotiOnXIqu9z2.

 

Or in Panorama:
admin# set template YOUR_TEMPLATE config shared local-user-database user test phash $1$sumoabmi$tGZkhTpj536dlrfkkaowi.

 

Hey @JW6224

 

Thanks very much for that insight; good to know this method also salts the hash too. I presume though this hash is still MD5.

 

The two-step process does take away from the automation that we were looking for, for the trade-off that you get a salted hash. I guess with anything like this, you must weigh up convenience vs the security aspect 😉

 

Thanks Again,

Luke.

@LukeBullimore

Do you want to paste all the users from a pre-generated CSV or something like that, or do you use a script anyway?

But even if you want to pre-generate the hashes, I assume you can do that without the request password-hash command; you just need to have the salt also in the string that you use as the password hash when you generate the user. I did not test it, but if you use the same format as the request command generates ...
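An added example, not code from this thread or from Palo Alto Networks, that does in one step what the two posts above describe: it pre-generates the salted "$1$" string locally (so the salt travels inside the string, as Remo suggests) and emits the configure-mode "set ... phash" lines in the form JW6224 posted, plus the Panorama template form. It assumes that request password-hash produces standard MD5-crypt (the "$1$" prefix is the modular-crypt-format identifier for MD5-crypt, and the hashes above have its exact shape: an 8-character salt and a 22-character body), that the username is not mixed into the hash, and that the CSV has "username,password" columns. The CSV rows and the template name YOUR_TEMPLATE are constructed for the example.

```python
import csv
import hashlib
import io
import secrets

# Alphabet MD5-crypt uses for both the salt and the base64-like hash body.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"  # modular-crypt-format identifier for MD5-crypt

# Constructed sample input for the example; in practice read the CSV from a file.
SAMPLE_CSV = """username,password
alice,correct horse battery staple
bob,Tr0ub4dor&3
"""


def _to64(value: int, n: int) -> str:
    """Emit n characters of 6 bits each, least-significant group first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(n))


def md5_crypt(password: str, salt: str) -> str:
    """Standard MD5-crypt ($1$), as in FreeBSD's crypt(3); 1000 stretching rounds."""
    pw = password.encode()
    sb = salt[:8].encode()  # MD5-crypt uses at most 8 salt characters
    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    # Mix in the alternate digest, 16 bytes per 16 bytes of password length.
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    # One byte per bit of the password length: NUL for 1 bits, pw[0] for 0 bits.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # Stretching loop; what gets fed in depends on round parity, mod 3 and mod 7.
    for r in range(1000):
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    # Digest bytes are rearranged in a fixed order before the 6-bit encoding.
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    body = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    )
    body += _to64(final[11], 2)
    return f"$1${sb.decode()}${body}"


def new_salt() -> str:
    """Fresh random 8-character salt; this is why one password hashes differently each run."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def verify(password: str, phash: str) -> bool:
    """Recompute with the salt carried inside phash and compare in constant time."""
    parts = phash.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return secrets.compare_digest(md5_crypt(password, parts[2]), phash)


def set_commands(csv_text: str, template: str = "") -> list:
    """Turn username,password rows into the configure-mode set lines from the thread.

    With a template name the Panorama form (set template ... config ...) is emitted.
    """
    prefix = f"set template {template} config" if template else "set"
    lines = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        phash = md5_crypt(row["password"], new_salt())
        lines.append(
            f"{prefix} shared local-user-database user {row['username']} phash {phash}"
        )
    return lines


if __name__ == "__main__":
    # Paste the output into the CLI (set cli pager off first, as in the thread).
    print("set cli config-output-format set")
    print("configure")
    for line in set_commands(SAMPLE_CSV):
        print(line)
    for line in set_commands(SAMPLE_CSV, template="YOUR_TEMPLATE"):
        print(line)
```

Before trusting the generated strings on a real firewall, check the assumption against the device: md5_crypt("bogus", "cllheyno") should reproduce the first hash JW6224 posted if request password-hash is plain MD5-crypt, and a test user created with a generated phash should be able to log in. MD5-crypt is what the platform consumes here, but it is a fast, dated construction, so the CSV of cleartext passwords is the sensitive artefact: keep it off shared storage and delete it once the set lines are generated.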

Hi @Remo

 

The idea was to have everything pre-made in a csv and then dump it into the CLI, using some delay in between commands using Tera Term or something.

 

You did get me a bit confused with your comment "you just need to have the salt also in the string that you use as the password hash when you generate the user." The only parameters that I thought you need for the command were the password hash and the username?

 

Cheers,

Luke.

 

 

Hi @LukeBullimore

 

Now I did confuse myself too 😛

Need to test a little before I write wrong things ...

L7 Applicator

Hi @LukeBullimore

 

I wasn't able to find out how exactly the salts and hashes are encoded in the output of the "request password-hash" command. Obviously it is not the plain MD5 hash, there is some additional encoding.

With this example:

$1$sumoabmi$tGZkhTpj536dlrfkkaowi.

$1 probably is the algorithm, $sumoabmi seems to be the (encoded) salt and $tGZkhTpj536dlrfkkaowi. is the salted and hashed password. ( @reaper: do you know how to get the output as provided by the command "request password-hash"?)

 

So the conclusion is, I think you cannot simply enter a hash with the create user command, you probably need to use the request command. If you're interested I could provide a little PowerShell script that will take the values from a CSV and then create the users for you over the XML API...

Hi,

 

Is there any model script or something where I can run the script and it will create all the users.

 

I am new here and I couldn't get the clarity, so I just wanted to know how to do the bulk user creation in Palo Alto.

 

Thanks in advance.😊
