Configuring System Passwords in Gaia Clish

Important - On Scalable Platforms (Maestro and Chassis), you must run the applicable commands in Gaia gClish of the applicable Security Group.

Best Practice - For security reasons, configure different passwords for the Expert mode and for GRUB.

Configuring the Expert mode password

Description

The Expert mode password protects the Expert shell against unapproved access.

The default Gaia shell is called clish.

Gaia Clish is a restrictive shell (role-based administration controls the number of commands available in the shell).

While the use of Gaia Clish is encouraged for security reasons, Gaia Clish does not give access to low level system functions.

For low-level configuration, use the more permissive Expert mode shell. In addition, see sk144112.

  • To enter the Expert shell, run in Gaia Clish: expert

  • To exit from the Expert shell and go back to Gaia Clish, run: exit

Note - If Gaia Clish supports a command, running the corresponding command in the Expert mode is not supported.

For example, to work with interfaces, Gaia Clish provides the commands "show interface" and "set interface".

Therefore, it is not supported to run the ifconfig command in the Expert mode.

Note - There is no default password for the Expert mode. You must configure a password for the Expert mode before you can use it.

Syntax to configure an Expert mode password in plain text

set expert-password

The password must contain at least 6 characters.

Syntax to configure an Expert mode password as a salted hash

set expert-password-hash <Hash String>

Important - You must run the "save config" command to save the new Expert mode password permanently.

Parameters

Parameter: hash <Hash String>

Description: The password as an MD5, SHA256, or SHA512 salted hash instead of plain text (the password string must contain at least 6 characters).

Use this option when you upgrade or restore using backup scripts.

You can generate the hash of the password with the "cpopenssl" command (run: cpopenssl passwd -help).

To configure the default hash algorithm, see:

Best Practice - Do not use MD5 hash because it is not secure.

Notes:

  • Format:

    $<Hash Standard>$<Salt>$<Encrypted>

  • The length of this hash string must be less than 128 characters.

  • <Hash Standard>

    One of these digits:

    • 1 = MD5

    • 5 = SHA256

    • 6 = SHA512

  • <Salt>

    A string of these characters:

    a-z A-Z 0-9 . / [ ] _ ` ^

    The length of this string must be between 2 and 16 characters.

  • <Encrypted>

    A string of these characters:

    a-z A-Z 0-9 . / [ ] _ ` ^

    The length of this string must be:

    • For MD5, less than 22 characters.

    • For SHA256, less than 43 characters.

    • For SHA512, less than 86 characters.

Configuring the GRUB password

Description

The GRUB password protects the GRUB menu and GRUB terminal.

Gaia asks for this password when you boot into the Maintenance Mode and revert Gaia snapshots.

Important:

  • You must configure a GRUB password before you boot into the Maintenance Mode or revert a Gaia snapshot.

  • If you do not know your GRUB password, and Gaia does not boot into the Normal Mode, you must contact Check Point Support.

Syntax to configure a GRUB password in plain text

set grub2-password

The password must contain at least 6 characters.

Syntax to configure a GRUB password as a SHA512 salted hash

set grub2-password-hash <Hash String>

Use the salted hash configuration when you upgrade or restore with user-defined shell scripts.

Important - Gaia saves the new GRUB password automatically.

Parameters

Parameter: hash <Hash String>

Description: The password as a SHA512 salted hash instead of plain text.

Notes:

  • To get a hash string for a password, run this command in the Expert mode:

    grub2-mkpasswd-pbkdf2

  • Format of the hash string:

    grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum>

  • The length of this hash string must be between 282 and 512 characters.

  • grub.pbkdf2.sha512

    A constant string.

  • <Rounds>

    The number of iterations, stored in decimal format. In Gaia OS, this number is always 10000.

  • <Salt>

    The salt, encoded as upper-case hexadecimal digits.

    The length of this string must be 128 characters.

  • <Checksum>

    The resulting derived key, encoded as upper-case hexadecimal digits.

    The length of this string must be 128 characters.
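The hash-string format above, as an added example that is not part of Check Point's documentation: a Python reimplementation of the PBKDF2-HMAC-SHA512 derivation that grub2-mkpasswd-pbkdf2 performs, which builds a grub.pbkdf2.sha512 string, checks it against every constraint listed here before it is fed to "set grub2-password-hash" in a restore script, and verifies a password against a stored string. The sample password and the fixed salt used in the test are constructed.

```python
import hashlib
import hmac
import re
import secrets

GRUB_PREFIX = "grub.pbkdf2.sha512"
GRUB_ROUNDS = 10000       # Gaia always stores this iteration count
GRUB_SALT_BYTES = 64      # 64 bytes -> 128 upper-case hex digits
GRUB_KEY_BYTES = 64       # 64 bytes -> 128 upper-case hex digits

# <Rounds> in decimal, <Salt> and <Checksum> as exactly 128 upper-case hex digits.
_GRUB_RE = re.compile(r"grub\.pbkdf2\.sha512\.(\d+)\.([0-9A-F]{128})\.([0-9A-F]{128})")


def make_grub_hash(password, salt=None):
    """Build grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum> for a password.

    Standard PBKDF2-HMAC-SHA512 over the UTF-8 password with a raw 64-byte salt;
    pass a fixed salt only for reproducible tests, otherwise a random one is drawn.
    """
    salt = secrets.token_bytes(GRUB_SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, GRUB_ROUNDS, GRUB_KEY_BYTES)
    return f"{GRUB_PREFIX}.{GRUB_ROUNDS}.{salt.hex().upper()}.{key.hex().upper()}"


def check_grub_hash(hash_string):
    """Return True if the string meets the documented Gaia constraints."""
    if not 282 <= len(hash_string) <= 512:    # documented total length bounds
        return False
    m = _GRUB_RE.fullmatch(hash_string)
    return m is not None and int(m.group(1)) == GRUB_ROUNDS


def verify_grub_password(password, hash_string):
    """Recompute the checksum from the stored salt and compare in constant time."""
    m = _GRUB_RE.fullmatch(hash_string)
    if m is None:
        return False
    rounds, salt_hex, checksum_hex = m.groups()
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), bytes.fromhex(salt_hex),
                              int(rounds), len(checksum_hex) // 2)
    return hmac.compare_digest(key.hex().upper(), checksum_hex)


if __name__ == "__main__":
    h = make_grub_hash("Example-Pass-123")   # constructed sample password
    print(h)
    print("format ok:", check_grub_hash(h), "verify ok:", verify_grub_password("Example-Pass-123", h))
```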