Recovering the root password with an agadmin password.
Description:
On an AppGate system the only traditional Unix account available is the root account. The user root has an entry in the Unix system password and shadow files. All other users are handled by the AppGate software, and their passwords are stored in a separate AppGate-specific password file.
The root account, although a normal Unix account, also works slightly differently from a standard Unix system in one respect: using it over the network. It is not possible to log in as root over the network (by ssh or anything else). The only ways to gain root privileges are:
- Do su from an already established command prompt (shell)
- Log in on the physical serial or KVM (Keyboard/Video/Mouse) console.
Recovery process
- Use the AppGate Console and connect as a user with administrator-role membership. If you have lost the password to the agadmin account and all other accounts with administrator-role membership, you must contact AppGate support for further help.
- Transfer the file /etc/shadow from the AppGate system to your local PC
- Edit the file.
Warning! Edit the file with an editor that you are sure does not alter line endings. Don't use Notepad or WordPad! If you are uncertain, install the editor jEdit from http://www.jedit.org/index.php?page=download .
The beginning of the shadow file will look like this:
root:kF/vcqiRp0OQk:6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
smmsp:NP:6445::::::
....
In the above example the string kF/vcqiRp0OQk is the one-way encrypted root password. You cannot decrypt it, but you can change it to a known one. You can use this string:
fZWESpm1AlCqw
and it will give you the simple root password:
pass
- Save the file.
- Transfer the file back to the same position on the AppGate server.
- Using the AppGate Console -> Run commands -> terminal, open a normal terminal window on the AppGate system and become root using the su command and the password pass.
- Change the root password to something better than pass using the command /usr/bin/passwd.rootonly
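The "Edit the file" step can also be scripted so that line endings cannot be altered by an editor. The following Python sketch is an added example, not part of the AppGate documentation; the function names and the .new output suffix are assumptions, and it replaces only root's password field in the local copy of the shadow file.

```python
import re
import sys

# Traditional crypt(3) hash as shown on this page: 13 chars from ./0-9A-Za-z
DES_HASH = re.compile(rb"[./0-9A-Za-z]{13}")

def set_root_hash(data: bytes, new_hash: bytes) -> bytes:
    """Return shadow-file bytes with only root's password field replaced."""
    if b"\r" in data:
        # A CR means some tool already converted the file to CRLF.
        raise ValueError("file contains CR characters; line endings were altered")
    if not DES_HASH.fullmatch(new_hash):
        raise ValueError("replacement is not a 13-character crypt hash")
    lines = data.split(b"\n")
    hits = [i for i, line in enumerate(lines) if line.startswith(b"root:")]
    if len(hits) != 1:
        raise ValueError("expected exactly one root entry, found %d" % len(hits))
    fields = lines[hits[0]].split(b":")
    if len(fields) != 9:
        raise ValueError("root entry does not have 9 colon-separated fields")
    fields[1] = new_hash  # field 2 is the password hash; leave the rest untouched
    lines[hits[0]] = b":".join(fields)
    return b"\n".join(lines)

def patch_file(path: str, new_hash: str) -> None:
    """Write the patched copy to path + '.new' (suffix is this example's choice)."""
    # Binary mode on both sides, so no platform newline translation occurs.
    with open(path, "rb") as fh:
        original = fh.read()
    patched = set_root_hash(original, new_hash.encode("ascii"))
    with open(path + ".new", "wb") as fh:
        fh.write(patched)

if __name__ == "__main__":
    # Usage: python patch_shadow.py shadow fZWESpm1AlCqw
    patch_file(sys.argv[1], sys.argv[2])
```

Compare the .new file with the original before transferring it back: only the root line should differ, and the file size should be unchanged.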