Password hash generated by the CLI command differs from the one displayed in the configuration file

Created On 04/22/20 04:48 AM - Last Modified 06/09/20 20:35 PM


Question


When we generate a password hash with the "request password-hash" CLI command, the string it returns differs from the one displayed in the configuration file (e.g. running-config.xml).
Which is the correct hash to use for API calls?

Here is a sample with Username: test and Password: admin.
  • Response string for "request password-hash" CLI command:
admin@pa-vm> request password-hash username test password admin

$1$appvmuym$Pv82iB/MCFXwOSNT4rE8N.
  • Record in configuration file:
<mgt-config>
  <users>
    <entry name="test">
      <phash>$1$nckeshrp$IsriK.sbWJQNgVqZlqktd0</phash>
    </entry>
  </users>
</mgt-config>


Environment


  • Palo Alto Firewall.
  • Any PAN-OS.


Answer


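When you use a password hash in the API or Panorama, use the hash value generated by the "request password-hash" CLI command.

The difference is expected behavior: a specific salt is used to generate each phash, so the same password produces a different hash string when the salt differs. In the sample above the salt is the field after "$1$" (appvmuym from the CLI, nckeshrp in the configuration file).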


Additional Information


Sample situation in Knowledge Base article:
How to Change the Password of Administrative Users via XML API