Password hash generated by CLI command differs from the one displayed in the configuration file
Created On 04/22/20 04:48 AM - Last Modified 06/09/20 20:35 PM
Question
When we generate a password hash with the "request password-hash" CLI command, the string returned is different from the one displayed in the configuration file (e.g. running-config.xml).
Which is the correct hash to use for API calls?
Here is a sample with Username: test and Password: admin.
- Response string for "request password-hash" CLI command:
admin@pa-vm> request password-hash username test password admin
$1$appvmuym$Pv82iB/MCFXwOSNT4rE8N.
- Record in configuration file:
<mgt-config>
<users>
<entry name="test">
<phash>$1$nckeshrp$IsriK.sbWJQNgVqZlqktd0</phash>
</entry>
</users>
</mgt-config>
Environment
- Palo Alto Firewall.
- Any PAN-OS.
Answer
When you use a password hash in the API or Panorama, you must use the hash value generated by the "request password-hash" CLI command.
The difference is expected behavior, because a specific salt is used in the cryptographic function that generates the phash.
Additional Information
Sample situation in Knowledge Base article:
How to Change the Password of Administrative Users via XML API