FortiGate
satoh
Staff
Article Id 424308
Description

This article describes how to ensure PBKDF2 is used to hash administrator passwords after upgrading FortiOS.

Scope

FortiGate v7.2, v7.4, v7.6.
Solution

Starting from FortiOS v7.2.11, 7.4.8, and 7.6.1, the hash function used to securely store firewall administrator credentials in configuration is updated from SHA256 to PBKDF2.


When first upgrading from an earlier version, administrator passwords are still stored as SHA256 hashes until the matching administrator logs in successfully.


Notes:

  • In FortiOS v7.2.10, v7.4.7, v7.6.0, and earlier, the hash function is SHA256.
  • 'SH2' denotes SHA256.
  • 'PB2' denotes PBKDF2.

 

Example configuration after upgrade (FortiOS v7.2.11):

In this example, the built-in administrator 'admin' has already logged in to the firewall successfully, so the associated credential was automatically updated.

 

config system admin
    edit "admin"                                        <----- Default admin.
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PB2Ow+O8B  -----snip-----   <----- PBKDF2.
    next
    edit "test_super_admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2aZtOA   -----snip-----    <----- SHA256, same as previous firmware.
    next
    edit "test_prof_admin"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC SH2r7JR7v  -----snip-----    <----- SHA256, same as previous firmware.
    next
end

To enforce a PBKDF2 hash for all administrators:

  1. Require all administrators to log in to the firewall at least once on the updated firmware version.
  2. Manually update the password of any remaining administrators using a super_admin account.

 

FortiGate # config system admin

FortiGate (admin) # edit test_super_admin

FortiGate (test_super_admin) # set password <new_password>
Please enter current administrator password: ******** <----- Password of logged in administrator.

FortiGate (test_super_admin) # show
config system admin
    edit "test_super_admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PB2N/Htll  -----snip-----   <----- PBKDF2.
    next
end

FortiGate (test) # next

FortiGate (admin) # end

 

Note:

For backwards compatibility, by default the previous SHA256 hashes remain stored in the hidden 'old-password' setting after the password setting is updated to a PBKDF2 hash. The 'old-password' setting is not visible to administrators logged in to the firewall, but can be observed in a configuration backup taken by a super_admin.

 

config system admin
    edit "admin"
        set old-password ENC SH2G6rKGG -----snip-----   <----- SHA256.
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PB2Ow+O8B  -----snip-----   <----- PBKDF2.
    next
...
end
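Because an administrator can appear fully migrated in the CLI while a SHA256 hash still sits in the hidden 'old-password' setting, the quickest way to verify the state described above is to audit a configuration backup. The following script is an added example written for this article, not Fortinet code: it parses the 'config system admin' block of a backup, classifies each stored hash by its 'SH2'/'PB2' prefix, lists administrators that still hold a SHA256 hash in either setting, and checks whether the lockout setting that purges the old hashes is enabled. The sample configuration and hash values are constructed placeholders.

```python
import re

# Constructed sample of a FortiGate configuration backup; the hash values are
# placeholders, not real credentials.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set old-password ENC SH2placeholderOldHash
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PB2placeholderNewHash
    next
    edit "test_super_admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2placeholderLegacyHash
    next
end
config system password-policy
    set login-lockout-upon-weaker-encryption enable
end
"""

# Prefixes FortiOS uses for stored administrator password hashes.
HASH_PREFIXES = {"SH2": "SHA256", "PB2": "PBKDF2"}

_ADMIN_BLOCK = re.compile(r"^config system admin\n(.*?)^end$", re.S | re.M)
_EDIT_ENTRY = re.compile(r'^\s*edit "([^"]+)"\n(.*?)^\s*next$', re.S | re.M)
_HASH_LINE = re.compile(r"^\s*set (password|old-password) ENC (\S+)", re.M)
# Either name of the setting: 7.6.x uses weaker-encryption, 7.2.x/7.4.x downgrade.
_LOCKOUT = re.compile(
    r"^\s*set login-lockout-upon-(weaker-encryption|downgrade) enable", re.M)


def audit_admin_hashes(config_text):
    """Map each administrator to {setting: algorithm} for its stored hashes."""
    block = _ADMIN_BLOCK.search(config_text)
    if not block:
        return {}
    report = {}
    for name, body in _EDIT_ENTRY.findall(block.group(1)):
        report[name] = {setting: HASH_PREFIXES.get(enc[:3], "unknown")
                        for setting, enc in _HASH_LINE.findall(body)}
    return report


def admins_with_sha256(config_text):
    """Administrators still holding a SHA256 hash in password or old-password."""
    return sorted(name for name, creds in audit_admin_hashes(config_text).items()
                  if "SHA256" in creds.values())


def lockout_on_weaker_encryption_enabled(config_text):
    """True if the setting that removes the retained SH2 hashes is enabled."""
    return _LOCKOUT.search(config_text) is not None
```

In the sample, 'admin' is reported even though its 'password' is already PBKDF2, because its 'old-password' still carries the SHA256 hash until the lockout setting is enabled.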

 

To fully remove SH2 hashes stored in old-password, enable the 'login-lockout-upon-weaker-encryption' setting in system password-policy. A warning appears asking the administrator to confirm the configuration change. In FortiOS v7.2.x and v7.4.x, the equivalent setting is 'login-lockout-upon-downgrade'.

 

config system password-policy
    set login-lockout-upon-weaker-encryption enable
end
The setting "login-lockout-upon-weaker-encryption" enhances the resistance of stored passwords against brute force attacks.
Once enabled, changing the FortiOS firmware to a version where safer passwords are unsupported will lock out administrative users.
Do you want to continue? (y/n)y

 

Related documents:

New features or enhancements 7.2.11

Enhanced administrator password security 7.6.5

Troubleshooting Tip: Unable to login with local administrator after upgrade from FortiOS v7.2.11 to ...