Can't set password with certain special chars from command line

I'm running RouterOS 6.49.2 on an RB450Gx4.
I am able to set a user password containing special characters such as caret, question mark, and apostrophe using WebFig and WinBox.
However, I cannot make it work from the command line. For example:
/user add name=abcde password=q?9^'pcT5jZ*z group=full
yields an error.

I have tried this surrounding it with quotes but it will not work either:
/user add name=abcde password="q?9^'pcT5jZ*z" group=full

Entering q?9^'pcT5jZ*z into WebFig works just fine.

How do I make this work or is this a bug?
thanks
oldunixguy

/user add name=abcde password="q9^'pcT5jZ*z" group=full

Works for me on the same rOS version

Escape the question mark using a \, the same as you'd have to escape a $ or a ".

Or create the user with a bogus password, and then use /user edit abcde password to set the one you really want.

(Just a joke: or upgrade to RouterOS 7 where the ? has been replaced by [F1] for invocation of the help.)

So to be clear, when entering data into WinBox or WebFig fields for the password one does NOT need to escape anything?
And when one uses command line:
/user edit abcde password
or
/user add name=abcde password=q?9^'pcT5jZ*z group=full
which special characters need to be escaped? Do " and ' need escaping in addition to ?? How about an equal sign in the password?
Does one escape a backslash \ in the password with a second backslash?

Does
/user add name=abcde password=q?9^'pcT5jZ*z group=full
need to have quotation marks around the entire password like this:
/user add name=abcde password="q?9^'pcT5jZ*z" group=full
Or does that just put quotes into the actual password?

I ask because I am having trouble with specials ONLY through the command line. All those specials in this example work literally without escaping or quoting from WinBox and WebFig.

For example, what if /user add name=abcde password=q?9^'pcT5jZ*z group=full doesn't create a command entry error BUT it only stores a portion of the specified password? Then when I enter the same password at login time it too only takes a portion and passes the check even though the whole password is NOT used! In other words, how do we know we are getting the long, rich-charactered password we want?

The reason I ask this is because I have found a number of internet sites over the years that are broken in this way and they delude the user into thinking they have a long, rich password when it really recorded and later checks a subset because of bugs like this. I have also found more sites that accept long rich passwords at creation but fail to store them in their d.b. correctly (truncated on specials, etc) and will never succeed a compare at login. I have similarly seen the creation and storage is correct but entry processing at login is input truncated on specials and will never succeed.

I will try to do more testing to see if I can prove all of this works…

thanks
oldunixguy

Just a thought …

Special chars in passwords only stop humans. The time that MS encrypted every 7 chars as a block is long gone, so is the need for more HEX values in one position.
A very long password now is just as secure for computer augmented attacks, as the human unfriendly special char password.

In the old days I had backspace, ctrl-S, ctrl-Q, DC1,DC2, DC3, DC4, ESC, … and other ctrl characters in my passwords.
Code page mapping for éèàïçäñ… etc helped as well.

For /user add name=abcde password=q?9^'pcT5jZ*z group=full the correct syntax, on the TERMINAL only, is:
/user add name="abcde" password="q\?9^'pcT5jZ*z" group="full"
/user add name="abcde" password="q?9^'pcT5jZ*z" group="full"
The only characters usable on the terminal are:

[SPACE] ! " # $ % & ' ( ) * + , - . / 0...9 : ; < = > ? @ A..Z [ \ ] ^ _ ` a..z { | } ~

Some localized keyboards do not have some symbols; for example, the Italian keyboard does not have ` and ~.
For some reason the terminal does not accept Alt+code for inserting those characters, e.g. it does not accept Alt+<Keypad 1, Keypad 2, Keypad 6> for the ~.
Various methods can be used to paste or type it directly on the terminal, but unsupported characters remain unsupported.

A good method is to put the string inside quotes every time, except when it is obtained directly from a variable/function.

All special characters must be put inside quotes, or, for one reason or another, they cause errors.
Some characters must be escaped:
" if used as a character, and not to delimit a string, must be escaped like \"
$ if used as a character, and not to start a variable or function name, must be escaped like \$
? on the RouterOS 6.x terminal must be escaped with \ like \? (a stored script inside script, scheduler, dhcp, ppp profiles, etc. does not need to escape the ?)
\ is the escape symbol; to use \ as a character instead, escape it like \\

All the others must not be used, because the RouterOS terminal does not support the remaining characters and the 16-bit chars.


To set a password (with one space at the start) like

 !"#$%&'()*+,-./09:;<=>?@AZ[\]^_`az{|}~

add a backslash before quote, dollar, question mark and backslash:

/user add group="full" name="usethedamnquotesforstrings" password=" !\"#\$%&'()*+,-./09:;<=>\?@AZ[\\]^_`az{|}~"

add a backslash before quote, dollar and backslash, NOT before the question mark:

/user add group="full" name="usethedamnquotesforstrings" password=" !\"#\$%&'()*+,-./09:;<=>?@AZ[\\]^_`az{|}~"

or put the input directly into the field without escapes or quotes (there is one space at the start of the string):

 !"#$%&'()*+,-./09:;<=>?@AZ[\]^_`az{|}~
Some other codes visible in exports:
\ before one [SPACE] or [TAB] or [carriage-return] or [line-feed]
means the script continues at the next non-white-space character (all space, tab, carriage return and line feed are ignored). Often used by "export".
\_ = [SPACE] when a significant space could be confused with an insignificant [SPACE]
\t = [TAB] when a significant [TAB] could be confused with an insignificant [TAB]
\r = [carriage-return] when a significant [CR] could be confused with an insignificant [CR]
\n = [line-feed] when a significant [LF] could be confused with an insignificant [LF]

Example

/system script
add name=test owner=\
    admin source=":put\
    \_\"test tab and cr/lf \
    \t\r\
    \n\"\r\
    \n:put \"hey\""

Simple way, if you are not sure how something should be entered using CLI, enter it somewhere in WinBox/WebFig and export it in CLI, e.g. if I create a dummy firewall rule with “q?9^'pcT5jZ*z” as comment, export will give me:

/ip firewall raw
add action=accept chain=output comment="q\?9^'pcT5jZ*z"

And that can be used for other commands.

Very important thing is to stay away from any characters beyond basic 7-bit ASCII, because RouterOS has zero support for character sets (negative support could be even more fitting term). It may seem to work, but it doesn’t. If you enter something special, RouterOS sees it as some bytes, and it’s not even consistent between different interfaces.

For example, I want comment with “ěščřžýáíé”:

  • When entered in WinBox, it will show correctly in WinBox, exports as “\EC\9A\E8\F8\9E\FD\E1\ED\E9” (correct for cp1250 used by my Windows), but WebFig shows it as “ìšèøžýáíé”
  • When entered in WebFig, it will show as “a Y~ýáíé” in both WebFig and WinBox and exports as “\1Ba\rY~\FD\E1\ED\E9”, which is a complete mess and I'm not sure what exactly happened there
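The quoting rules from the terminal-syntax post above (wrap in double quotes; escape \, ", $ and, on the 6.x interactive terminal, ?) and the 7-bit ASCII warning from the last post can be turned into a small helper so you do not hand-escape a password and wonder what was actually stored. The following is an added example, not code from the thread or from MikroTik; the function names are this example's own, and it assumes that the two-hex-digit escapes printed by export (such as \EC) are raw byte values in whatever code page the entering client used. It also decodes the export format (\_, \t, \r, \n, hex bytes and backslash-whitespace line continuation) so the /system script export quoted earlier can be read back.

```python
"""Quote strings for the RouterOS 6.x terminal and decode export escapes.

Added example, not code from the forum thread or from MikroTik. It encodes
the rules given in the thread: wrap every string in double quotes; escape
backslash, double quote, dollar and (on the v6 interactive terminal only)
question mark with a backslash; refuse anything outside printable 7-bit
ASCII because RouterOS does no character-set handling. Function names are
this example's own. Two-hex-digit export escapes such as \\EC are assumed
to be raw byte values in whatever code page the entering client used.
"""
import string

HEX = set(string.hexdigits)


def unsupported_chars(value: str) -> list:
    """Characters the terminal cannot take: anything outside space..tilde."""
    return sorted({c for c in value if not 0x20 <= ord(c) <= 0x7E})


def ros_quote(value: str, interactive_v6: bool = True) -> str:
    """Return value as a double-quoted RouterOS string literal."""
    bad = unsupported_chars(value)
    if bad:
        raise ValueError(f"not accepted by the RouterOS terminal: {bad!r}")
    escaped = []
    for c in value:
        if c in '\\"$':
            escaped.append("\\" + c)
        elif c == "?" and interactive_v6:
            # The v6 terminal treats a bare ? as a help request.
            escaped.append("\\?")
        else:
            escaped.append(c)
    return '"' + "".join(escaped) + '"'


def user_add_command(name: str, password: str, group: str = "full",
                     interactive_v6: bool = True) -> str:
    """Compose /user add with every string argument quoted."""
    def q(s):
        return ros_quote(s, interactive_v6)
    return f"/user add name={q(name)} password={q(password)} group={q(group)}"


# Single-character escapes seen in exports; \_ is a significant space.
SIMPLE_ESCAPES = {"\\": "\\", '"': '"', "$": "$", "?": "?", "_": " ",
                  "t": "\t", "r": "\r", "n": "\n"}


def ros_unquote(literal: str) -> str:
    """Decode a double-quoted literal as printed by /export.

    Handles the simple escapes above, backslash-whitespace line continuation
    (everything up to the next non-white-space is skipped) and \\XX hex byte
    escapes, returned as the character with that code point so the caller
    can re-encode with .encode("latin-1") and decode in the right code page.
    """
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("expected a double-quoted literal")
    body = literal[1:-1]
    out = []
    i = 0
    while i < len(body):
        c = body[i]
        i += 1
        if c != "\\":
            out.append(c)
            continue
        if i >= len(body):
            raise ValueError("dangling backslash")
        n = body[i]
        if n in SIMPLE_ESCAPES:
            out.append(SIMPLE_ESCAPES[n])
            i += 1
        elif n in " \t\r\n":
            # Line continuation: skip all following white space.
            while i < len(body) and body[i] in " \t\r\n":
                i += 1
        elif i + 1 < len(body) and body[i] in HEX and body[i + 1] in HEX:
            out.append(chr(int(body[i:i + 2], 16)))
            i += 2
        else:
            raise ValueError(f"unknown escape \\{n}")
    return "".join(out)


# The /system script export quoted in the thread, as one Python string.
EXPORT_SOURCE = (
    '":put\\\n    \\_\\"test tab and cr/lf \\\n    \\t\\r\\\n'
    '    \\n\\"\\r\\\n    \\n:put \\"hey\\""'
)

if __name__ == "__main__":
    print(user_add_command("abcde", "q?9^'pcT5jZ*z"))
    print(repr(ros_unquote(EXPORT_SOURCE)))
```

Running the block prints the /user add line with the password quoted as `"q\?9^'pcT5jZ*z"`, the same form the firewall-comment export above produced, and decodes the script export to the two :put lines it contains. Round-tripping a candidate password through ros_quote and ros_unquote before pasting it, or comparing your own ros_quote output against what /export prints afterwards, is the check the original poster was after: if the two differ, something was swallowed on the way in.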