Request: add user with password hash

mada3k · February 8, 2020, 1:33pm

And preferably have it visible in configuration as well. Basically all platforms have this since ever.

Example:

/user add name=johndoe group=write hash-sha256=5d5fda4a9d1d0ee505baef750cdfe379dd0cb861

It’s a must when you have multiple devices and you are mandated that all staff shall have their own logins, and you can’t have cleartext passwords laying around. Yes, I know that RADIUS is possible, but RADIUS not always reachable.

spacex · February 8, 2020, 11:55pm

yes i need the same thing too

OlofL · February 20, 2020, 8:55am

Agree with this. Adding password with a hash is very critical, and a dealbreaker when automating big projects.

bpwl · February 20, 2020, 10:55pm

Other vendors ( like Cisco, Fortinet, …) will never allow to inject a user/password (hash) combination for an administrator. This would be a way to either alter or reset the admin password or to inject an user with admin rights and known password. Depending on the hashing technique (and “salt” ) the hash may/should be different for the same username/password combination on different devices, or even on the same device at different instances.

dmayan · June 29, 2021, 7:34pm

+1 We need this ASAP.

thanks

Markusk · August 25, 2021, 8:57am

A Feature we would urgently need

Best Regards

MK

lula · August 25, 2021, 11:08am

+1 Would be a nice feature to manage user with automated scripts

changeip · August 25, 2021, 2:49pm

+1 yes!

rextended · August 25, 2021, 2:58pm

If is not possible, let us export full user database (like certificate database, dude database and user-manager database)
forcefully aes-sha256 password protected
like the “backup” but only with user database.
You have ready 98% of code… simply add a flag on backup “export user only”
and add on restore “import user only”…

psztoch · December 13, 2023, 10:49am

+1 yes!

millenium7 · December 15, 2023, 3:44am

It is stupid that this is still not a thing
If nothing else, hash is extremely useful for identifying vulnerable passwords. I.e. old/outdated/common passwords on devices that should be changed. This is EASILY checked if the hash exists in the config, very simple regex or any other comparator that scans config files. It is a bloody pain in the ass to do it any other way (having to write scripts that attempt logins, generating tons of error trash in the log file)

Ironically including the hash is actually far more secure for the above reason, also to check if a password has successfully changed via mass push, or was unintentionally altered at some point

The smart method is RADIUS logins for all users, monitoring platforms etc and visible hashes for local users. But monitoring/management platforms are gimped without the ability to show hashes of user accounts. FFS mikrotik pull your finger out and include this