I was running v6.48 with default login (user: admin, pass: ) in a safe controlled environment and decided to upgrade to v6.49. After the upgrade completed I still logged in fine with the default login, to be greeted with a skippable screen suggesting setting a new password. I cancelled the screen and continued, minding my own business and agenda. That repeated several times.
After a while I attempted to log into the same device again and was rejected with a message “invalid username or password” (via winbox / webfig / ssh / telnet). The same story happened on one other physical device and one virtual CHR that was powered off in the meantime. What I am trying to hint at here is that there is no realistic way someone else logged in and set a password. It’s quite obvious v6.49 acts shady like this due to a design decision or a bug.
How do I reclaim admin access to my devices? Tried older winbox with legacy mode, tried power cycling the device and blocking access to the NTP server to make it think it’s 1970. To no avail.
This thread also mentions that the password-changing screen is skippable: http://forum.mikrotik.com/t/7-1rc2-expired-password-can-be-ignored/151538/1 Heck, if something is skippable it’s expected to be skipped with no massively negative consequences. If Mikrotik turns into Apple, wanting to dictate to users how to use or not use the devices they purchased, they should at an absolute minimum do a great job on their part. Want to enforce a password change? Weird but alright, enforce it, but don’t allow the process to be interrupted or skipped, and be very clear and display alerts. How difficult is it to put a note in the release notes saying “WARNING: password policy changes, users who use default login and don’t set a new password within XX days after upgrading will lose access to their devices!”.
haha… I was testing some configuration lately, I think it was on a 952, and after the upgrade I skipped the password because I would reset the device again either way… as I remember, nothing kept me locked out of the device…
You are not aware of… Okay, thanks for contribution and unsolicited mentoring. Security steps aside, you missed the point - ROS seemingly introduced a breaking change that hasn’t been properly communicated.
Only two options:
A: not a “safe controlled environment” and someone else changed the password.
B: you changed the password or restored a backup containing a password and Alzheimer wants to know your location.
A - Could have hypothetically happened on a physical device that runs 24/7. My first device is like that; it ran in the same setup and environment a year non-stop prior to the incident. The only changes were ROS upgrades, the last being 6.49. And the same happened to the CHR image @ VirtualBox on my machine in a completely different environment and usage. I powered that one on for short periods of time and then switched it off. Again, the last change was the upgrade to 6.49; after that the default login stopped working. Strange coincidence.
B - Those are not my usage patterns. Haven’t done backup/restore for sure. Alzheimer more likely.
All this happened to several devices in two private environments, around the same date. And the biggest coincidence - not long after they had all been upgraded to 6.49. The same 6.49 that brought modifications related to the handling of expired passwords and blank passwords, as mentioned in the changelog:
*) user - added "expired" user status with suggestion to change password (WinBox v3.29 required);
*) user - show "expired password" prompt for users with blank password;
Yeah, I will eventually resort to performing a netinstall and restoring from backup on the physical devices. Right now it’s inconvenient because of distance and weather conditions.
tried power cycling device and blocking access to NTP server to make it think it’s 1970.
I have always seen RouterOS start from the previous shutdown date/time, 1970 is only for the first startup.
Maybe fiddle with the NTP source time, to go back in time.