What are missing in /export and why. Bug?

Jotne · October 1, 2022, 6:39am

I do see that RouterOS does not export system users. (tested on 6.49.9 7.5 7.6beta10)

As you see here, no users show in /export

/export
# oct/01/2022 06:32:54 by RouterOS 7.6beta10
# software id = 
#
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/ip dhcp-client
add interface=ether1
/system identity
set name=M-7.6b10

But /user/export do show the users

/user/export
# oct/01/2022 06:34:05 by RouterOS 7.6beta10
# software id = 
#
/user
add comment="system default user" group=full name=admin
add group=full name=demo
add group=read name=user

Why does not /export show the users and what other stuff are missing in an export?

I would also like to see the user password in /export show-sensitive
Not to important, but that is what show-sensitive are made for?

millenium7 · October 1, 2022, 6:45am

Yeah its a crap design decision/issue/bug/feature from MikroTik. I would REALLY REALLY REALLY REALLY like for all user accounts including MD5/SHA hashes of passwords to be included in /export
It’s way too easy to replace a faulty router, load the backup config and ‘forget’ to change the user details, potentially exposing a router with admin/blank
It’s also impossible to audit passwords. If user accounts AND hashes were included then known hashes for old/insecure passwords (i.e. core staff leaving and certain routers needing local passwords changed) could be automatically checked and a notification raised if it wasn’t changed
I can go ahead and put a mass password change, but I can’t audit it and actually verify it happened

I really hope this is ‘fixed’ and hashes get included with config at some point
Other things that aren’t included (such as certificate files) I feel probably shouldn’t be included in a config, but again a hash would be nice so that if restoring a config, it can be verified after applying to see what was missed. The certificate itself doesn’t need to be in the config, but if it was a hash (calculated every time /export is run) it would verify if said certificate actually exists on the device

Jotne · October 1, 2022, 6:54am

Other problem with this behavior, how can user know what are exported and what are not.
I tried to find it out, but not mention anywhere.
https://wiki.mikrotik.com/wiki/Manual:Configuration_Management

holvoetn · October 1, 2022, 7:10am

Let’s stick to the point where we agree it is “Work In Progress”

Also noticed on ROS7 some things do become available when using show-sensitive (where they should be shown regardless) but other things never show.
And yes, users is one of them.