
Can't change username on ROS 6.43

Posted: Wed Sep 12, 2018 1:41 pm
by nicolasemmanuelc
Hello, recently I upgraded my RBSXT5HacD to the latest version available (6.43 stable), and after it rebooted I logged in and tried to change the default username (admin). I cannot do that in WinBox because the text box is disabled, then I tried through the CLI and got this message:
[admin@MikroTik] /user> set admin name=comunicaciones
failure: user name can't be changed
What am I doing wrong? What change to the "user" section am I missing in this release?
Thanks! Have a good day!

Re: Can't change username on ROS 6.43  [SOLVED]

Posted: Wed Sep 12, 2018 2:21 pm
by normis
Make a new user, then re-login. There are big security changes in the last versions; rename is no longer possible.

Re: Can't change username on ROS 6.43

Posted: Wed Sep 12, 2018 2:26 pm
by nicolasemmanuelc
Thanks Normis! I will do that!

Re: Can't change username on ROS 6.43

Posted: Wed Sep 19, 2018 8:00 pm
by AlainCasault
> Make a new user, then re-login. There are big security changes in the last versions; rename is no longer possible.

Hello Normis,

Can you explain what this change addresses, and what security recommendation is met?

I'm not a security expert, so I don't get it. "Create/Delete" ends up with the same result as "Rename".

Best regards,

Re: Can't change username on ROS 6.43

Posted: Thu Sep 20, 2018 12:17 pm
by whatever
The only technical reason I can think of is that the username is now part of the salt for the new password hashes. Otherwise it might just be a case of "not yet implemented".
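
The salt argument above, as an added example that is not part of the original post and not MikroTik's code: it assumes a constructed PBKDF2 scheme (not RouterOS's actual algorithm) in which the salt is random bytes plus the username, and shows why an in-place rename would break login while creating a new user does not. All function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed parameter, not a RouterOS value
SAMPLE_PW = "constructed-sample-password"  # constructed sample input


def derive(username: str, rand: bytes, password: str) -> bytes:
    # Assumed scheme: the salt is random bytes followed by the username.
    salt = rand + username.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(username: str, password: str) -> dict:
    # Creating a user is the one moment the server holds the plaintext.
    rand = os.urandom(16)
    return {"name": username, "rand": rand, "hash": derive(username, rand, password)}


def check_login(record: dict, username: str, password: str) -> bool:
    if username != record["name"]:
        return False
    candidate = derive(username, record["rand"], password)
    return hmac.compare_digest(candidate, record["hash"])


def naive_rename(record: dict, new_name: str) -> dict:
    # Only the name changes; without the plaintext the hash cannot be redone.
    return {**record, "name": new_name}


def demo() -> dict:
    old = make_record("admin", SAMPLE_PW)
    renamed = naive_rename(old, "comunicaciones")
    recreated = make_record("comunicaciones", SAMPLE_PW)
    return {
        "before_rename": check_login(old, "admin", SAMPLE_PW),
        "after_rename": check_login(renamed, "comunicaciones", SAMPLE_PW),
        "after_recreate": check_login(recreated, "comunicaciones", SAMPLE_PW),
    }


if __name__ == "__main__":
    print(demo())
```

Under this assumption, "create/delete" and "rename" differ in one respect: creating a user supplies the password, so a fresh hash bound to the new name can be stored.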

Re: Can't change username on ROS 6.43

Posted: Thu Oct 11, 2018 5:25 pm
by man
Also a bit strange for me.
So in order to secure access to the admin panel we may only change the password?
Am I wrong in thinking that changing the user name and password is much stronger protection than just a password?

Re: Can't change username on ROS 6.43

Posted: Thu Oct 11, 2018 6:21 pm
by fragtion
> Also a bit strange for me.
> So in order to secure access to the admin panel we may only change the password?
> Am I wrong in thinking that changing the user name and password is much stronger protection than just a password?

I think it's safe to assume that changing the admin password to something "uncrackable" like a 20-character long string with special characters, and then creating a new admin user with your desired password, will achieve the same effective level of security as changing the admin username to your desired new username and then setting that to your desired password. I mean there's not a remote chance in hell that anyone is going to crack a 20-character long password string with special characters via brute force over telnet/ssh - they can forget it. So yeah, technically changing the username IS "theoretically" stronger, but in a case like this that advantage is almost totally negligible/non-existent.

Re: Can't change username on ROS 6.43

Posted: Thu Oct 11, 2018 6:52 pm
by Sob
@man: You can always create a completely new user and disable/delete the original "admin".

Re: Can't change username on ROS 6.43

Posted: Thu Oct 11, 2018 9:49 pm
by AlainCasault
> @man: You can always create a completely new user and disable/delete the original "admin".

+1

I agree. Deleting "admin", even if it has a pwd from hell, is that much more secure.



Re: Can't change username on ROS 6.43

Posted: Fri Oct 12, 2018 12:47 pm
by man
Thanks guys!
I want to create a HotSpot and need to be sure that the system will be "Hacker resistant" (sure, I know that if someone really wants to hack a system it will be done...)
I have already blocked all pings from the Hotspot network at the firewall filter, and so on...

Re: Can't change username on ROS 6.43

Posted: Fri Oct 12, 2018 3:21 pm
by AlainCasault
> Thanks guys!
> I want to create a HotSpot and need to be sure that the system will be "Hacker resistant" (sure, I know that if someone really wants to hack a system it will be done...)
> I have already blocked all pings from the Hotspot network at the firewall filter, and so on...

I like your choice of word, "resistant". You look like someone who understands that nothing is ever "proof".

Cheers,



Re: Can't change username on ROS 6.43

Posted: Thu Feb 14, 2019 8:12 am
by macsrwe
> > @man: You can always create a completely new user and disable/delete the original "admin".
>
> +1
>
> I agree. Deleting "admin", even if it has a pwd from hell, is that much more secure.

And for those of us who have already been doing that for years with an initialization script, MikroTik has just made that even more difficult. :-(

Re: Can't change username on ROS 6.43

Posted: Thu Feb 14, 2019 8:29 am
by vecernik87
> And for those of us who have already been doing that for years with an initialization script, MikroTik has just made that even more difficult. :-(

Not really. I implemented my init script this way before it was enforced:
# Make sure the "full" group carries every policy
/user group
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp skin=default

/user
# Create the new admin user; ignore the error if it already exists
:do {
add address="" disabled=no group=full name=myadmin
} on-error={};
# Set its password, then remove every user except this one
set myadmin address="" disabled=no group=full password=NobodyWillGuessThis
remove [find (name="myadmin" = false)]

It does not depend on what user(s) exist. It just makes sure that the "full" group is really full, creates a new "full" user and deletes every single user except this one. I would say pretty failproof...

Re: Can't change username on ROS 6.43

Posted: Thu Feb 14, 2019 6:31 pm
by anav
vecernik87 BURNS macsrwe!!

But how can you get mad at a playful colourful pony! :-)

Re: Can't change username on ROS 6.43

Posted: Thu Feb 14, 2019 6:47 pm
by macsrwe
> set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp skin=default
>
> It does not depend on what user(s) exist. It just makes sure that the "full" group is really full, creates a new "full" user and deletes every single user except this one. I would say pretty failproof...

Which means you have to be careful to chase every new permission that MikroTik adds to the system. As I said, more work.

Looks like I was wrong to assume that RouterOS would not let a script delete the user under which it itself is still running. Perhaps some day they'll "fix" that too, and then this will all break again.

Re: Can't change username on ROS 6.43

Posted: Fri Feb 15, 2019 2:29 am
by vecernik87
@anav: this pony can kick really hard :lol:

@macsrwe: good point! Thank you. I actually haven't thought of it this way and it might bite me in the ass later. Fixed:

# Read the policy list of a freshly created temporary group
/user group add name=temppolicy
:local defpolicy [:tostr [/user group get temppolicy value-name=policy]]
:local fullpolicy
# Copy it character by character, dropping "!" and turning ";" into ","
:for i from=0 to=([:len $defpolicy] - 1) do={
  :local char [:pick $defpolicy $i]
  :if ($char = "!") do={:set char ""}
  :if ($char = ";") do={:set char ","}
  :set fullpolicy ($fullpolicy . $char)
}
# Remove the temporary group and apply the resulting list to "full"
/user group remove temppolicy
/user group set full policy=$fullpolicy

Re: Can't change username on ROS 6.43

Posted: Tue Feb 19, 2019 4:06 am
by audiomation
@vecernik87 - this is brilliant. Thanks so much for posting.

However, I was going nuts because your script looked fine, but always failed with a syntax error at column 8 on the :set fullpolicy command in the loop. Couldn't figure out why it wasn't working for me.

Figured out that, for whatever reason, on RouterOS 6.43.7 on an RB4011, it will fail that way if run in verbose mode. If I don't run in verbose mode it works fine.

If anyone has an explanation that would be great. I've seen weird things happen in verbose mode that didn't happen when not in verbose mode before, but I'd forgotten about that until tonight.

Re: Can't change username on ROS 6.43

Posted: Tue Feb 19, 2019 4:19 am
by macsrwe
> Figured out that, for whatever reason, on RouterOS 6.43.7 on an RB4011, it will fail that way if run in verbose mode. If I don't run in verbose mode it works fine.
> If anyone has an explanation that would be great. I've seen weird things happen in verbose mode that didn't happen when not in verbose mode before, but I'd forgotten about that until tonight.

Any time you use :local outside a set of curly brackets, the results will be indeterminate depending on under what environment you execute the script.

Re: Can't change username on ROS 6.43

Posted: Tue Feb 19, 2019 5:57 am
by vecernik87
@macsrwe: Gosh! I didn't know :( I wrongly assumed that any inner instance of curly brackets will inherit all variables from outside.
Thanks for pointing that out. I didn't really want to use "global" variable to avoid messing with rest of system, but I guess there is not much choice, is there?

Re: Can't change username on ROS 6.43

Posted: Tue Feb 19, 2019 7:52 am
by macsrwe
I think maybe I didn't state this entirely clearly.

If you have a :local in a script outside ALL curly brackets, its behavior is nondeterministic. For deterministic behavior, put one set of curly brackets around the entire text of the script. And yes, once you have a nicely deterministic variable, it is inherited properly inside all inner curly brackets.

Re: Can't change username on ROS 6.43

Posted: Thu Feb 21, 2019 12:15 pm
by vecernik87
> I think maybe I didn't state this entirely clearly.

Ohh! Now it makes way more sense! :D Thanks heaps for this clarification! You really deserve cookies (or internetz or kudos or whatever currency you like)!

Re: Can't change username on ROS 6.43

Posted: Fri Mar 08, 2019 7:44 pm
by audiomation
Both vecernik87 and macsrwe deserve kudos, cookies, beers, whatever. This is an amazing community. Thanks for the help.