 
oldunixguy
just joined
Topic Author
Posts: 9
Joined: Wed Sep 06, 2017 10:27 am

cant set password with certain special chars from command line

Mon Feb 14, 2022 9:45 am

I'm running RouterOS 6.49.2 on an RB450Gx4.
I am able to set a user password containing special characters such as caret, question mark, and apostrophe using WebFig and WinBox.
However, I cannot make it work from the command line. For example:
/user add name=abcde password=q?9^'pcT5jZ*z group=full
yields an error.

I have tried this surrounding it with quotes but it will not work either:
/user add name=abcde password="q?9^'pcT5jZ*z" group=full

Entering q?9^'pcT5jZ*z into WebFig works just fine.

How do I make this work or is this a bug?
thanks
oldunixguy
 
Rugx
Member Candidate
Posts: 123
Joined: Thu Jan 02, 2020 1:44 pm

Re: cant set password with certain special chars from command line

Mon Feb 14, 2022 10:49 am

/user add name=abcde password="q9^'pcT5jZ*z" group=full
Works for me on the same rOS version
 
sindy
Forum Guru
Posts: 10015
Joined: Mon Dec 04, 2017 9:19 pm

Re: cant set password with certain special chars from command line

Mon Feb 14, 2022 12:10 pm

Escape the question mark using a \, the same way you'd have to escape a $ or a ".

Or create the user with a bogus password, and then use /user edit abcde password to set the one you really want.

(Just a joke: or upgrade to RouterOS 7 where the ? has been replaced by [F1] for invocation of the help.)
 
oldunixguy
just joined
Topic Author
Posts: 9
Joined: Wed Sep 06, 2017 10:27 am

Re: cant set password with certain special chars from command line

Tue Feb 15, 2022 10:31 am

So to be clear, when entering data into WinBox or WebFig fields for the password one does NOT need to escape anything?
And when one uses command line:
/user edit abcde password
or
/user add name=abcde password=q?9^'pcT5jZ*z group=full
which special characters need to be escaped? Do " and ' in addition to ? ? How about an equal sign in the password?
Does one escape a backslash \ in the password with a second backslash?

Does
/user add name=abcde password=q?9^'pcT5jZ*z group=full
need to have quotations around the entire password like this:
/user add name=abcde password="q?9^'pcT5jZ*z" group=full
Or does that just put quotes into the actual password?

I ask because I am having trouble with specials ONLY through the command line. All those specials in this example work literally without escaping or quoting from WinBox and WebFig.

For example, what if /user add name=abcde password=q\?9^'pcT5jZ*z group=full doesn't create a command entry error BUT it only stores a portion of the specified password. Then when I enter the same password at login time it too only takes a portion and passes the check even though the whole password is NOT used! In other words, how do we know we are getting the long, rich-charactered password we want?

The reason I ask this is because I have found a number of internet sites over the years that are broken in this way and they delude the user into thinking they have a long, rich password when it really recorded and later checks a subset because of bugs like this. I have also found more sites that accept long rich passwords at creation but fail to store them in their d.b. correctly (truncated on specials, etc) and will never succeed a compare at login. I have similarly seen the creation and storage is correct but entry processing at login is input truncated on specials and will never succeed.

I will try to do more testing to see if I can prove all of this works....

thanks
oldunixguy
 
bpwl
Forum Guru
Posts: 2741
Joined: Mon Apr 08, 2019 1:16 am

Re: cant set password with certain special chars from command line

Tue Feb 15, 2022 11:59 am

Just a thought ....

Special chars in passwords only stop humans. The time that MS encrypted every 7 chars as a block is long gone, so is the need for more HEX values in one position.
A very long password now is just as secure for computer augmented attacks, as the human unfriendly special char password.

In the old days I had backspace, ctrl-S, ctrl-Q, DC1,DC2, DC3, DC4, ESC, ... and other ctrl characters in my passwords.
Code page mapping for éèàïçäñ... etc helped as well.
 
rextended
Forum Guru
Posts: 11498
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: cant set password with certain special chars from command line

Tue Feb 15, 2022 12:56 pm

For /user add name=abcde password=q?9^'pcT5jZ*z group=full the correct syntax, on TERMINAL only, is:

v6 and before code

/user add name="abcde" password="q\?9^'pcT5jZ*z" group="full"

From one v7 version code

/user add name="abcde" password="q?9^'pcT5jZ*z" group="full"

The only characters usable on terminal are:

[SPACE] ! " # $ % & ' ( ) * + , - . / 0...9 : ; < = > ? @ A..Z [ \ ] ^ _ ` a..z { | } ~

Some localized keyboards do not have some symbols; for example, the Italian keyboard does not have ` and ~
For some reason the terminal does not accept <ALT>+code to insert those characters; for example, it does not accept <ALT>+<Keypad 1,Keypad 2,Keypad 6> for the ~
Various methods can be used to paste/type them directly into the terminal, but unsupported characters are still unsupported.

A good method is to always put the string inside quotes, except when it is obtained directly from a variable/function.

All special characters must be put inside quotes, or, for one reason or another, they cause errors.
Some characters must be escaped:
" if used as a character, and not to contain a string, must be escaped like \"
$ if used as a character, and not to start a variable or function name, must be escaped like \$
? on the RouterOS 6.x Terminal must be escaped with \ like \? (scripts stored inside script, scheduler, dhcp, ppp profiles, etc. do not need the ? escaped)
\ the \ is the escape symbol; to use \ as a character instead, escape it like \\

All the others must not be used because the RouterOS terminal does not support the remaining characters and the 16-bit chars.


To set a password (with one space at the start) like
 !"#$%&'()*+,-./09:;<=>?@AZ[\]^_`az{|}~

TERMINAL ONLY code

# added backslash before quote, dollar, question mark and backslash
/user add group="full" name="usethedamnquotesforstrings" password=" !\"#\$%&'()*+,-./09:;<=>\?@AZ[\\]^_`az{|}~"

SCRIPT, SCHEDULER, PPP Profile Script, DHCP Lease Script, NETWATCH and all the others with Script section code

# added backslash before quote, dollar and backslash - NOT before question mark
/user add group="full" name="usethedamnquotesforstrings" password=" !\"#\$%&'()*+,-./09:;<=>?@AZ[\\]^_`az{|}~"

WINBOX OR WEBFIG code

# put the input directly into the field without escapes or quotes (there is one space at the start of the string)
 !"#$%&'()*+,-./09:;<=>?@AZ[\]^_`az{|}~

Some other codes visible in exports:
\ before one [SPACE] or [TAB] or [carriage-return] or [line-feed]
means the script continues at the next non-whitespace character (all spaces, tabs, carriage returns and line feeds are ignored). Often used by "export".
\_ = [SPACE] when a significant space can be mistaken for a useless [SPACE]
\t = [TAB] when a significant [TAB] can be mistaken for a useless [TAB]
\r = [carriage-return] when a significant [CR] can be mistaken for a useless [CR]
\n = [line-feed] when a significant [LF] can be mistaken for a useless [LF]

Example
/system script
add name=test owner=\
    admin source=":put\
    \_\"test tab and cr/lf \
    \t\r\
    \n\"\r\
    \n:put \"hey\""
 
Sob
Forum Guru
Posts: 9185
Joined: Mon Apr 20, 2009 9:11 pm

Re: cant set password with certain special chars from command line

Tue Feb 15, 2022 7:06 pm

A simple way: if you are not sure how something should be entered using the CLI, enter it somewhere in WinBox/WebFig and export it in the CLI, e.g. if I create a dummy firewall rule with "q?9^'pcT5jZ*z" as the comment, export will give me:
/ip firewall raw
add action=accept chain=output comment="q\?9^'pcT5jZ*z"
And that can be used for other commands.

A very important thing is to stay away from any characters beyond basic 7-bit ASCII, because RouterOS has zero support for character sets (negative support could be an even more fitting term). It may seem to work, but it doesn't. If you enter something special, RouterOS sees it as some bytes, and it's not even consistent between different interfaces.

For example, I want a comment with "ěščřžýáíé":

- When entered in WinBox, it will show correctly in WinBox, exports as "\EC\9A\E8\F8\9E\FD\E1\ED\E9" (correct for cp1250 used by my Windows), but WebFig shows it as "ìšèøžýáíé"
- When entered in WebFig, it will show as "a Y~ýáíé" in both WebFig and WinBox and exports as "\1Ba\rY~\FD\E1\ED\E9", which is a complete mess and I'm not sure what exactly happened there
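
The escaping rules listed in rextended's post and the export comparison described in Sob's post, put together as an added example that is not part of the original thread: one function builds the quoted string for a v6 terminal or a stored script, and a decoder reads an exported string back so the result can be compared byte for byte with the intended password. The function names and context labels are this example's own, and treating \XX in exports as one raw byte is an assumption inferred from the export output quoted above.

```python
import re

# Rules as given in the thread (not MikroTik documentation): " $ and \ are
# always backslash-escaped; ? only when typing at a RouterOS 6.x terminal.
ALWAYS_ESCAPED = '"$\\'
CONTEXTS = ("terminal-v6", "script")  # labels chosen for this example
ESCAPES = {'"': '"', "$": "$", "?": "?", "\\": "\\",
           "_": " ", "t": "\t", "r": "\r", "n": "\n"}
HEX_PAIR = re.compile(r"[0-9A-F]{2}")


def quote_routeros(value, context="terminal-v6"):
    """Return value as a double-quoted RouterOS string for the given context."""
    if context not in CONTEXTS:
        raise ValueError(f"context must be one of {CONTEXTS}")
    bad = sorted({c for c in value if not 0x20 <= ord(c) <= 0x7E})
    if bad:  # the thread advises printable 7-bit ASCII only
        raise ValueError(f"unsupported characters: {bad!r}")
    escaped = ALWAYS_ESCAPED + ("?" if context == "terminal-v6" else "")
    return '"' + "".join("\\" + c if c in escaped else c for c in value) + '"'


def unquote_export(quoted):
    """Decode a double-quoted string as printed by export or built above."""
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("expected a double-quoted string")
    body, out, i = quoted[1:-1], [], 0
    while i < len(body):
        if body[i] != "\\":
            out.append(body[i])
            i += 1
            continue
        nxt = body[i + 1:i + 2]  # empty when the backslash is the last char
        if nxt in ESCAPES:
            out.append(ESCAPES[nxt])
            i += 2
        elif HEX_PAIR.fullmatch(body, i + 1, i + 3):
            # Assumption: \XX is one raw byte, as in the \EC\9A export above.
            out.append(chr(int(body[i + 1:i + 3], 16)))
            i += 3
        elif nxt and nxt in " \t\r\n":
            i += 1  # continuation: skip ahead to the next non-whitespace char
            while i < len(body) and body[i] in " \t\r\n":
                i += 1
        else:
            raise ValueError(f"unknown or dangling escape \\{nxt}")
    return "".join(out)
```

Decoding the string that an export shows for a value entered in WinBox or WebFig and comparing it with the intended password shows whether anything was dropped or altered on the way in.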
