Jotne
Forum Guru
Topic Author
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

What are missing in /export and why. Bug?

Sat Oct 01, 2022 9:39 am

I do see that RouterOS does not export system users. (tested on 6.49.9 7.5 7.6beta10)

As you see here, no users show in /export:

/export
# oct/01/2022 06:32:54 by RouterOS 7.6beta10
# software id = 
#
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/ip dhcp-client
add interface=ether1
/system identity
set name=M-7.6b10

But /user/export does show the users:

/user/export
# oct/01/2022 06:34:05 by RouterOS 7.6beta10
# software id = 
#
/user
add comment="system default user" group=full name=admin
add group=full name=demo
add group=read name=user

Why does /export not show the users, and what other stuff is missing in an export?

I would also like to see the user password in /export show-sensitive.
Not too important, but that is what show-sensitive is made for?
 
millenium7
Long time Member
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

Re: What are missing in /export and why. Bug?

Sat Oct 01, 2022 9:45 am

Yeah, it's a crap design decision/issue/bug/feature from MikroTik. I would REALLY REALLY REALLY REALLY like for all user accounts including MD5/SHA hashes of passwords to be included in /export.
It's way too easy to replace a faulty router, load the backup config and 'forget' to change the user details, potentially exposing a router with admin/*blank*
It's also impossible to audit passwords. If user accounts AND hashes were included then known hashes for old/insecure passwords (i.e. core staff leaving and certain routers needing local passwords changed) could be automatically checked and a notification raised if it wasn't changed
I can go ahead and put a mass password change, but I can't audit it and actually verify it happened

I really hope this is 'fixed' and hashes get included with config at some point
Other things that aren't included (such as certificate files) I feel probably shouldn't be included in a config, but again a hash would be nice so that if restoring a config, it can be verified after applying to see what was missed. The certificate itself doesn't need to be in the config, but if it was a hash (calculated every time /export is run) it would verify if said certificate actually exists on the device
 
Jotne
Forum Guru
Topic Author
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: What are missing in /export and why. Bug?

Sat Oct 01, 2022 9:54 am

Another problem with this behavior: how can a user know what is exported and what is not?
I tried to find out, but it is not mentioned anywhere.
https://wiki.mikrotik.com/wiki/Manual:C ... Management
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: What are missing in /export and why. Bug?

Sat Oct 01, 2022 10:10 am

Let's stick to the point where we agree it is "Work In Progress" :D

Also noticed on ROS7 some things do become available when using show-sensitive (where they should be shown regardless) but other things never show.
And yes, users is one of them.
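
An added example, not from any poster in this thread or from MikroTik: a Python check over saved `/export` and `/user/export` text that reports menus the full export lacks and flags accounts to review after a restore. The function names and the `expected_admins` allow-list are assumptions; the sample text is copied from the first post, with the `/export` listing abridged.

```python
import shlex

# Sample input copied from the first post (the /export listing is abridged).
FULL_EXPORT = """\
/ip dhcp-client
add interface=ether1
/system identity
set name=M-7.6b10
"""
USER_EXPORT = """\
/user
add comment="system default user" group=full name=admin
add group=full name=demo
add group=read name=user
"""

def parse_export(text):
    """Map each menu path to its command lines; '#' comment lines are skipped."""
    sections, menu, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # assumption: long commands wrap with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # a menu path opens a new section
            menu = line
            sections.setdefault(menu, [])
        elif menu is not None:
            sections[menu].append(line)
    return sections

def audit(full_export, user_export, expected_admins):
    """Report menus missing from the full export and full-rights users to review."""
    full, extra = parse_export(full_export), parse_export(user_export)
    findings = [f"{m} is absent from /export" for m in extra if m not in full]
    for cmd in extra.get("/user", []):
        words = shlex.split(cmd)  # keeps quoted comments as one token
        if not words or words[0] != "add":
            continue
        user = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        if user.get("name") == "admin":
            findings.append("default 'admin' account present")
        if user.get("group") == "full" and user.get("name") not in expected_admins:
            findings.append(f"unexpected full-rights user: {user['name']}")
    return findings
```

Calling `audit(FULL_EXPORT, USER_EXPORT, {"admin"})` returns the list of findings for the sample; passwords cannot be checked this way because neither export contains them.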
