Starting with Opengear firmware version 4.10.0 for IM, CM and ACM devices, password hashes can be stored using SHA-512 crypt, which is stronger than the MD5 crypt hashes used by previous versions.
However, older firmware cannot verify SHA-512 hashes, so this feature breaks backwards compatibility.
Opting In
To ease the transition, a device upgraded from a previous version without erasing its configuration continues to use MD5 password hashes until an administrator opts in on the Users & Groups page of the Web UI. After SHA-512 is enabled, passwords set or changed from then on are hashed with SHA-512; existing MD5 hashes cannot be converted without the plaintext, so each account's hash changes only when its password is next set.
It is strongly recommended that a configuration backup be stored before opting in to SHA-512 password hashing; a backup taken while the device still uses MD5 hashes is what is needed to restore MD5 hashes should older firmware be installed later.
After a configuration erase, and on a new device shipped with 4.10.0 or later, SHA-512 password hashes are used by default.
Installing Older Firmware Versions
Lock-out risk: if the root account has a SHA-512 hash and an earlier firmware version is installed without first restoring or erasing the configuration, the older firmware cannot verify the hash and the root account becomes unusable. Recovery then requires a procedure that needs physical access to the device. If an earlier firmware version is required, it is essential to restore a backup taken before opting in to SHA-512, so that MD5 password hashes are in place before downgrading.
Alternatively, use the 'E' option when installing the older firmware. The 'E' option causes the configuration to be erased on the first boot of the older version, ensuring that the SHA-512 password hashes are removed. The 'i' option is also required to skip the version number check when installing older firmware, so the full option string is "-iE".
The "Preserve password across configuration erase" feature carries the same risk: it would keep a SHA-512 root hash through the erase, leaving the root account unusable on the older firmware. Disable that feature before installing a previous version, in addition to restoring from backup or erasing the configuration.
Compatibility with ZTP
With the default options, installing older firmware on a device via ZTP (Zero Touch Provisioning) is safe. When ZTP configures the console server, the device first installs firmware if the firmware DHCP option is set; this step erases the configuration, which removes any SHA-512 hashes from the password file. If the configuration DHCP option is also set, the device then applies the configuration provided. Two scenarios can still cause problems because of SHA-512 hashing:
- The configuration file provided via the DHCP option must not contain passwords hashed with SHA-512 if it will be applied to older firmware that does not support them.
- If an "nf" firmware option override is in use on the firmware download URL, it must include the "E" option so that the configuration is erased, and the "i" option so that the version check is skipped when installing older firmware. If no "nf" override is specified, the default options apply, and they already include "E" and "i".
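As an added example (not Opengear's own tooling), the following Python script checks a shadow-style password file or a configuration backup for SHA-512 hashes before a downgrade. It serves both the lock-out check above (does root still have a hash that MD5-only firmware can verify?) and the ZTP configuration-file check (does the file contain any SHA-512 hashes at all?). The crypt scheme identifiers ($1$ for MD5-crypt, $5$ for SHA-256-crypt, $6$ for SHA-512-crypt) are the standard modular-crypt prefixes; the sample password file is constructed for illustration, and the exact file layout on an Opengear device is an assumption.

```python
import re

# Modular-crypt scheme identifiers. Opengear firmware before 4.10.0 stores
# MD5-crypt ($1$); 4.10.0 and later can store SHA-512-crypt ($6$). $5$
# (SHA-256-crypt) is recognised so it is reported rather than silently ignored.
CRYPT_SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512"}

# $id$[rounds=N$]salt$hash  (salt and hash use the ./0-9A-Za-z alphabet)
CRYPT_RE = re.compile(
    r"\$(?P<id>[156])\$(?:rounds=\d+\$)?(?P<salt>[./A-Za-z0-9]{1,16})\$(?P<hash>[./A-Za-z0-9]+)"
)
# Traditional DES crypt: 13 characters, no prefix.
DES_RE = re.compile(r"[./A-Za-z0-9]{13}")


def classify_hash(field: str) -> str:
    """Classify one password field: md5, sha256, sha512, des, locked, empty or unknown."""
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):      # locked / login-disabled account
        return "locked"
    m = CRYPT_RE.fullmatch(field)
    if m:
        return CRYPT_SCHEMES[m.group("id")]
    if DES_RE.fullmatch(field):
        return "des"
    return "unknown"


def scan_shadow(text: str) -> dict:
    """Parse shadow-style 'user:hash:...' lines and return {user: scheme}."""
    schemes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        schemes[fields[0]] = classify_hash(fields[1])
    return schemes


def accounts_unusable_on_md5_firmware(schemes: dict) -> list:
    """Accounts whose hash MD5-only firmware cannot verify (login would fail)."""
    return sorted(u for u, s in schemes.items() if s in ("sha256", "sha512", "unknown"))


def downgrade_is_safe(schemes: dict) -> bool:
    """Downgrade is safe only if root keeps a hash the older firmware understands."""
    return "root" not in accounts_unusable_on_md5_firmware(schemes)


def sha512_hashes_in_text(text: str) -> list:
    """Find SHA-512 crypt strings anywhere in a config backup or ZTP config file."""
    return [m.group(0) for m in CRYPT_RE.finditer(text) if m.group("id") == "6"]


# Constructed sample (not a real Opengear password file): root has opted in to
# SHA-512, admin still has an MD5 hash, daemon is locked.
SAMPLE_SHADOW = """\
root:$6$Qx3vN7bL$9yJ3k8xH5Y1z7f2e0bTqP4wK6cM3sD8gR1nL5vZ2xA7hU0jE9oI4tF6yC3mB8pN1kS5dW2qV7lX0rG4uT9aO:19000:0:99999:7:::
admin:$1$Kp2rT9sW$hB7cE1nM4qL0xZ6vR3yJ8.:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    schemes = scan_shadow(SAMPLE_SHADOW)
    for user, scheme in schemes.items():
        print(f"{user:10s} {scheme}")
    risky = accounts_unusable_on_md5_firmware(schemes)
    print("unusable on MD5-only firmware:", risky or "none")
    print("safe to downgrade without erase/restore:", downgrade_is_safe(schemes))
    print("SHA-512 hashes found in file:", len(sha512_hashes_in_text(SAMPLE_SHADOW)))
```

Run it against a copy of the device's password file or against the configuration backup you intend to restore or serve via ZTP; if `downgrade_is_safe` is false, restore a pre-opt-in backup or install with the erase option before downgrading. Locked accounts are reported but not flagged, since a hash that is never verified cannot cause a lock-out.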