SD-WAN


Ask questions and share experiences with SD-WAN and Session Smart Router (formerly 128T).
  • 1.  "admin" and "t128" users remain with default passwords after onboarding to conductor - thoughts?

    Posted 10-26-2022 14:33
    I have a conductor that is working fine. Its "admin" and "t128" user passwords were changed to non-default high-quality passwords during the build, as you would expect.

    I noticed that after onboarding several SSRs with the conductor successfully, their admin and t128 users remain in place and the passwords have not been changed to match the non-default high-quality passwords I set during the conductor build.

    Process:
    1) Build conductor in AWS, currently 5.5.4 (the latest when I built from AWS Marketplace)
    2) Change "admin" and "t128" user passwords during build
    3) Configure an SSR and grab its quickstart
    4) Onboard it using OTP + quickstart method
    5) The SSR joins, but if I go to its console via remote terminal, the passwords remain unchanged from the well-known default.

    Concerns/Questions:
    1) These SSRs will be deployed to customer sites; even if you can't SSH to them (which I haven't tested exhaustively), a malicious user could get on the console via the serial console port
    2) If I want to change these passwords, the only way I currently know is to drop to the remote terminal, then su t128, sudo su, and passwd, which is not a scalable solution. Is there a better way?

    Thanks!

    ------------------------------
    Chris Tomkins
    ------------------------------
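
A fleet-wide check for the condition described in the post above, as an added example that is not part of the original thread or of the vendor's tooling. It assumes you have collected the `/etc/shadow` lines for `admin` and `t128` from each router together with its onboarding date; the router names, dates and hash placeholders are constructed.

```python
from collections import defaultdict
from datetime import date

ACCOUNTS = ("admin", "t128")   # the two local users named in the thread
EPOCH = date(1970, 1, 1)       # shadow field 3 counts days from this date

def shadow(name, pw_hash, changed):
    """Build a constructed /etc/shadow line (hashes are placeholders)."""
    return f"{name}:{pw_hash}:{changed}:0:99999:7:::"

IMAGE = [shadow("admin", "$6$imgsalt1$PLACEHOLDER_A", 19100),
         shadow("t128", "$6$imgsalt2$PLACEHOLDER_T", 19100)]
# Constructed fleet: router -> (onboarding date, collected shadow lines).
SAMPLE = {
    "ssr-branch-1": (date(2022, 10, 20), IMAGE),
    "ssr-branch-2": (date(2022, 10, 20), IMAGE),
    "ssr-branch-3": (date(2022, 10, 20), [
        shadow("admin", "$6$x7Qp$PLACEHOLDER_B3A", 19290),
        shadow("t128", "$6$k2Lm$PLACEHOLDER_B3T", 19290)]),
}

def audit(fleet):
    """Return sorted (router, account, reason) findings."""
    findings, seen = [], defaultdict(set)
    for router, (onboarded, lines) in fleet.items():
        cutoff = (onboarded - EPOCH).days
        for line in lines:
            name, pw_hash, changed = line.split(":")[:3]
            if name not in ACCOUNTS or pw_hash[:1] in ("!", "*"):
                continue  # other users, or password login locked
            seen[(name, pw_hash)].add(router)
            # An empty field or a day before onboarding means the password
            # was never rotated on this router after it joined.
            if not changed or int(changed) < cutoff:
                findings.append((router, name, "unchanged since onboarding"))
    # passwd picks a fresh salt, so an identical hash on several routers
    # points to an image-baked or copied credential.
    for (name, _), routers in seen.items():
        if len(routers) > 1:
            findings += [(r, name, "hash shared across routers") for r in routers]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```
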


  • 2.  RE: "admin" and "t128" users remain with default passwords after onboarding to conductor - thoughts?

    Posted 11-03-2022 11:08
    Have the same concerns and would be interested in a scalable solution.

    ------------------------------
    ANDREAS MOUSSAUD
    ------------------------------



  • 3.  RE: "admin" and "t128" users remain with default passwords after onboarding to conductor - thoughts?

     
    Posted 11-03-2022 14:41
    Hi @Chris Tomkins and @ANDREAS MOUSSAUD,

    Thank you so much for your feedback! You are correct that each SSR and Conductor does manage their usernames and passwords locally. However, I do have 2 options for you that could potentially help with your concern.

    The first is to use Salt-States which you can find here: https://github.com/128technology/salt-states 
    With the setup-linux-user-passwords.sls you can have 1 master repo of usernames and passwords that gets pushed down to every device in your Authority. 

    The second option would be to have your SSRs talk to an LDAP Server. You can find some info on that here: https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_ldap/ 

    I hope these help. Let me know if you have any further questions.

    Thank you,
    Justin

    ------------------------------
    Justin Melloni
    ------------------------------



  • 4.  RE: "admin" and "t128" users remain with default passwords after onboarding to conductor - thoughts?

    Posted 11-04-2022 16:22
    Hi @Justin
    Thanks for the answer.
    Salt-states seems to be a very useful module for large-scale deployment. However, I don't see the point of using it, since it's rather more complicated to use than the GUI template feature - on the GUI there is a syntax validator, and there is no need to call function names or create files manually.

    I hope the feature will be implemented in the GUI in the future.

    Regarding LDAP, I thought the feature only applied to the Conductor? Does it mean that only the LDAP accounts will be created on new routers when LDAP is globally configured?



    ------------------------------
    ANDREAS MOUSSAUD
    ------------------------------