
Built-in admin password change failure

SonicAdmin80 Cybersecurity Overlord ✭✭✭

So something very annoying happened. I was changing the password for the built-in administrator account. It accepted the change but now neither the old nor the new password works. Looks like dashes in the password are not allowed but the appliance doesn't warn about this. So I'm locked out of the built-in account.

I have another user account that is part of the "Sonicwall administrators" group and I can access the appliance through SSH with this account. Is there any way to reset the built-in admin password through this account either through SSH or the local ESXi console? The command "admin password" requires the old password but neither one works. I guess the new password is mangled because of the dashes in the password, but no idea what it could be now.

If it's not possible I have the tedious work of factory reset and re-configuration to be done in the future. Luckily I have a conf backup from last night but there are lots of changes made since then. From the CLI I can perhaps output the recent changes from this other account.

Category: Virtual Firewall

Answers

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    Ok I got in through the web UI and can at least export the configuration. But is there any way to fix the built-in admin account without factory reset?

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    I think I remember this happening previously with SSL-VPN where after changing the password in Mobile Connect the new password wasn't accepted. The appliance probably mangles or normalizes the dashes/hyphens somehow to a format that isn't recognized from the input afterwards.

    I tried the password with hyphens, dashes, underscores, forward slashes and whatever the third dash-like character is called that is on the standard keyboard layout. None worked but I wonder if it would work if I knew what the appliance thinks the character is or how it normalizes it during input and hashing.

    SonicOS really should validate the input better and not allow this. I just generated a new password from my password manager without thinking any further and SonicOS didn't give any error about invalid input.

  • Hi @SONICADMIN80,

    I can see that this behavior of the NSv is a bit weird. I'll have this verified and get back to you.

    Please standby.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    I think the same can happen with a physical appliance, at least with SSL-VPN users when they change their password in Mobile Connect. Hyphens/dashes at least seem to be the issue, not sure if other special characters cause the issue.

    I would appreciate it if there's a workaround to avoid factory reset, perhaps inputting a different character or some sort of Unicode or HTML string.

    I tried changing the password through the CLI in both "user local" and "admin password" sections but I guess "user local" can't be used to reset the primary admin account and the other command requires the old password.

  • geevo Newbie ✭

    Any help from sonic yet?? Any resolutions? It just happened to me. I updated my password, and now I'm SOL!@! Please help??

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    In the end I had to factory reset and import the configuration back. Luckily I had a secondary admin account that enabled me to export the latest configuration. If you don't have that I guess you are out of luck unless support has some trick to try.

  • geevo Newbie ✭

    SonicAdmin80 thank you! Lucky you had a back up.

    So how did you know it was the dashes? I do happen to have a dash in the new password, so it kinda makes sense, but I talked to a Sonic engineer who said he was not aware of forbidden characters in passwords for SonicWall firewalls.

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    @geevo It's just my hunch that the dashes are the reason, as I think they were the only special character in the password. I've also seen a similar problem with SSL-VPN where the password change isn't successful and if I remember it correctly that was also caused by a dash.

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    @geevo I just tested this through SSL-VPN and indeed, if I set the user to require a password change and the new password contains a dash I get the error:

    "Password change rejected by server. Your new password may have failed password complexity requirement policies."

    The password meets the requirements but adding a dash seems to confuse it to not accept it. I tested with both Mobile Connect on macOS and NetExtender on Windows. I suspect this same problem affects the primary admin account but the new password isn't rejected like with SSL-VPN and the password is stored in some corrupted form.
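As an added example (not from this thread and not SonicWall code): a client-side pre-flight audit of a generated password that flags dash-like and non-ASCII code points, and anything NFKC normalisation would rewrite, before the password is submitted to an appliance. The punctuation allowlist is an assumption for the example, not SonicOS's documented policy.

```python
import unicodedata

# Conservative allowlist (an assumption for this example, not a SonicOS rule):
# ASCII letters, digits and punctuation the thread never reports trouble with.
SAFE_PUNCT = set("!@#$%^&*()_+=[]{}:;,.?")


def audit_password(pw: str) -> dict:
    """Flag code points that may not survive input handling unchanged.

    Flags anything Unicode classifies as a dash (category Pd) or names as a
    hyphen, anything non-ASCII, any ASCII punctuation outside the allowlist,
    and whether NFKC normalisation rewrites the string. 'safe' is True only
    when nothing was flagged.
    """
    dash_like, non_ascii, outside = [], [], []
    for ch in pw:
        name = unicodedata.name(ch, "UNKNOWN")
        if unicodedata.category(ch) == "Pd" or "HYPHEN" in name:
            dash_like.append((ch, name))
        if ord(ch) > 0x7F:
            non_ascii.append((ch, name))
        elif not (ch.isalnum() or ch in SAFE_PUNCT):
            outside.append((ch, name))
    differs = unicodedata.normalize("NFKC", pw) != pw
    return {
        "dash_like": dash_like,
        "non_ascii": non_ascii,
        "outside_allowlist": outside,
        "normalized_differs": differs,
        "safe": not (dash_like or non_ascii or outside or differs),
    }


def report(pw: str) -> str:
    """One-line verdict naming every flagged code point by its Unicode name."""
    r = audit_password(pw)
    if r["safe"]:
        return "OK: only allowlisted ASCII characters"
    parts = [f"U+{ord(ch):04X} {name}"
             for ch, name in r["dash_like"] + r["non_ascii"] + r["outside_allowlist"]]
    if r["normalized_differs"]:
        parts.append("NFKC normalisation rewrites this string")
    return "RISKY: " + "; ".join(dict.fromkeys(parts))  # de-duplicate, keep order


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials. The last three contain
    # code points that all render like a keyboard hyphen but are distinct.
    for s in ["Tr0ub4dor_Pass!", "Tr0ub4dor-Pass", "Tr0ub4dor\u2013Pass", "Tr0ub4dor\uff0dPass"]:
        print(repr(s), "->", report(s))
```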
