Recovering forgotten encrypted passwords

Article ID: 169797

Products

ProxySG Software - SGOS

Issue/Introduction

You have forgotten a password that is stored encrypted in the configuration (see TECH242503 for examples of which passwords are stored in this manner).

Resolution

Note: This process requires the enable password, and cannot be used to recover the enable password. To recover or change the enable password, see TECH241810. This process also means that any administrator with enable / read-write access can recover the plaintext of all passwords stored on the proxy. If this is not desirable, consider using read-only privileges for administrators.

Passwords that are stored encrypted have been encrypted using the "configuration-passwords-key" keyring. To decrypt and recover these passwords, we need to export the private key of this keyring.

First, save both the encrypted password text and the private key to text files (encrypted_password and private.key respectively in our example). The private key can be viewed from the command line:



Now that we have saved both the encrypted password and the private key, we can decrypt the password. To do this we will need openssl installed, and a base64 decoder.

Start by base64 decoding the encrypted password, and saving this to a new file:



Then decrypt this base64 decoded version of the encrypted password using openssl:



Finally, view the decrypted output in a text file:



The decrypted password (abc123 in this case) will be near the start of the file in plaintext.
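
The decode and decrypt steps above, run end to end on a locally generated key and password (an added example, not the commands from the original article). It assumes the stored value is a base64-encoded RSA ciphertext with PKCS#1 v1.5 padding, which the article does not state; the function names and the generated sample files are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: key, password and files are all generated locally.
# ASSUMPTION (not stated in the article): the stored value is base64 of an
# RSA ciphertext with PKCS#1 v1.5 padding.

# recover_password <encrypted_password> <private.key>  (hypothetical helper)
# Prints the recovered plaintext on stdout.
recover_password() {
    bin_file=$(mktemp) || return 1
    # Base64-decode to a binary file; -A accepts the value as one long line.
    # Then decrypt the binary blob with the exported private key.
    openssl base64 -d -A -in "$1" -out "$bin_file" &&
        openssl pkeyutl -decrypt -inkey "$2" -in "$bin_file" \
            -pkeyopt rsa_padding_mode:pkcs1
    rc=$?
    rm -f "$bin_file"
    return "$rc"
}

# make_sample <dir> <password>: constructed stand-in for the two saved files.
make_sample() (
    umask 077   # the private key decrypts every stored password
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/private.key" 2>/dev/null &&
    printf '%s' "$2" |
        openssl pkeyutl -encrypt -inkey "$1/private.key" \
            -pkeyopt rsa_padding_mode:pkcs1 |
        openssl base64 -A > "$1/encrypted_password"
)

demo() {
    work=$(mktemp -d) || return 1
    make_sample "$work" 'abc123' &&
        recover_password "$work/encrypted_password" "$work/private.key"
    rc=$?
    rm -rf "$work"   # do not leave the key or plaintext on disk
    return "$rc"
}

demo && echo
```

If the format assumption holds for a real export, only `recover_password` applies, pointed at the saved encrypted_password and private.key files; delete both files once the password has been recovered.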
