Sourcefire Linux OS v4.10.0 (build 773) Sourcefire 3D Sensor 1000 v4.10.3.8 (build 8)

Earl Kacin
Level 1

My employer's Sourcefire appliance is no longer under maintenance and it won't be ever again. The device is still in production and will be for several months. I cannot authenticate using the web GUI but I can SSH to it. How do I create a user ID from the console or make the admin account function through the web interface? I can't find a good command set online or get support due to the unrenewed support.


Claudiu Cismaru
Cisco Employee

The admin account should work, by default, in the UI. Unless the password was changed in the UI, but in the shell it is still the one which you can access.

Provide me with the output of:

ls /usr/local/sf/bin/*.pl

/usr/local/sf/bin/ActionQueueScrape.pl
/usr/local/sf/bin/CreateDEConfigFiles.pl
/usr/local/sf/bin/DBCheck.pl
/usr/local/sf/bin/DeleteDEConfigFiles.pl
/usr/local/sf/bin/FS_Check.pl
/usr/local/sf/bin/OptimizeTables.pl
/usr/local/sf/bin/ProxyConsumer.pl
/usr/local/sf/bin/Pruner.pl
/usr/local/sf/bin/Syncd.pl
/usr/local/sf/bin/TSS_Daemon.pl
/usr/local/sf/bin/add_manager.pl
/usr/local/sf/bin/alter_merge.pl
/usr/local/sf/bin/cache_tool.pl
/usr/local/sf/bin/change_partition_interval.pl
/usr/local/sf/bin/check_for_lb_nat.pl
/usr/local/sf/bin/check_merge.pl
/usr/local/sf/bin/check_sfd_shutdown.pl
/usr/local/sf/bin/check_uuid.pl
/usr/local/sf/bin/choose-snort.pl
/usr/local/sf/bin/clear_opsec_module_rules.pl
/usr/local/sf/bin/create_default_de.pl
/usr/local/sf/bin/de_info.pl
/usr/local/sf/bin/diagnose_and_repair_users.pl
/usr/local/sf/bin/exec_perl.pl
/usr/local/sf/bin/failopen_pair.pl
/usr/local/sf/bin/fpcollect.pl
/usr/local/sf/bin/gethardware.pl
/usr/local/sf/bin/gethostipbyname.pl
/usr/local/sf/bin/hw-detect.pl
/usr/local/sf/bin/ids_event_db_info.pl
/usr/local/sf/bin/install_rule.pl
/usr/local/sf/bin/install_seu.pl
/usr/local/sf/bin/install_update.pl
/usr/local/sf/bin/ips_policy_apply.pl
/usr/local/sf/bin/ips_profile.pl
/usr/local/sf/bin/is_space_available.pl
/usr/local/sf/bin/load_inline_category.pl
/usr/local/sf/bin/manage_estreamer.pl
/usr/local/sf/bin/manage_procs.pl
/usr/local/sf/bin/manage_pruning.pl
/usr/local/sf/bin/merge_stats.pl
/usr/local/sf/bin/ntpd.pl
/usr/local/sf/bin/package_info.pl
/usr/local/sf/bin/purge_data.pl
/usr/local/sf/bin/register_appliance.pl
/usr/local/sf/bin/remove_managers.pl
/usr/local/sf/bin/remove_peer.pl
/usr/local/sf/bin/repair_table.pl
/usr/local/sf/bin/repair_users.pl
/usr/local/sf/bin/restore_events.pl
/usr/local/sf/bin/rotate_stats.pl
/usr/local/sf/bin/run_hm.pl
/usr/local/sf/bin/run_query.pl
/usr/local/sf/bin/run_task.pl
/usr/local/sf/bin/schedule_wrapper.pl
/usr/local/sf/bin/set_external.pl
/usr/local/sf/bin/sf-backup-inator.pl
/usr/local/sf/bin/sf-backup.pl
/usr/local/sf/bin/sf-restore-backup.pl
/usr/local/sf/bin/sf-rsd-mount.pl
/usr/local/sf/bin/sf-rsd-umount.pl
/usr/local/sf/bin/sf-rsd-upload-backup.pl
/usr/local/sf/bin/sf_crontab_edit.pl
/usr/local/sf/bin/sf_troubleshoot.pl
/usr/local/sf/bin/sfcli.pl
/usr/local/sf/bin/sfd_stats.pl
/usr/local/sf/bin/sftunnel_status.pl
/usr/local/sf/bin/sort_upgrades.pl
/usr/local/sf/bin/system-settings.pl
/usr/local/sf/bin/transaction_tool.pl
/usr/local/sf/bin/uimp.pl
/usr/local/sf/bin/update_snort_memory.pl
/usr/local/sf/bin/usertool.pl
/usr/local/sf/bin/vjdbc.pl
/usr/local/sf/bin/write_ntpd_conf.pl

Try with:

/usr/local/sf/bin/usertool.pl -p "admin Your_New_Password"

Replace Your_New_Password with your desired password. You can use the script to add new users, as well.

Tried to make a new user. I got this.

admin@anb-sf01:~$ /usr/local/sf/bin/usertool.pl -p anbank ******
-bash: /usr/local/sf/bin/usertool.pl: Permission denied

I didn't try to edit the current admin because I don't want to lock myself out. But I am authenticated as admin in the SSH console. Why would I get denied permission if I am admin in SSH?

Because it is Linux, and it has nothing to do with the admin permissions, but with Linux's handling of permissions.

Just issue: sudo su - (don't omit the hyphen), type the admin password again and then reissue the usertool command.

Also, on -p use the double quotes, like: -p "user password"

admin@anb-sf01:~$ sudo su - admin &22m8a#9s8Je
[1] 30031
-bash: 22m8a#9s8Je: command not found
admin@anb-sf01:~$ sudo su -admin &22m8a#9s8Je
[2] 30045
-bash: 22m8a#9s8Je: command not found

[1]+ Stopped sudo su - admin
admin@anb-sf01:~$ sudo su -admin &22m8a#9s8Je
[3] 30053
-bash: 22m8a#9s8Je: command not found

[2]+ Stopped sudo su -admin
admin@anb-sf01:~$ /usr/local/sf/bin/usertool.pl -p "anbank #######"
-bash: /usr/local/sf/bin/usertool.pl: Permission denied

[3]+ Stopped sudo su -admin
admin@anb-sf01:~$ /usr/local/sf/bin/usertool.pl -p "anbank #######"
-bash: /usr/local/sf/bin/usertool.pl: Permission denied
admin@anb-sf01:~$

Tried this too.

admin@anb-sf01:~$ sudo su - admin
Password:
admin@anb-sf01:~$ /usr/local/sf/bin/usertool.pl -p "anbank #######"
-su: /usr/local/sf/bin/usertool.pl: Permission denied

Try this:

sudo su
usertool.pl -p "anbank #######"

The first command will change you to the root user (not admin, which does not have root privilege). Then you should be able to run commands requiring root privilege.

admin@anb-sf01:~$ sudo su
Password:
root@anb-sf01:/var/home/admin# /usr/local/sf/bin/usertool.pl -p "anbank ######"
Could not load user anbank $VAR1 = bless( {
'-file' => '/usr/local/sf/lib/perl/5.10.1/SF/EOHandler.pm',
'-text' => 'loadObject: No UUID Provided - /usr/local/sf/lib/perl/5.10.1/SF/Permission.pm in sub SF::Permission::__ANON__ at line 537',
'-line' => 757,
'-package' => 'SF::EOHandler'
}, 'Error::Simple' );
No user specified. at /usr/local/sf/lib/perl/5.10.1/SF/UserPreferences.pm line 40.
No user named anbank at /usr/local/sf/lib/perl/5.10.1/SF/Auth.pm line 1998.

You're almost there. User anbank does not currently exist. That's why the tool isn't letting you change the password.

You need to reset the password for user admin. Once you do that, you should be able to use the admin username and new password to access the Web UI.

Also, I believe it should be single quotes. See the following technote that applies in your case:

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118631-technote-firesight-00.html#anc4

It states the following:

Admin User for Web Interface Access

In order to reset the password of an admin user that is used to access the web interface, complete these steps:

  1. Log in to the CLI of your appliance with Secure Shell (SSH).

  2. Enter this command in order to reset the password:

    Caution: Note the use of single quotes. The use of double quote does not allow the password to be set properly.

    admin@FireSIGHT:~$ sudo usertool.pl -p 'admin <password>'

    Note: Replace <password> with the desired password.

    For example, if you want to change the password of the admin user from Sourcefire (old password) to Firepower (new password), then enter the command as shown here:

    admin@FireSIGHT:~$ sudo usertool.pl -p 'admin Firepower'
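
Added example (not part of the original thread or the Cisco technote): a sketch of what the shell hands to a program after -p under the three quoting styles tried above. usertool_stub and the sample password are constructed stand-ins, so nothing on an appliance is changed; the behaviour shown is general shell parsing, not something specific to usertool.pl.

```sh
#!/bin/sh
# Stand-in for usertool.pl (hypothetical): it changes nothing and only prints,
# in brackets, the "user password" string the shell handed it after -p.
usertool_stub() { printf '[%s]' "$2"; }

# Constructed sample password containing $, & and #.
# Single quotes: the shell passes every character through untouched.
single_quoted() {
    usertool_stub -p 'admin S3cr$t&9#x'
}

# Double quotes: & and # stay literal, but $t is expanded as a variable.
# With t unset (as in a fresh login shell) it silently becomes empty, so the
# tool would store a different password from the one that was typed.
double_quoted() {
    ( unset t; usertool_stub -p "admin S3cr$t&9#x" )
}

# No quotes: eval re-parses the line as a prompt would. The & ends the command
# and backgrounds it, "admin" alone arrives as the -p value, and the rest of
# the password is run as a separate command that fails ("command not found").
unquoted() {
    ( unset t
      eval 'usertool_stub -p admin S3cr$t&9#x' 2>/dev/null || true
      wait )
}

printf 'single quotes: %s\n' "$(single_quoted)"
printf 'double quotes: %s\n' "$(double_quoted)"
printf 'no quotes:     %s\n' "$(unquoted)"
```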

Thank you both so much!!! I am in. You guys rock.

You're welcome.

Please mark your question as answered. Doing so encourages participation and helps others searching for answers. 
