
FTD Root access password ?

ida71
Level 1

I have used the Admin password to log in to the CLI on FTDs since they were built & can access expert mode. But I just tried to run an upgrade readiness check at the CLI & it says I don't have privilege, so I tried sudo to root & none of the passwords I have configured work, including the default one.

 

I changed the admin account password when the box was built, but never added a separate root password, as I don't recall it being in the build docs.

 

Any ideas ?

1 Accepted Solution

Accepted Solutions

Francesco Molino
VIP Alumni
Hi

You can run your commands using sudo at the beginning or from the expert mode entering the privileged mode by typing sudo su. The password is the same as your admin password.
I use this very often and never got an issue where my admin password wasn't taken.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


Thanks Francesco,

Every other Unix/Linux system I have used in the past either just "su -" or "sudo" got you access, but as per your advice above "sudo su" is required from expert mode & I now have access. Many thanks.

So just to be sure, did you manage getting it working?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, now working but requires specific "sudo su" rather than the "su -" I'm more accustomed to.

I assumed it was not working because typing just "sudo" or "su -" both returned the password prompt, but would NOT accept the admin password !

 

Many thanks.

 

Chris.

Can you try to change your admin password and retry?
If it is not working, create a new admin user and test it please.

It's not recommended but the last chance, if all above aren't working, is to connect on your FTD in expert mode, then make sure you are connected using admin (command whoami) and finally type passwd to change the password.
Normally by changing the admin password using the official way through UI or CLI (not expert), it should work or at least with a new admin account as well.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

 

I think you misunderstood my last reply, it is now WORKING :)

 

Thanks

 

Chris

Ok sorry😂

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi, I have the same problem, but on my FP1010 I am not allowed to use the command sudo or su. I am trying to type sudo pmon stop and it is failing. If I type it without sudo the command runs but asks for a password; if I type the admin password it shows the messages:
Password:
Sorry, user admin is not allowed to execute '/usr/bin/pkill -SIGUSR1 pmon' as root

Please, I need help. Thanks in advance.

Hi Vanjulen1,

I think your issue is the same as mine, i.e. previous experience with Unix/Linux. Ignore what you know, the FTD platform is NOT the same; it's close, but different.

 

Do NOT use sudo or su - to initiate Root commands, they won't work. You need to change context first then issue your root commands.

 

So log in as admin via SSH to the CLI, then issue "sudo su" followed by the admin user password to change context to the Root user.

This worked for me, now issue your required commands without the "sudo" precursor, so your command "sudo pmon stop"  becomes "pmon stop" because you are now issuing it as the root user.

 

I hope that works for you.

 

Regards

Hi Ida71, when I try to type sudo su it always shows the error "invalid command". I am using a console, because the DME has crashed and I need to restart the pmon service, but I have no idea how to log in or use the sentence like a root user.

Thanks for all.

@Vanjulen1 you are trying to run the command from FXOS. That's different than running it from FTD. The "sudo" instructions are specific to FTD as it has Linux underlying in expert mode. FXOS should not require sudo.

I don't have a 1010 handy but here is the example on a Firepower 1120 running FTD 6.7:

fp1120-v-1(local-mgmt)# show pmon state

SERVICE NAME             STATE     RETRY(MAX)    EXITCODE    SIGNAL    CORE
------------             -----     ----------    --------    ------    ----
svc_sam_dme            running           0(4)           0         0      no 
svc_sam_dcosAG         running           0(4)           0         0      no 
svc_sam_portAG         running           0(4)           0         0      no 
svc_sam_statsAG        running           0(4)           0         0      no 
httpd.sh               running           0(4)           0         0      no 
svc_sam_sessionmgrAG   running           0(4)           0         0      no 
sam_core_mon           running           0(4)           0         0      no 
svc_sam_svcmonAG       running           0(4)           0         0      no 
svc_sam_serviceOrchAG   running           0(4)           0         0      no 
svc_sam_appAG          running           0(4)           0         0      no 
svc_sam_envAG          running           0(4)           0         0      no 
fp1120-v-1(local-mgmt)# 
fp1120-v-1(local-mgmt)# 
fp1120-v-1(local-mgmt)# 
fp1120-v-1(local-mgmt)# pmon 
  start  Start operation 
  stop   Stop operation 

fp1120-v-1(local-mgmt)# pmon stop
fp1120-v-1(local-mgmt)# show pmon state

SERVICE NAME             STATE     RETRY(MAX)    EXITCODE    SIGNAL    CORE
------------             -----     ----------    --------    ------    ----
svc_sam_dme         terminated           0(4)           0         0      no 
svc_sam_dcosAG      terminated           0(4)           0         0      no 
svc_sam_portAG      terminated           0(4)           0         0      no 
svc_sam_statsAG     terminated           0(4)           0         0      no 
httpd.sh                killed           0(4)           0         0      no 
svc_sam_sessionmgrAGterminated           0(4)           0         0      no 
sam_core_mon        terminated           0(4)           0         0      no 
svc_sam_svcmonAG    terminated           0(4)           0         0      no 
svc_sam_serviceOrchAGterminated           0(4)           0         0      no 
svc_sam_appAG       terminated           0(4)           0         0      no 
svc_sam_envAG       terminated           0(4)           0         0      no 
fp1120-v-1(local-mgmt)# 
fp1120-v-1(local-mgmt)# 
fp1120-v-1(local-mgmt)# pmon start
fp1120-v-1(local-mgmt)# 
fp1120-v-1(local-mgmt)# 
fp1120-v-1(local-mgmt)# show pmon state

SERVICE NAME             STATE     RETRY(MAX)    EXITCODE    SIGNAL    CORE
------------             -----     ----------    --------    ------    ----
svc_sam_dme            running           0(4)           0         0      no 
svc_sam_dcosAG         running           0(4)           0         0      no 
svc_sam_portAG         running           0(4)           0         0      no 
svc_sam_statsAG        running           0(4)           0         0      no 
httpd.sh               running           0(4)           0         0      no 
svc_sam_sessionmgrAG   running           0(4)           0         0      no 
sam_core_mon           running           0(4)           0         0      no 
svc_sam_svcmonAG       running           0(4)           0         0      no 
svc_sam_serviceOrchAG   running           0(4)           0         0      no 
svc_sam_appAG          running           0(4)           0         0      no 
svc_sam_envAG          running           0(4)           0         0      no 
fp1120-v-1(local-mgmt)# 

If you are unable to run the commands as I demonstrated, perhaps opening a TAC case would be useful. Even if you could run them, you should not be having to run those commands normally.
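Added example, not part of the original post and not Cisco code: a small parser for captured `show pmon state` output that lists every service not in the `running` state. It handles the rows in the capture above where a long service name runs straight into the STATE column (`svc_sam_sessionmgrAGterminated`); the function names are hypothetical and the state list is limited to the three values that appear in this thread.

```python
import re

# Constructed sample: rows taken from the `show pmon state` capture in the post above,
# including one where the service name is fused to the STATE column.
SAMPLE = """\
SERVICE NAME             STATE     RETRY(MAX)    EXITCODE    SIGNAL    CORE
------------             -----     ----------    --------    ------    ----
svc_sam_dme         terminated           0(4)           0         0      no
httpd.sh                killed           0(4)           0         0      no
svc_sam_sessionmgrAGterminated           0(4)           0         0      no
svc_sam_envAG          running           0(4)           0         0      no
"""

# Assumption: only the states seen in this thread; anything else is reported as found.
KNOWN_STATES = ("running", "terminated", "killed")

# The four trailing columns are always whitespace separated, so anchor on them.
ROW = re.compile(
    r"^(?P<head>\S.*?)\s+(?P<retry>\d+)\((?P<max>\d+)\)"
    r"\s+(?P<exit>-?\d+)\s+(?P<sig>\d+)\s+(?P<core>\w+)\s*$"
)

def split_head(head):
    """Split 'name state', even when a long name is fused to the state."""
    parts = head.split()
    if len(parts) >= 2:
        return " ".join(parts[:-1]), parts[-1]
    for state in KNOWN_STATES:
        if head.endswith(state) and len(head) > len(state):
            return head[:-len(state)], state
    return head, "unknown"

def parse_pmon_state(text):
    """Return one dict per service row; headers, prompts and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        name, state = split_head(m["head"])
        rows.append({"service": name, "state": state,
                     "retry": int(m["retry"]), "max_retry": int(m["max"]),
                     "exit": int(m["exit"]), "signal": int(m["sig"]), "core": m["core"]})
    return rows

def not_running(text):
    """List (service, state) for every service that is not running."""
    return [(r["service"], r["state"]) for r in parse_pmon_state(text) if r["state"] != "running"]
```
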

Hi Marvin, thanks for your reply. I have a Cisco TAC, and the last workaround is that I have to stop the pmon service. But if I use the command show pmon state, it doesn't do anything; it doesn't show any result and only returns the prompt. When I try to stop the service, it asks me for a password and I use the admin password, and after that it shows the error: Sorry, user admin is not allowed to execute '/usr/bin/pkill -SIGUSR1 pmon' as root on

 

I need some help ,  thanks in advance.

 

If you are working with TAC, it would be most effective to continue doing so. If the current engineer is unable to assist then request escalation to a more senior engineer or lead.

You didn't mention what version of software you are running.

Marvin Rhoads
Hall of Fame

My experience matches @Francesco Molino.

When you say you changed the admin password do you mean the standard prompt to do so during initial setup or did you use some other method?
