GS1900-10HP SNMP default community string unexpected behavior and broken SSH enable password prompt
danyedinak
On the GS1900-10HP, both V2.40(AAZI.2) and V2.50(AAZI.0), there is a problem with the default screen that is presented recommending that the admin password and SNMP string be changed. On this screen, it is possible to change the admin password without changing the SNMP community string. However, if I attempt to change the SNMP community string without providing the current password (even if not changing the password), it will fail. If I provide the current password without a new password while changing the community string, it will work. Incidentally, there is no confirmation of the successfully changed community string; it just redirects, quite suddenly, to the status screen.
As an aside - the copyright on both these firmware versions also shows 1995-2017.
I'm also confused about the behavior of the enable command in an SSH session. In both firmware versions listed above, if I log in as a user with admin level privileges, then disable, it will give me the limited user menu. But, when I attempt to enable again, it presents a password prompt that will never work, no matter which password is entered. However, if I simply hit <enter> at this password prompt without typing any password, it will return to the privileged mode state. Toggling back and forth between "enabled" and "disabled" is normal in the USG series devices and, while the addition of a password prompt as a sort of sudo privilege would make sense, it doesn't work in this case, making the presentation of a password prompt completely pointless - so, why is it there at all?
All Replies
-
Hi @danyedinak
Thanks for your feedback.
About changing the SNMP community string, we can see the same behavior as yours.
Therefore, we will discuss it internally.
For the enable command in the SSH session, there is no such issue when I log in as a user with admin privilege in my local lab.
Therefore, could you provide your configuration and the screenshots of the problem that you encountered?
Thanks
Best regards,
Zyxel_Derrick
-
I first identified these issues on my lab machine, and confirmed on a production switch. In the lab, it's an out of box configuration upgraded from 2.40(AAZI.1) to 2.40(AAZI.2)C0 to V2.40(AAZI.2) to V2.50(AAZI.0). What follows is a copy paste of the terminal commands and output. Note that the username isn't showing via the show privilege command, but, in this case, it is just admin, but the production account has a different username with the same behavior. You can see the password prompt appear immediately after the enable command is entered.
GS1900# show info
System Name : GS1900
System Location : Location
System Contact : Contact
MAC Address : 5C:E2:8C:6D:1B:CB
IP Address : 192.168.199.2
Subnet Mask : 255.255.255.0
Boot Version : V2.00 | 07/17/2015
Firmware Version : V2.50(AAZI.0) | 10/21/2019
System Object ID : 1.3.6.1.4.1.890.1.15
System Up Time : 0 days, 16 hours, 46 mins, 44 secs
GS1900# disable
GS1900>
enable Turn on privileged mode command
exit Exit current mode and down to previous mode
ping Send ICMP ECHO_REQUEST to network hosts
show Show running system information
traceroute Trace route to network hosts
GS1900> show privilege
Current CLI Username:
Current CLI Privilege: 1
GS1900> enable
Password:
GS1900# show privilege
Current CLI Username:
Current CLI Privilege: 15
-
Hi @danyedinak
Thanks for your information.
The GS1900 series is a smart managed switch which does not support CLI commands to configure the switch.
From V2.50, we have enhanced the security so that only accounts with admin privilege can SSH to the switch.
Therefore, the admin privilege account can switch back and forth to enable mode without a password, because the enable password is empty and can't be configured.
Other users with non-admin privilege will be shut down immediately if they try to use SSH to log in to the switch.
Thanks
Best regards,
Zyxel_Derrick
-
Switching back and forth between admin privilege without a password is understandable, but, why prompt for a password at all? It's confusing since it doesn't even accept a valid password. No password prompt should appear when the enable command is entered.
-
Hi @danyedinak
It is a common feature for a switch to go back and forth to the enable mode.
That's why we keep it in the GS1900 series.
I apologize for confusing you, and thanks for your advice.
We will put it into the IDEAs to see if other users have the same idea.
Thanks
Best regards,
Zyxel_Derrick
-
I think seeing if others agree is good, but I feel like the real problem isn't conveyed. It's the password prompt that is presented when entering enable and requires a null entry (and doesn't accept valid passwords) that's the entirety of the problem. There should either be no password prompt, or the prompt should accept a valid password.