Skyhigh Security

Update Local Admin Password with Custom Script

Organizational password strength and rotation requirements for local GUI accounts can be met by running a custom script on a Skyhigh Security Secure Web Gateway (SWG). Password vaulting tools can further automate the process when used with the script. The script is written in Python and can be run on any cluster member or standalone appliance. This custom script approach works on supported SWG versions 13.x and earlier.

NOTE: Skyhigh does not provide a supported script; however, a functional script can be created using fully supported SWG functions and standard Linux commands. Python is the recommended scripting language, as a native Python interpreter with the required libraries (os, base64, hashlib, xml.etree.ElementTree) is available on SWG.

Steps to Update Local Account Password
  1. Generate the new password hash using PBKDF2-HMAC-SHA256
    • Generate a 16-byte salt. salt = os.urandom(16)
    • Derive the key. dk = hashlib.pbkdf2_hmac('sha256', new_password.encode(), salt, 1000, 512)
    • Encode the salt and derived key in Base64.
      • salt_b64 = base64.b64encode(salt).decode('utf-8')
      • dk_b64 = base64.b64encode(dk).decode('utf-8')
    • Format the final hash string. SHA-256:1000:<salt_b64>:<dk_b64>
  2. Run the service mwg-ui stop command to stop the UI service.
  3. Run the cat /opt/mwg/storage/active_configuration command to retrieve the path to the active configuration.
  4. Run the /opt/mwg/bin/mwg-coordinator -F "file:in=`cat /opt/mwg/storage/active_configuration`" command to create a new running configuration by using the active configuration path.
  5. Append /internal/administration.xml to the path from step 3 to create the full XML file path.
  6. Update the XML file found in the path created in step 5:
    1. Create a backup of the file (administration.xml.bak).
    2. Parse the XML of the original file. 
    3. Locate the user account you want to update.
    4. Locate the passwordHash element for that account.
    5. Replace the existing value with the new hash string generated in step 1.
    6. Save the XML file with UTF-8 encoding (administration.xml).
  7. Apply the correct ownership to the modified file (administration.xml).
    chown -R mwgc.mwg <path-to-backup-file>
  8. Run the /opt/mwg/bin/mwg-coordinator -F "file:in='<path to updated config>'" command so that the coordinator applies the full updated configuration (path from step 3).
  9. Run the  service mwg-ui start command to start the UI service.
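
Steps 1 and 6 as Python, added here as an example; it is not a Skyhigh script and not code from this article. The layout of administration.xml is not shown in the article, so the account lookup (an element that carries the account name as an attribute value and directly contains passwordHash), SAMPLE_XML, verify_hash and the command-line usage are assumptions. The service, mwg-coordinator and chown commands from the other steps are still run separately.

```python
import base64, getpass, hashlib, hmac, os, shutil, sys
import xml.etree.ElementTree as ET

ITERATIONS, DK_LEN = 1000, 512  # parameters given in step 1

# Constructed sample; the real administration.xml layout is an assumption here.
SAMPLE_XML = ('<administration><account name="admin"><passwordHash>old</passwordHash>'
              '</account><account name="audit"><passwordHash>keep</passwordHash>'
              '</account></administration>')

def make_hash(new_password, salt=None):
    """Step 1: return 'SHA-256:1000:<salt_b64>:<dk_b64>' with a fresh 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac('sha256', new_password.encode(), salt, ITERATIONS, DK_LEN)
    return "SHA-256:%d:%s:%s" % (ITERATIONS, base64.b64encode(salt).decode('utf-8'),
                                 base64.b64encode(dk).decode('utf-8'))

def verify_hash(password, stored):
    """Self-check: recompute from the stored salt and compare in constant time."""
    algo, iters, salt_b64, dk_b64 = stored.split(":")
    want = base64.b64decode(dk_b64)
    got = hashlib.pbkdf2_hmac('sha256', password.encode(), base64.b64decode(salt_b64),
                              int(iters), len(want))
    return algo == "SHA-256" and hmac.compare_digest(got, want)

def set_password_hash(xml_path, account, new_hash):
    """Step 6: back up, parse, locate the account, replace passwordHash, save as UTF-8."""
    shutil.copy2(xml_path, xml_path + ".bak")              # 6.1 backup
    tree = ET.parse(xml_path)                              # 6.2 parse
    # 6.3/6.4 (assumed layout): the account name is an attribute value of the element
    # that directly contains <passwordHash>. Refuse to write unless exactly one matches.
    hits = [el for el in tree.iter()
            if account in el.attrib.values() and el.find("passwordHash") is not None]
    if len(hits) != 1:
        raise LookupError("expected 1 account named %r, found %d" % (account, len(hits)))
    hits[0].find("passwordHash").text = new_hash           # 6.5 replace
    tree.write(xml_path, encoding="utf-8", xml_declaration=True)  # 6.6 save

if __name__ == "__main__":
    # Hypothetical usage: <script> <path-to-administration.xml> <account>
    path, account = sys.argv[1], sys.argv[2]
    # Prompt without echo so the password never appears in argv or shell history.
    set_password_hash(path, account, make_hash(getpass.getpass("New password: ")))
```
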