On Wed, 16 Oct 2002, Mike Scher wrote:

> 1) The accounts (manuf and diag) are clearly present in the config and
> easily seen with 'show running-conf' or 'show startup-conf'

They are also documented in the Cajun guides; usually they just say 'don't touch these accounts'.

> 2) They are system accounts and cannot be deleted
> 3) They have by default the passwords indicated by Mr. Lipkowski
> 4) They CAN have their passwords changed by the 'root user' and the
> changes save successfully across reloads.

The root user can always change the passwords in any version: just download the config file, make modifications to it, and upload it back again via tftp (this was mentioned in the advisory as a workaround).

[...]

> While testing, we noticed that accounts with the same password show the
> same saved hash, indicating that only one salt is in use. That may be a
> legacy item on the P550, which is discontinued and stuck at 4.3.5 version
> software.

No, the salt is static in all "bigger" Cajuns. This item was also mentioned during my discussion with Avaya. Actually I wouldn't be surprised if all Cajuns used the same hash (which is easy to check - just compare the hashes from my advisory with the hashes on your switch).

BTW, does anyone know what it is? It looks like the result of a unix md5 crypt, which is $1$salt$hash, but with the $1$salt part cut off.

jacek
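
Added example, not part of the original message or of any Avaya code: a small audit sketch showing why a single static salt lets identical saved hashes reveal shared passwords and lets published default hashes be matched against a switch's config, while a per-account salt does not. The hash function is a salted SHA-256 stand-in (the real algorithm is not identified in the thread), and the salt, passwords and "published" hash set are constructed for illustration.

```python
import hashlib
import os
from collections import defaultdict

STATIC_SALT = b"constructed-fixed-salt"  # assumption: stands in for the one built-in salt


def toy_hash(password, salt):
    """Salted SHA-256 stand-in; NOT the switch's real algorithm."""
    return hashlib.sha256(salt + password.encode()).hexdigest()[:22]


def save_config(accounts, per_account_salt):
    """Return {account: saved_value} as a config file would store it."""
    saved = {}
    for name, password in accounts.items():
        if per_account_salt:
            salt = os.urandom(8)  # fresh salt, stored next to the hash
            saved[name] = salt.hex() + "$" + toy_hash(password, salt)
        else:
            saved[name] = toy_hash(password, STATIC_SALT)  # salt part cut off
    return saved


def shared_password_groups(saved):
    """Groups of accounts whose saved value is byte-for-byte identical."""
    groups = defaultdict(list)
    for name, value in saved.items():
        groups[value].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def still_default(saved, published):
    """Accounts whose saved hash equals a hash published for a default password."""
    return sorted(n for n, v in saved.items() if v in published)


# Constructed sample data: account names from the thread, passwords invented here.
ACCOUNTS = {"root": "changed-by-admin", "manuf": "vendor-default",
            "diag": "vendor-default", "oper": "another-one"}
# Placeholder for the hashes printed in an advisory (constructed, not real values).
PUBLISHED = {toy_hash("vendor-default", STATIC_SALT)}

if __name__ == "__main__":
    for label, flag in (("static salt", False), ("per-account salt", True)):
        saved = save_config(ACCOUNTS, per_account_salt=flag)
        print(label, "shared:", shared_password_groups(saved),
              "default:", still_default(saved, PUBLISHED))
```

Run against real exported hashes, `still_default` is the comparison the message suggests: any account it returns should have its password changed.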