GS1900-10HP snmp default community string unexpected behavior and broken SSH enable password prompt

danyedinakdanyedinak Member Posts: 25  Freshman Member
On the GS1900-10HP, both V2.40(AAZI.2) and V2.50(AAZI.0), there is a problem with the default screen that is presented recommending that the admin password and SNMP string be changed. On this screen, it is possible to change the admin password without changing the SNMP community string. However, if I attempt to change the SNMP community string without providing the current password (even if not changing the password), it will fail. If I provide the current password without a new password while changing the community string, it will work. Incidentally, there is no confirmation of the successfully changed community string, but, quite suddenly, just redirects to the status screen.

As an aside - the copyright on both these firmware versions also shows 1995-2017.

I'm also confused about the behavior of the enable command in a SSH session. In both firmware versions listed above, if I login as a user with admin level privileges, then disable, it will give me the limited user menu. But, when I attempt to enable again, it presents with a password prompt that will never work, no matter which password is entered. However, if I simply hit <enter> at this password prompt without typing any password, it will return to the privileged mode state. Toggling back and forth between "enabled" and "disabled" is normal in the USG series devices and, while the addition of a password prompt as sort of a sudo privilege would make sense, it doesn't work in this case, making the presentation of a password prompt completely pointless - so, why is it there at all?

All Replies

  • Zyxel_DerrickZyxel_Derrick Zyxel Official Agent Posts: 62  mod
    Hi @danyedinak

    Thanks for your feedback.
    About changing SNMP community string, we can see the same behavior as yours.
    Therefore, we will discuss with the internal about it.
    For the enable command in the SSH session, there is no such issue when I login as a user with admin privilege in my local lab.
    Therefore, could you provide your configuration and the screenshots of the problem that you encountered?
    Thanks

    Best regards,
    Zyxel_Derrick 
  • danyedinakdanyedinak Member Posts: 25  Freshman Member
    I first identified these issues on my lab machine, and confirmed on a production switch. In the lab, it's an out of box configuration upgraded from 2.40(AAZI.1) to 2.40(AAZI.2)C0 to V2.40(AAZI.2) to V2.50(AAZI.0). What follows is a copy paste of the terminal commands and output. Note that the username isn't showing via the show privilege command, but, in this case, it is just admin, but the production account has a different username with the same behavior. You can see the password prompt appear immediately after the enable command is entered.

    GS1900# show info
    System Name      : GS1900
    System Location  : Location
    System Contact   : Contact
    MAC Address      : 5C:E2:8C:6D:1B:CB
    IP Address       : 192.168.199.2
    Subnet Mask      : 255.255.255.0
    Boot Version     : V2.00 | 07/17/2015
    Firmware Version : V2.50(AAZI.0) | 10/21/2019
    System Object ID : 1.3.6.1.4.1.890.1.15
    System Up Time   : 0 days, 16 hours, 46 mins, 44 secs
    GS1900# disable
    GS1900>
      enable      Turn on privileged mode command
      exit        Exit current mode and down to previous mode
      ping        Send ICMP ECHO_REQUEST to network hosts
      show        Show running system information
      traceroute  Trace route to network hosts
    GS1900> show privilege
    Current CLI Username:
    Current CLI Privilege: 1
    GS1900> enable
    Password:
    GS1900# show privilege
    Current CLI Username:
    Current CLI Privilege: 15


  • Zyxel_DerrickZyxel_Derrick Zyxel Official Agent Posts: 62  mod
    Hi @danyedinak

    Thanks for your information
    GS1900 series is a smart managed switch which does not support CLI command to configure switch.
    From V2.50, we have enhanced the security that only the account with admin privilege can SSH switch.
    Therefore, the admin privilege account can switch back and forth enable mode without password due to enable password is empty and can't be configured.
    Other users with non-admin privilege will be shut down immediately if they try to use SSH to login switch.
    Thanks

    Best regards,
    Zyxel_Derrick

  • danyedinakdanyedinak Member Posts: 25  Freshman Member
    Switching back and forth between admin privilege without a password is understandable, but, why prompt for a password at all? It's confusing since it doesn't even accept a valid password. No password prompt should appear when the enable command is entered.
  • Zyxel_DerrickZyxel_Derrick Zyxel Official Agent Posts: 62  mod

    It is common feature for switch to go back and forth the enable mode.
    That's why we keep it in the GS1900 series.
    I apologize for making you confuse and thanks for your advice.
    We will put it into the IDEAs to see if other users have the same idea.
    Thanks

    Best regards,
    Zyxel_Derrick
  • danyedinakdanyedinak Member Posts: 25  Freshman Member
    I think seeing if others agree is good, but I feel like the real problem isn't conveyed. It's the password prompt that is presented when entering enable and requires a null entry (and doesn't accept valid passwords) that's the entirety of the problem. There should either be no password prompt, or the prompt should accept a valid password.
Sign In to comment.