AlSolorzano.com

News, Opinions, & Tips on Application and Server Virtualization

How to reset the password of a Citrix Access Gateway (2000/2010 models)


I was told by Citrix support that neither a password reset nor a password recovery was possible after a client had forgotten the password (and they were uncertain how up to date their last backup of the config was), but a co-worker (Richard Montoya) got me thinking after he stated "It's just linux. Try and break in like it is linux." So I did. It took me a while since I was not changing the correct file (I originally went for the /etc/passwd and /etc/shadow files, but that wasn't it). Once we found the right file (/config/passwd), it all became much easier. Hopefully someone may find this useful...

Note: I tested on a Virtual Machine on VMware Workstation 6.5 that I built using this web site: http://frameworkx.com/file.aspx?id=18 (DO NOT USE FOR PRODUCTION USE!!!). I then tested on a few other VMs on other computers to verify there isn't a hash of some sort with a MAC address or Hard drive serial number. Then we performed the steps on the actual physical Citrix Access Gateway 2000 boxes and it also worked. I used the 4.5.2 firmware, the 4.5.6 firmware and 4.5.8 firmware.

Also, you can add other accounts in the file. I don't necessarily recommend it, but if you have a standard account like admin:Cra$yPa$$w0dr that you use for other devices... then add another line with the admin:<one of the key sequences I have below>, then reboot the CAG, log in using the account into the Web Site, and then change the password to your standard password. Just interesting to note you can do that also.

If you get this working on a 2010 model that requires a Boot from USB, please leave a comment below to help everyone out. If I confirm it on a 2010 anytime soon, I will update this also.

  1. Download Ubuntu (any Ubuntu CD can be run from the ISO/CD) or a Knoppix Live Desktop CD (Hint: the P2V boot CD from VMware runs Knoppix.)
    For the purposes of this document I used Ubuntu 8.10 Desktop Edition from http://www.ubuntu.com/getubuntu/download
  2. Burn to a CD (I used this method for the VM under VMware Workstation 6.5 and the older Citrix Access Gateway 2000 model)
    OR
    Boot a workstation from Ubuntu CD to create a USB Startup Disk (See To Create a Bootable USB with Ubuntu later in this document)
    Launch Create USB Startup Disk from the System drop down.
    Create USB Startup Disk.
  3. Attach a Keyboard, Monitor and Mouse to the back of the CAG.
  4. Boot the CAG from the CD. (Make sure Boot to CD is above boot to hard drive in the BIOS OR to Removable Devices if you are using USB)

    Select English if it prompts you for a language and then select "Try Ubuntu without any changes to my computer".


  5. Open a shell from Applications > Accessories > Terminal


  6. Run the following commands:

    sudo mkdir /cag
    sudo mount /dev/sda1 /cag
    sudo nano /cag/config/passwd               (you can use vi if you want)
  7. Replace the text after the root: with eq5t9SK0L7uWx/WfEF2ub7DNsQU=  
    So the old file will look like this (where XXXXXXX is the unknown encrypted password):
    root:XXXXXXXXXXXXXXX=

    When you are done the file should look like this:
    root:eq5t9SK0L7uWx/WfEF2ub7DNsQU=
                ^Zero ^yes the slash needs to be there

    This will reset the Citrix Access Gateway back to rootadmin as the password.


    Note: root:= and root: DO NOT WORK! So you can't have a blank password. Citrix does not allow a password of less than 6 characters via the normal methods to change the password.


  8. Assuming you used Nano as the text editor, press Ctrl+X to save and exit, Y to save and then <enter> to overwrite the existing file.

    If you are using vi, press <esc> :wq! <enter>
  9. Run the following commands:

    sudo umount /cag

  10. To shut down Ubuntu, click on System and then Shut Down.

  11. Remove the USB drive (if this method was used), then power on CAG and quickly eject Ubuntu CD (if this method was used).
  12. Log in with username and password of root and rootadmin via the console cable, Citrix Access Gateway Administration Tool or the Citrix Access Gateway Administration web page (https://ipofcag:9001/)

    Notes:
    To set the password to chosen1, just so it isn't the default, use the following:
    root:S+jdhHi1BaLMVq0mln3ycsLTQ+c=
                                         ^ Lower L
                       ^One      ^Capital O


    To set the password to password
    root:i1UWsoY8Zyg2yKJ8zD7UeOvgzBI=
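
A follow-up check for after the reset, as an added example that is not part of the original post: it scans a copy of /config/passwd for entries that still carry one of the three hashes published above, which work on any device and therefore should not stay in place. The function names, the finding labels and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a copy of a CAG /config/passwd file (format taken from
# the article: one "user:hash" entry per line) for the hashes published above.

# Map a hash copied verbatim from the article to the password it sets.
known_password_for() {
    case $1 in
        'eq5t9SK0L7uWx/WfEF2ub7DNsQU=') echo rootadmin ;;
        'S+jdhHi1BaLMVq0mln3ycsLTQ+c=') echo chosen1 ;;
        'i1UWsoY8Zyg2yKJ8zD7UeOvgzBI=') echo password ;;
        *) return 1 ;;
    esac
}

# audit_cag_passwd FILE: print one finding per line; return 1 if any were found.
audit_cag_passwd() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then continue; fi
        user=${line%%:*}
        digest=${line#*:}
        if [ "$user" = "$line" ]; then
            echo "MALFORMED: no ':' separator in entry '$line'"; rc=1
        elif [ -z "$digest" ] || [ "$digest" = "=" ]; then
            # The article notes that "root:" and "root:=" do not work.
            echo "BLANK: $user has an empty hash (such entries do not work)"; rc=1
        elif pw=$(known_password_for "$digest"); then
            echo "PUBLISHED: $user uses the published hash for '$pw'"; rc=1
        elif [ "${#digest}" -ne 28 ]; then
            # Assumption: every hash shown in the article is 28 characters long.
            echo "LENGTH: $user hash is ${#digest} characters, expected 28"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed sample file (not taken from a real appliance); the "ops" value
# is a made-up 28-character placeholder standing in for a non-default hash.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:eq5t9SK0L7uWx/WfEF2ub7DNsQU=
admin:S+jdhHi1BaLMVq0mln3ycsLTQ+c=
backup:
ops:abcdefghijklmnopqrstuvwxyz0=
EOF
audit_cag_passwd "$sample" || echo "Change the flagged passwords from the admin tool."
rm -f "$sample"
```

To check a real device, call audit_cag_passwd on the mounted file from step 6 (/cag/config/passwd) or on a copy taken from a config backup.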

 

 

To Create a Bootable USB with Ubuntu

  1. Boot off the Ubuntu CD just as above.

  2. Select System > Administration > Create a USB Startup Disk

  3. Make sure the USB is inserted and click Make Startup Disk.


  4. Once it is done, click on Quit.


  5. To shut down Ubuntu, click on System and then Shut Down.



Published Tuesday, January 13, 2009 3:47 AM by Al Solorzano

Comments

 

timarenz said:

Hi Al,

your article saved my life. I wanted to upgrade a CAG 4.2 to version 4.6. I did this several times before, just save the config via the admin tool, update the appliance and then restore the config.

This time the root password contained some special characters, in this particular case a $, and after the restore of the config something went wrong with the password. I couldn't log on to the appliance with either the default password or the custom password. So I tried your article and it worked very well, even with the version 4.6 firmware of Access Gateway.

Best regards,

Tim

timarenz.de

October 14, 2009 2:54 AM
 

ineedmoney said:

hi Al

I have come across the same situation after upgrading my Citrix Access Gateway. I followed your instructions but I have hit a brick wall: the password file doesn't seem to be there. I am pretty new to all of this, so your help would be very much appreciated.

March 4, 2010 7:43 AM