Note: Cisco recommends that all Cisco IOS® devices implement the authentication, authorization, and accounting (AAA) security model. AAA can use local, RADIUS, and TACACS+ databases.

There are no specific requirements for this document.

This document is not restricted to specific software and hardware versions. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

User passwords, and most other passwords (not enable secrets) in Cisco IOS configuration files, are encrypted with a scheme that is very weak by modern cryptographic standards.

Although Cisco does not distribute a decryption program, at least two different decryption programs for Cisco IOS passwords are available to the public on the internet; the first public release of such a program of which Cisco is aware was in early 1995. We would expect any amateur cryptographer to be able to create a new program with little effort.

The scheme used by Cisco IOS for user passwords was never intended to resist a determined, intelligent attack. The encryption scheme was designed to avoid password theft by simple snooping or sniffing. It was never intended to protect against someone who conducts a password-cracking effort on the configuration file.

Because of the weak encryption algorithm, it has always been the Cisco position that users treat any configuration file that contains passwords as sensitive information, the same way they would treat a clear text list of passwords.

The enable secret and enable password Commands

The enable password command is no longer recommended. Use the enable secret command for better security. The only instance in which the enable password command can be tested is when the device is in a boot mode that does not support the enable secret command.

Enable secrets are hashed with the MD5 algorithm. As far as anyone at Cisco knows, it is impossible to recover an enable secret based on the contents of a configuration file (other than by obvious dictionary attacks).

Note: This applies only to passwords set with enable secret, and not to passwords set with enable password. Indeed, the strength of the encryption used is the only significant difference between the two commands.

Which Cisco IOS Image Supports enable secret?

Look at your boot image with the show version command from your normal operating mode (full Cisco IOS image) to see if the boot image supports the enable secret command. If the boot image does not support enable secret, note these caveats:

- Use of an enable password can be unnecessary if you have physical security so no one can reload the device to the boot image. If someone has physical access to the device, they can easily subvert the device security without a need to access the boot image.
- If you set the enable password to the same as the enable secret, you have made the enable secret as prone to attack as the enable password.
- If you set enable password to a different value because the boot image does not support enable secret, your router administrators must remember a new password that is used infrequently on ROMs that do not support the enable secret command. With a separate enable password, administrators need to remember the password when they force a downtime for a software upgrade, which is the only reason to log in to boot mode.

Almost all passwords and other authentication strings in Cisco IOS configuration files are encrypted with the weak, reversible scheme used for user passwords. To determine which scheme has been used to encrypt a specific password, check the digit before the encrypted string in the configuration file. If that digit is a 7, the password has been encrypted with the weak algorithm. If the digit is a 5, the password has been hashed with the stronger MD5 algorithm.

For example, in the configuration command:

enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.

the enable secret has been hashed with MD5, whereas in the command:

username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D

the password has been encrypted with the weak reversible algorithm.

When you send configuration information in e-mail, sanitize the configuration from type 7 passwords. You can use the show tech-support command, which sanitizes the information by default. Sample show tech-support command output is shown here.

aaa authentication ppp default if-needed local
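A small audit-and-sanitize script, added here as an illustration and not part of the Cisco document: it classifies each credential line of an IOS configuration by the digit before the string (7 = weak reversible, 5 = MD5 hash; type 0 as plaintext is assumed from IOS convention and is not covered above), lists every credential that is not an MD5 hash, and replaces all credential strings with <removed> before the configuration is mailed, in the spirit of show tech-support. The sample configuration is constructed: the type 5 line reuses the page's example, the type 7 values are made up.

```python
import re

# Constructed sample running-config (not the page's show tech-support output).
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
enable password 7 094F471A1A0A
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
username ops password 0 Plain123
aaa authentication ppp default if-needed local
"""

# Matches "<keyword> <type-digit> <string>" as written in IOS config lines.
SECRET_RE = re.compile(r"^(?P<prefix>.*\b(?:password|secret)\s+)(?P<type>\d+)\s+(?P<value>\S+)\s*$")

SCHEMES = {
    "0": "plaintext (type 0)",          # assumed IOS convention, not on the page
    "5": "MD5 hash (type 5)",           # enable secret style
    "7": "weak reversible (type 7)",    # user password style
}

def classify(line):
    """Return (scheme, value) for a line carrying a password/secret, else None."""
    m = SECRET_RE.match(line)
    if not m:
        return None
    scheme = SCHEMES.get(m.group("type"), "other (type %s)" % m.group("type"))
    return scheme, m.group("value")

def audit(config):
    """List (line_number, scheme) for every credential that is not an MD5 hash."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        hit = classify(line)
        if hit and not hit[0].startswith("MD5"):
            findings.append((n, hit[0]))
    return findings

def sanitize(config):
    """Replace every credential string with <removed> (format chosen here, not IOS's exact output)."""
    out = []
    for line in config.splitlines():
        m = SECRET_RE.match(line)
        out.append(m.group("prefix") + m.group("type") + " <removed>" if m else line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
    print(sanitize(SAMPLE_CONFIG))
```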