brez at brezworks
Nov 26, 2012, 9:30 PM
Post #5 of 6
On 11/26/2012 11:08 PM, Mikael Abrahamsson wrote:
> On Tue, 27 Nov 2012, Andrew Miehs wrote:
>> Hi all,
>> Cisco Cat 4500 running
>> Warning: The CLI will be deprecated soon
>> 'enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxx/'
>> Please move to 'enable secret <password>' CLI
>> Any suggestions on how to get around this - I don't really want the
>> password lying around in plain text...
> If you do what it asks and have "service password-encryption" enabled,
> what happens? I doubt it'll be in plaintext anyway.
Type the password in as "enable secret yourpasshere" one time, and look
at the config. It will probably show type 4 instead of type 5 after you
do that. Newer passwords are using SHA256 hashing instead of MD5. Once
you've entered it and have the type 4 hash, you can copy/paste that into
your config scripts and be fine as long as the devices are all running
new enough code to support it. Not sure what FN calls it, but the IOS
Security command reference at
lists that it was added in 15.1(4)M code for IOS, 15.0(1)S, and IOS XE
3.1S. In IOS XE 3.3.0SG they mention that type 5 was removed.
They also mention the caveat that if you downgrade a device with SHA256
enable to one without it, the enable secret will be removed, which might
lead to some interesting password recoveries if you roll this out
everywhere and have to downgrade to older code due to bugs.
Jeremy "TheBrez" Bresley
brez [at] brezworks
cisco-nsp mailing list cisco-nsp [at] puck
archive at http://puck.nether.net/pipermail/cisco-nsp/
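As an added example (not code from the original post, and not Cisco's own tooling), the following Python script does the check the post describes without logging in to every box: it reproduces the type 4 hash that IOS writes for a given secret, so you can confirm that the 43-character string the first device shows is the hash of the password you actually typed before pasting it into config scripts, and it tells `enable secret 4` and `enable secret 5` lines apart in a config dump. The type 4 format (one SHA-256 over the password, base64 with the crypt-style `./0-9A-Za-z` alphabet, no padding) is the documented one; the sample config is constructed, and the `$1$abcd$...` value in it is a placeholder shape, not a real hash of anything. The `hashcat` test vector is the published example for that hash type.

```python
"""Reproduce Cisco IOS 'enable secret 4' (SHA-256) hashes offline and
classify enable secret lines in a config. Added example, not from the post."""
import base64
import hashlib
import hmac
import re

# Type 4 uses the normal base64 bit grouping of the 32-byte digest but
# writes it with the crypt-style alphabet and drops the '=' padding,
# which is why the stored value is always 43 characters long.
_STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_CISCO_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TO_CISCO = str.maketrans(_STD_B64, _CISCO_B64)

TYPE4_RE = re.compile(r"^[./0-9A-Za-z]{43}$")                           # unsalted SHA-256
TYPE5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")  # md5-crypt
ENABLE_SECRET_RE = re.compile(r"^\s*enable secret(?: (\d+))? (\S+)\s*$")

# Constructed sample config (not a real device). The type 5 value is a
# placeholder with the right shape only; the type 4 value is the hash of
# "hashcat", which is the published test vector for this hash type.
SAMPLE_CONFIG = """\
hostname lab-4500
enable secret 5 $1$abcd$0123456789abcdefghijkl
enable secret 4 2btjjy78REtmYkkW0csHUbJZOstRXoWdX1mGrmmfeHI
"""


def cisco_type4(password: str) -> str:
    """Return the string IOS stores after 'enable secret 4 ' for `password`."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    std = base64.b64encode(digest).decode("ascii").rstrip("=")
    return std.translate(_TO_CISCO)


def verify_type4(password: str, stored: str) -> bool:
    """Constant-time check that `stored` is the type 4 hash of `password`."""
    return hmac.compare_digest(cisco_type4(password), stored)


def enable_secret_line(password: str) -> str:
    """The config line to paste into scripts for devices that support type 4."""
    return f"enable secret 4 {cisco_type4(password)}"


def classify_enable_secrets(config_text: str) -> list:
    """Return (type, value, description) for every enable secret line."""
    found = []
    for line in config_text.splitlines():
        m = ENABLE_SECRET_RE.match(line)
        if not m:
            continue
        kind = int(m.group(1)) if m.group(1) is not None else 0
        value = m.group(2)
        if kind == 4 and TYPE4_RE.match(value):
            desc = "type 4: unsalted SHA-256, needs code with type 4 support"
        elif kind == 5 and TYPE5_RE.match(value):
            desc = "type 5: salted md5-crypt"
        elif kind == 0:
            desc = "plaintext: IOS will hash it on entry"
        else:
            desc = "unrecognised type or malformed hash"
        found.append((kind, value, desc))
    return found


def device_hash_matches(config_text: str, intended_password: str) -> bool:
    """True if the config's type 4 line is the hash of the password you meant."""
    return any(
        kind == 4 and verify_type4(intended_password, value)
        for kind, value, _ in classify_enable_secrets(config_text)
    )


if __name__ == "__main__":
    for kind, value, desc in classify_enable_secrets(SAMPLE_CONFIG):
        print(f"enable secret {kind} {value}  <- {desc}")
    print("matches intended secret:", device_hash_matches(SAMPLE_CONFIG, "hashcat"))
    print(enable_secret_line("hashcat"))
```

Because type 4 has no salt, the same secret produces the identical 43-character string on every device; that is what makes the copy/paste approach in the post work, and it is also why the script can regenerate the hash from the password alone. The type 5 branch only recognises the `$1$salt$hash` shape; reproducing md5-crypt is not needed for the check above and is left out.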