Mailing List Archive: Cisco: NSP

enable secret 'password'

 

 



andrew at 2sheds

Nov 26, 2012, 7:57 PM

Post #1 of 6 (2752 views)
enable secret 'password'

Hi all,

Cisco Cat 4500 running cat4500e-universalk9.SPA.03.03.02.SG.151-1.SG2.bin

Warning: The CLI will be deprecated soon
'enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxx/'
Please move to 'enable secret <password>' CLI

Any suggestions on how to get around this - I don't really want the
password lying around in plain text...

Andrew
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


chuckchurch at gmail

Nov 26, 2012, 8:04 PM

Post #2 of 6 (2729 views)
Re: enable secret 'password'

Seems a bit odd. Perhaps they're pushing you towards using the new type 4
SHA password hash that 15.x seems to introduce rather than the older and
now-viewed insecure MD5?

Chuck



swmike at swm

Nov 26, 2012, 9:08 PM

Post #3 of 6 (2725 views)
Re: enable secret 'password'

On Tue, 27 Nov 2012, Andrew Miehs wrote:

> Hi all,
>
> Cisco Cat 4500 running cat4500e-universalk9.SPA.03.03.02.SG.151-1.SG2.bin
>
> Warning: The CLI will be deprecated soon
> 'enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxx/'
> Please move to 'enable secret <password>' CLI
>
> Any suggestions on how to get around this - I don't really want the
> password lying around in plain text...

If you do what it asks and have "service password-encryption" enabled,
what happens? I doubt it'll be in plaintext anyway.

--
Mikael Abrahamsson email: swmike [at] swm


andrew at 2sheds

Nov 26, 2012, 9:25 PM

Post #4 of 6 (2745 views)
Re: enable secret 'password'

Ah ha!

Looks like they were just removing the type 5 (md5) passwords.
Using "enable secret 4 <key>" works - so I don't need to put plain text
passwords in my templates....

Phew!

Thanks

Andrew


(config)#enable secret test
(config)#do show run | i enable secret
enable secret 4 bsPEUMVATKKO9yeUlJfE3OCzHlgf0s6goJpg3P1k0UU
(config)#
(config)#enable secret 4 bsPEUMVATKKO9yeUlJfE3OCzHlgf0s6goJpg3P1k0UU
(config)#





brez at brezworks

Nov 26, 2012, 9:30 PM

Post #5 of 6 (2741 views)
Re: enable secret 'password'

On 11/26/2012 11:08 PM, Mikael Abrahamsson wrote:
> On Tue, 27 Nov 2012, Andrew Miehs wrote:
>
>> Hi all,
>>
>> Cisco Cat 4500 running
>> cat4500e-universalk9.SPA.03.03.02.SG.151-1.SG2.bin
>>
>> Warning: The CLI will be deprecated soon
>> 'enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxx/'
>> Please move to 'enable secret <password>' CLI
>>
>> Any suggestions on how to get around this - I don't really want the
>> password lying around in plain text...
>
> If you do what it asks and have "service password-encryption" enabled,
> what happens? I doubt it'll be in plaintext anyway.
>
Type the password in as "enable secret yourpasshere" one time, and look
at the config. It will probably show type 4 instead of type 5 after you
do that. Newer passwords are using SHA256 hashing instead of MD5. Once
you've entered it and have the type 4 hash, you can copy/paste that into
your config scripts and be fine as long as the devices are all running
new enough code to support it. Not sure what FN calls it, but the IOS
Security command reference at
http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-e1.html#GUID-944C261C-7D4A-49E1-AA8F-C754750BDE47
lists that it was added in 15.1(4)M code for IOS, 15.0(1)S, and IOS XE
3.1S. In IOS XE 3.3.0SG they mention that type 5 was removed.

They also mention the caveat that if you downgrade a device with SHA256
enable to one without it, the enable secret will be removed, which might
lead to some interesting password recoveries if you roll this out
everywhere and have to downgrade to older code due to bugs.

Jeremy "TheBrez" Bresley
brez [at] brezworks
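
The check described in the posts above, written as a template audit (an added example, not part of the original thread): it classifies each `enable secret` line as plaintext, type 4 or type 5, and recomputes the type 4 value that the thread shows for the password `test`. It relies on a general fact about the format that the thread does not state, namely that a type 4 value is a single unsalted SHA-256 digest in a crypt-style base64 alphabet; the function names and the sample template are constructed for illustration.

```python
import base64
import hashlib
import re

# Standard base64 alphabet and the crypt-style alphabet used for type 4 values.
STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CISCO = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
TO_CISCO = str.maketrans(STD, CISCO)

LINE_RE = re.compile(r"^\s*enable secret\s+(?:(\d)\s+)?(\S+)\s*$")
TYPE4_RE = re.compile(r"^[./0-9A-Za-z]{43}$")
TYPE5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def type4_hash(password):
    """Type 4 value: one unsalted SHA-256 pass, re-encoded in the alphabet above."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=").translate(TO_CISCO)


def audit_template(text):
    """Return (line_number, verdict) for every 'enable secret' line in a template."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = LINE_RE.match(line)
        if not match:
            continue
        kind, value = match.groups()
        if kind in (None, "0"):
            verdict = "plaintext"  # the secret itself is sitting in the file
        elif kind == "4":
            verdict = "type4" if TYPE4_RE.match(value) else "malformed"
        elif kind == "5":
            verdict = "type5" if TYPE5_RE.match(value) else "malformed"
        else:
            verdict = "other"
        findings.append((number, verdict))
    return findings


# Constructed sample template; the type 4 value is the one shown in the thread.
SAMPLE = "\n".join([
    "hostname lab-sw1",
    "enable secret 4 bsPEUMVATKKO9yeUlJfE3OCzHlgf0s6goJpg3P1k0UU",
    "enable secret 5 $1$SALT$" + "x" * 22,  # constructed, not a real hash
    "enable secret test",
    "enable secret 4 tooshort",
])
```
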


A.L.M.Buxey at lboro

Nov 27, 2012, 12:57 AM

Post #6 of 6 (2719 views)
Re: enable secret 'password'

Hi,

> Warning: The CLI will be deprecated soon
> 'enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxx/'
> Please move to 'enable secret <password>' CLI
>
> Any suggestions on how to get around this - I don't really want the
> password lying around in plain text...

The password shouldn't be lying around in plaintext after entering the command -
it should be stored in encrypted format.

alan