[c-nsp] enable secret 'password'
Jeremy Bresley
brez at brezworks.com
Tue Nov 27 00:30:52 EST 2012
On 11/26/2012 11:08 PM, Mikael Abrahamsson wrote:
> On Tue, 27 Nov 2012, Andrew Miehs wrote:
>
>> Hi all,
>>
>> Cisco Cat 4500 running
>> cat4500e-universalk9.SPA.03.03.02.SG.151-1.SG2.bin
>>
>> Warning: The CLI will be deprecated soon
>> 'enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxx/'
>> Please move to 'enable secret <password>' CLI
>>
>> Any suggestions on how to get around this - I don't really want the
>> password lying around in plain text...
>
> If you do what it asks and have "service password-encryption" enabled,
> what happens? I doubt it'll be in plaintext anyway.
>
Type the password in as "enable secret yourpasshere" one time, and look
at the config. It will probably show type 4 instead of type 5 after you
do that. Newer passwords are using SHA256 hashing instead of MD5. Once
you've entered it and have the type 4 hash, you can copy/paste that into
your config scripts and be fine as long as the devices are all running
new enough code to support it. Not sure what FN calls it, but the IOS
Security command reference at
http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-e1.html#GUID-944C261C-7D4A-49E1-AA8F-C754750BDE47
lists that it was added in 15.1(4)M code for IOS, 15.0(1)S, and IOS XE
3.1S. In IOS XE 3.3.0SG they mention that type 5 was removed.
They also mention the caveat that if you downgrade a device with SHA256
enable to one without it, the enable secret will be removed, which might
lead to some interesting password recoveries if you roll this out
everywhere and have to downgrade to older code due to bugs.
Jeremy "TheBrez" Bresley
brez at brezworks.com
More information about the cisco-nsp
mailing list