[c-nsp] enable secret 'password'

Jeremy Bresley brez at brezworks.com
Tue Nov 27 00:30:52 EST 2012


On 11/26/2012 11:08 PM, Mikael Abrahamsson wrote:
> On Tue, 27 Nov 2012, Andrew Miehs wrote:
>
>> Hi all,
>>
>> Cisco Cat 4500 running 
>> cat4500e-universalk9.SPA.03.03.02.SG.151-1.SG2.bin
>>
>> Warning: The CLI will be deprecated soon
>> 'enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxx/'
>> Please move to 'enable secret <password>' CLI
>>
>> Any suggestions on how to get around this - I don't really want the
>> password lying around in plain text...
>
> If you do what it asks and have "service password-encryption" enabled, 
> what happens? I doubt it'll be in plaintext anyway.
>
Type the password in as "enable secret yourpasshere" one time, and look 
at the config.  It will probably show type 4 instead of type 5 after you 
do that.  Newer passwords are using SHA256 hashing instead of MD5.  Once 
you've entered it and have the type 4 hash, you can copy/paste that into 
your config scripts and be fine as long as the devices are all running 
new enough code to support it.  Not sure what FN calls it, but the IOS 
Security command reference at 
http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-e1.html#GUID-944C261C-7D4A-49E1-AA8F-C754750BDE47
lists that it was added in 15.1(4)M code for IOS, 15.0(1)S, and IOS XE 
3.1S.  In IOS XE 3.3.0SG they mention that type 5 was removed.

They also mention the caveat that if you downgrade a device with SHA256 
enable to one without it, the enable secret will be removed, which might 
lead to some interesting password recoveries if you roll this out 
everywhere and have to downgrade to older code due to bugs.

Jeremy "TheBrez" Bresley
brez at brezworks.com
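Added example (not part of the thread or any Cisco tool): a small config auditor that picks out the enable credential lines Jeremy describes, reports whether each is a type 4 (SHA-256) or type 5 (MD5-crypt) secret, a type 7 obfuscated password, or plaintext, and flags the downgrade caveat when the config may be loaded on an image without type 4 support. The sample config and hash values are constructed placeholders in the right shape, and the "target supports type 4" flag is an assumed input you would derive from the versions the thread cites.

```python
import re

# Constructed sample of a running-config excerpt; the hash/obfuscated values
# are placeholders shaped like real ones, not credentials from anywhere.
SAMPLE_CONFIG = """\
hostname edge-sw1
service password-encryption
enable secret 4 Rv4kArhts7yA2xd8BD5YTBUbAWLSSBwpGF3E0gz5fqc
enable password 7 0822455D0A16
line vty 0 4
 password 7 094F471A1A0A
"""

# Matches 'enable secret 4 <hash>', 'enable secret 5 <hash>',
# 'enable password 7 <obfuscated>' and 'enable password <plaintext>'.
ENABLE_RE = re.compile(
    r"^enable (?P<cmd>secret|password)(?: (?P<type>[0457]))? (?P<value>\S+)$",
    re.M)

DESCRIPTION = {
    ("secret", "5"): "MD5-crypt hash (type 5); removed in IOS XE 3.3.0SG",
    ("secret", "4"): "SHA-256 hash (type 4); needs 15.1(4)M, 15.0(1)S or "
                     "IOS XE 3.1S and later",
    ("password", "7"): "type 7 is reversible obfuscation, not a hash",
    ("password", "0"): "plaintext",
    ("password", None): "plaintext",
}

def parse_enable_lines(config):
    """Return (command, type, value) per enable line; type is None if absent."""
    return [(m.group("cmd"), m.group("type"), m.group("value"))
            for m in ENABLE_RE.finditer(config)]

def audit(config, target_supports_type4=True):
    """Return findings for the enable credentials in a config text.

    target_supports_type4 (assumed input) says whether the oldest image the
    config might be loaded on accepts type 4; per the thread, a downgrade to
    an image without SHA-256 support removes the enable secret entirely."""
    findings = []
    for cmd, typ, value in parse_enable_lines(config):
        desc = DESCRIPTION.get((cmd, typ), "unknown type %s" % typ)
        findings.append("enable %s: %s" % (cmd, desc))
        if cmd == "secret" and typ == "4" and not target_supports_type4:
            findings.append("enable secret: type 4 would be dropped on the "
                            "target image; set an accepted type first")
        if cmd == "password":
            findings.append("enable password: weak form, prefer enable secret")
    return findings
```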

