topic Re: Setting up SSH user with encrypted password in Switching

Setting up SSH user with encrypted password

athomas1 — Tue, 12 Apr 2022 09:12:52 GMT

Hello,

I've already got SSH access configured on my 9200L and it gave me a prompt for an admin user straight after when trying to login, however I didn't know the password. I've since created a user (config)#username XXX password XXX however this appears in unencrypted format. I've tried different command options to encrypt password but these either give an ambiguous error or encrypt everything after the password prompt.

I've read another thread on here saying to use secret instead of password command but the SSH prompt doesnt allow me to login with the secret and only gives me a password prompt.

I am fairly new to this level of programming so I'm probably missing something very obvious or silly, so some help on the matter would be greatly appreciated. I could leave the password in cleartext on the config, but I want to do it properly.

Re: Setting up SSH user with encrypted password

Flavio Miranda — Tue, 12 Apr 2022 10:57:39 GMT

did you try "service password-encryption"

Which 9200 IOS version do you have?

Re: Setting up SSH user with encrypted password

athomas1 — Tue, 12 Apr 2022 11:07:37 GMT

It's IOS 16.12

How would you integrate command, or is it a separate command you apply to the switch that automatically encrypts all level 0 passwords?

Re: Setting up SSH user with encrypted password

Flavio Miranda — Tue, 12 Apr 2022 11:21:07 GMT

The command above should l encrypt all password. Did it work?

Re: Setting up SSH user with encrypted password

athomas1 — Tue, 12 Apr 2022 11:35:37 GMT

Yes this appears to have worked, sure I tried this before but it didn't work, none the less I am happy it has now. The username password is encrypted to level 7. I think this command may have also encrypted another password that I think was in cleartext level 0 before.

Exactly what affect does applying this command have on any level 0 passwords? Does it simply encrypt any level 0 passwords found to level 7? I've read the level 7 encryption is quite easily crackable, is there any way to apply this command to level 9 instead?

Re: Setting up SSH user with encrypted password

Flavio Miranda — Tue, 12 Apr 2022 11:42:57 GMT

This command is as it is, you can´t execute it differently.

What you should do is create your password properly.

Device> enable
Device# configure terminal
Device(config)# enable password level 12 example123

Device(config)# enable secret 9 $9$sMLBsTFXLnnHTk$0L82

Device(config)# service password-encryption

Re: Setting up SSH user with encrypted password

athomas1 — Tue, 12 Apr 2022 11:53:52 GMT

Thanks for your explanation above. I have properly setup enable secret and password to protect access to privilledged exec. What I am trying to setup is a user to login to SSH with as I tried the enable secret with username admin and root and it didn't work.

Re: Setting up SSH user with encrypted password

balaji.bandi — Tue, 12 Apr 2022 11:53:57 GMT

0 is clear, you need to use anything above like you said 7 to encrypt, check below one help better :

https://learningnetwork.cisco.com/s/article/cisco-routers-password-types

Re: Setting up SSH user with encrypted password

athomas1 — Tue, 12 Apr 2022 11:59:28 GMT

I think I tried to access the above link before and it didnt work properly, im pleased to say this one did. So how would you execute the type 9 password with a username for purposes of logging in to SSH?

Re: Setting up SSH user with encrypted password

athomas1 — Tue, 12 Apr 2022 12:08:02 GMT

I've just tried the command mentioned in the link you sent- I skimmed over the bit I needed of course (doh).

R1(config)# username [user] algorithm-type scrypt secret [pw]

This is what I submitted and it appears to have hashed the password to scrypt. Done a show run and the password shows as secret 9 followed by encrypted password.

I should be able to do this to the enable password as well yes?

Re: Setting up SSH user with encrypted password

athomas1 — Tue, 12 Apr 2022 12:43:37 GMT

Since type 7 password as used for virtual terminal is reversible and easily crackable is it possible to use a higher encryption for this? I'm thinking about a telnet connection into a switch and whilst its not good practice to use it anymore I also dont want to disable it. Is the virtual terminal password left as type 7 since the enable secret can be encrypted to level 12 and you need both anyway?

Re: Setting up SSH user with encrypted password

balaji.bandi — Tue, 12 Apr 2022 13:06:09 GMT

I should be able to do this to the enable password as well yes?

Re: Setting up SSH user with encrypted password

athomas1 — Tue, 12 Apr 2022 13:09:59 GMT

So the enable password for virtual terminal can only be encrypted to type 7?

I've been looking at how to disable telnet, from what Ive read enable SSH should automatically disable it but it's not. Could you advise what commands required?

Re: Setting up SSH user with encrypted password

balaji.bandi — Tue, 12 Apr 2022 13:13:17 GMT

Not sure what IOS XE running here

try :

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-11/configuration_guide/sec/b_1611_sec_9500_cg/controlling_switch_access_with_passwords_and_privilege_levels.html#task_rqw_nt3_mgb

Re: Setting up SSH user with encrypted password

athomas1 — Tue, 12 Apr 2022 13:21:47 GMT

it's running 16.12

Re: Setting up SSH user with encrypted password

Richard Burts — Tue, 12 Apr 2022 19:10:07 GMT

There are several parts of this that deserve some comments:

- when you enable service password encryption it does not change any existing passwords. But will encrypt (certain) passwords as they are configured.

- there are several references to vty passwords, bear in mind that there are multiple options for passwords used for vty and how they are encrypted.

= the most simple is the vty line password. This is configured on the vty lines and is used to authenticate remote access sessions. It stops being used if you configure login local on the vty or if you configure aaa new-model.

= if you configure login local or configure aaa authentication with an option to use local passwords then the device will authenticate attempts for remote access using locally configured user names and passwords. Note that different users might have different types of encryption for their passwords.

= you can configure aaa authentication to use an authentication server to authenticate attempts for remote access. The type of encryption for these users will depend on the authentication server.

- when you activate SSH it does not automatically disable telnet access. If you want to use only SSH (no telnet) then on the vty lines configure transport input ssh and this will use SSH and not allow telnet.

- there are 2 levels of passwords that might be used for remote access. Typically there is a user level password which would grant access to user mode and an enable level password to grant access to privileged mode. Note that there are configuration options in which a user might authenticate once (with the user level password) and then be put directly into privileged mode (without requiring a separate password)

Re: Setting up SSH user with encrypted password

athomas1 — Wed, 13 Apr 2022 08:42:38 GMT

Thanks Richard that is very useful. I have some questions back if you don't mind.

Is it considered good practice when SSH access is configured to have telnet disabled, or leave it enabled as an alternative access route even though the traffic would be unencrypted between user and switch? I currently have SSH local user access (i think this is an accurate description) configured and transport ssh configured separately, Both telnet and SSH access work. I've configured username and secret instead of password to allow me to use highest level of encryption available in 16.12 IOS instead of the password type7 which is basically useless given the ease of reverse decryption online. Or is this required by the IOS to be able to decrypt the password?

What is the best practice for accessing the switch via SSH and how would you suggest configuring this? There is a smallish team here and we don't have need for multiple local users, but SSH is a must.

Re: Setting up SSH user with encrypted password

Richard Burts — Wed, 13 Apr 2022 10:38:17 GMT

In my experience it varies from organization to organization whether to disable telnet and enable only SSH. Some like having an alternative that would work if some problem developed with SSH. Others are concerned about the lack of encryption in telnet and have heightened security requirements and disable telnet access. Where is your organization on this continuum?

I am wondering about this statement "transport ssh configured separately, Both telnet and SSH access work." Am I correct in understanding that you have configured transport input ssh (for some of the vty) and that telnet still works? For historical reasons Cisco divides vty lines into 2 groups (0 through 4 and others). If you configure transport input ssh on vty 0 4 but not on the other vty lines then telnet would still work. If you want telnet disabled then you need to do that on all the vty lines.

You say " I've configured username and secret instead of password to allow me to use highest level of encryption available in 16.12 IOS" But in a previous response you say that you have created a user with type 9 encrypted password. So user name secret is not the highest level of encryption available.

You ask "What is the best practice for accessing the switch via SSH" To answer this we would need a better understanding of the level of concern in your organization about security on the network. Multiple user accounts configured on the device is ok if security concerns are not so high. If security concerns are high then you should enable aaa for authentication (and perhaps authorization) and use an authentication server (Tacacs or Radius), have a single local user name and password (to be used if there are problems.

Re: Setting up SSH user with encrypted password

athomas1 — Wed, 13 Apr 2022 12:39:37 GMT

So currently we use telnet which I know is not good practice because of the lack of transport encryption. I am using SSH going forward but wasn't if there was set good practice as to whether telnet is left as an alternative if disabled for security. If it more so dependent on the organizations requirements I will make a decision internally on this.

I had noticed there were two groups for vty lines, which i was a bit confused about, but yes you are correct with your understanding- transport ssh is set on one group but not the other. Would I just set transport ssh on both groups or is there a way to disable/ remove the one group? I can get to all my switch stacks easily enough to use serial as a backup connection so i have no particular need to leave to telnet enabled even as a backup line.

What are the highest levels of encryption readily available for secret or password? I was under the impression from https://learningnetwork.cisco.com/s/article/cisco-routers-password-types that type 9 was the highest level.

Where different users and passwords are concerned and choice of use, security is a big concern for us as would be for any organization, but we're not Bank of England either... So a healthy level of security where we might have a single user for ssh access and also the privileged access. How would you suggest implementing this?

Re: Setting up SSH user with encrypted password

Richard Burts — Fri, 15 Apr 2022 20:05:41 GMT

From a security perspective certainly SSH is better than telnet. Whether telnet is tolerated and used as a secondary choice for access or is treated as a potential threat and disabled depends on the security environment of the organization. I do not know about your organization but I am guessing that you may want to disable telnet and use only SSH.

In the early days of IOS the vty ports were 0 to 4. Then Cisco added support for additional vty. I assume that it was to provide compatibility with older versions but 0 4 has always been separate from 5 15 (or whatever number of vty that you might have). I do not believe that there is any way to eliminate either group. If you wanted to disable one group (or disable some ports in a group) you could configure those vty with transport input none.

If you or your organization are concerned about security of passwords etc then my suggestion would be to transition away from locally configured user and password and implement an authentication server (Tacacs or Radius). Leave one user and password in the configuration to be used for access if there are problems with the authentication server.