Passwords in configuration file

We have a security finding that SNMP and LDAP credentials can be extracted in clear text from the configuration dump file, but when I try to download the file, the system asks me to either mask or encrypt the passwords. Not sure if there is any KB or article from Cisco.


UdupiKrishna
Cisco Employee

The mask option is simply going to change passwords into asterisks, like we see on Cisco switches. On the other hand, the encrypt option, as the name says, encrypts the password, which again can only be decrypted by ESA.

Here's a config snippet,

Mask password

<ldap>
<ldap_server>
<ldap_server_name>LabAD</ldap_server_name>
<ldap_server_port>389</ldap_server_port>
<ldap_server_hostname>X.X.X.X</ldap_server_hostname>
<ldap_server_type>ad</ldap_server_type>
<ldap_server_pass>*****</ldap_server_pass>

Encrypt password

<ldap>
<ldap_server>
<ldap_server_name>LabAD</ldap_server_name>
<ldap_server_port>389</ldap_server_port>
<ldap_server_hostname>X.X.X.X</ldap_server_hostname>
<ldap_server_type>ad</ldap_server_type>
<ldap_server_pass>8dH+PEfzkHCS+KARBtogTmb+LHQU/WSqrJNqjypVwE0LieqoPHGjus78GsCNFEWG</ldap_server_pass>

Thank you! Can we consider that the configuration file will NOT have passwords in plain text?

That is correct, the config file will not have passwords saved in plain text in the newer versions. In the older versions, i.e. 11.X and older, there was an additional option called "plain text passwords" during configuration file download, which was removed in the newer versions.
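
A check that can be run on a downloaded configuration file to confirm that no password field holds clear text, added here as an example; it is not part of the thread and not Cisco tooling. It assumes secret fields end in `_pass`, as `ldap_server_pass` does in the snippet above; the `example_snmp_pass` tag and all sample values are constructed, and the base64 test is a heuristic, not the appliance's documented format.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Assumption: secret-bearing elements end in "_pass", like <ldap_server_pass>.
SECRET_TAG = re.compile(r"_pass$")


def classify(value):
    """Return 'empty', 'masked', 'opaque' or 'review' for one secret field."""
    value = (value or "").strip()
    if not value:
        return "empty"
    if set(value) == {"*"}:          # the "mask" download option
        return "masked"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "review"              # not base64: possible clear text
    # Heuristic: strict base64 decoding to >= 16 bytes is treated as ciphertext.
    # A long clear-text password that happens to be valid base64 would slip
    # through, so 'opaque' means "not obviously clear text", not "proven safe".
    return "opaque" if len(raw) >= 16 else "review"


def audit(xml_text):
    """Return [(element path, classification)] for every secret element."""
    findings = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        if SECRET_TAG.search(node.tag):
            findings.append((here, classify(node.text)))
        for child in node:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


# Constructed sample, not a real export; the ciphertext is bytes 0..47 in base64.
SAMPLE = """<config><ldap>
  <ldap_server><ldap_server_pass>*****</ldap_server_pass></ldap_server>
  <ldap_server><ldap_server_pass>{enc}</ldap_server_pass></ldap_server>
 </ldap><example_snmp_pass>public123</example_snmp_pass></config>""".format(
    enc=base64.b64encode(bytes(range(48))).decode())

if __name__ == "__main__":
    for path, status in audit(SAMPLE):
        print(f"{status:7} {path}")
```

Any field reported as `review` should be inspected by hand before the file is stored or shared.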