
Type 9 (Scrypt) Password doesn't work for console access

tschafferx
Level 1

Hi community,

 

I just configured a scrypt type 9 password and wanted to use it for my console login. It seems like the ISR 4331 cannot process this password. Is this a known limitation or might it be a bug?

 

Thank you in advance.

 

Best regards

 

Thomas

16 Replies

Richard Burts
Hall of Fame

Thomas

 

Can you tell us what version of code your 4331 is running? It could very well be that your 4331 is running a version that does not support this type of password.

 

HTH

Rick

Hi Richard,

 

thank you for the reply.

We are running SW Version 16.6.4 (Everest).

Did you enable the scrypt algorithm? Can you show us the exact syntax you used in configuring the password and the response from the router?

 

HTH

Rick

Hi Richard,

 

These are the steps I made:

1st: In order to get a Type 9 hash I entered the following command: enable algorithm-type scrypt secret password

This gave me the type 9 hash, which I used with the following command: username cisco privilege 15 password 9 hash

After that I set the login local at the line con 0 level.

That resulted in an unsuccessful login on the console level. Error message %Bad Secrets

 

Best regards.

Thanks for the additional information. I suggest that you try this version of the command

username cisco privilege 15 secret 9 hash

 

HTH

Rick

Hi Rick,

 

Thank you for the input. That's the command I used initially. Sorry I had a typo in my previous message.

Could that be a bug?

 

Best regards

 

Thomas

Glad to know that it was a typo in your message. I certainly can not rule out the possibility of a bug. But I think it more likely that there was some flaw in your process of creating the hash and in using the hash in creating the user id. I would suggest that you try it again. This time use some very simple password (nothing elaborate, no special characters etc) and create a new hash, then configure a user id using the new hash. If it still does not work it might be a good idea to open a case with Cisco TAC about this. They would be the best ones to determine if it were a bug.

 

HTH

Rick

Hello Richard,

 

Thank you for your message. I will give it a try. My main concern would have been if I had a wrong syntax or if the feature is not supported on that specific IOS.

 

Best regards.

If it were an issue with the feature not supported in that version I would certainly expect an error message when you attempted the command. Since there was no error message it should be safe to assume that it is supported. There might be some issue about syntax but what we have seen so far seems your syntax was ok. Can't rule out a bug. But I still think there might be some issue about the particular password or some human issue in the generation of the hash and the transfer of the hash to the user id password command.

 

HTH

Rick
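
An added example, not part of the original thread or Cisco's code: a pre-flight check for the "transfer of the hash" failure mode suggested above, which flags a truncated or whitespace-damaged type 9 string before it is pasted into `username ... secret 9 <hash>` and optionally confirms it matches the intended password. It assumes the type 9 layout `$9$<14-char salt>$<43-char digest>` with scrypt N=16384, r=1, p=1, which the thread does not state; the salt and password in the sample are constructed.

```python
import base64
import hashlib
import hmac
import re

# Assumption (not stated in the thread): $9$<14-char salt>$<43-char digest>, where
# digest = scrypt(password, salt, N=16384, r=1, p=1, 32 bytes) in Cisco's base64 alphabet.
STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CISCO = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
TYPE9 = re.compile(r"\$9\$([./0-9A-Za-z]{14})\$([./0-9A-Za-z]{43})")


def type9_digest(password, salt):
    """Derive the digest field for a password and the salt's ASCII characters."""
    raw = hashlib.scrypt(password.encode(), salt=salt.encode(),
                         n=16384, r=1, p=1, dklen=32)
    b64 = base64.b64encode(raw).decode().rstrip("=")
    return b64.translate(str.maketrans(STD, CISCO))


def check_type9(hash_str, password=None):
    """Return 'ok', 'mismatch', or a description of the structural problem."""
    if hash_str != hash_str.strip():
        return "leading/trailing whitespace"
    m = TYPE9.fullmatch(hash_str)
    if m is None:
        parts = hash_str.split("$")
        if len(parts) != 4 or parts[1] != "9":
            return "not a $9$ string"
        return f"bad field (salt={len(parts[2])} chars, digest={len(parts[3])} chars)"
    if password is None:
        return "ok"
    salt, digest = m.groups()
    same = hmac.compare_digest(type9_digest(password, salt), digest)
    return "ok" if same else "mismatch"


# Constructed sample: salt and password are made up for this example.
SALT = "ConstructedSal"
SAMPLE = "$9$" + SALT + "$" + type9_digest("cisco", SALT)

if __name__ == "__main__":
    print(check_type9(SAMPLE, "cisco"))        # pasted intact
    print(check_type9(SAMPLE[:-1], "cisco"))   # last character lost in copy/paste
    print(check_type9(SAMPLE, "Cisco"))        # different password
```
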

Hello,

 

Did you manage to resolve the issue?

I'm dealing with the same problem...

 

kind regards

Jorg

Jorg

It is not clear whether the original issue was resolved. The link to the discussion in the Learning Network is pretty good. If you have not yet looked at it I suggest that it might be helpful. 

Can you tell us details of what you have tried and what the results were? Also what platform and what version of code might be helpful information.

HTH

Rick

ena algorithm-type scrypt secret cisco

username demo9 algorithm-type scrypt secret cisco

 

Kind of old post, but the commands should look like this?  It will hash the value you replace "cisco" with.

 

"https://learningnetwork.cisco.com/s/article/cisco-routers-password-types"

Hello

As you have the username set to privilege 15 access you shouldn't require any enable secret password unless you have other usernames applied to the local database of the rtr that have lower privilege levels.

 

Try this and test again
no username xxxx
username xxxx privilege 15 algorithm-type scrypt secret xxx


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

benweber
Level 1

I know it's an old post but I'm having a similar problem on a bunch of 9200l switches.  All of them take the scrypt passwords with either:

 

enable algorithm-type scrypt secret <password>

or 

username <username> priv 15 algorithm-type scrypt secret <password>

 

In every case the switch takes the commands and they show up in the config.  However, on some switches (all of which are identical hardware running the same code version) they will simply stop working, giving an incorrect username or password error.

 

We've decided to use type 8 sha256 passwords to get around it.  But there are definitely issues with type 9 passwords not working properly.

 

On all of our switches where they aren't working they worked initially but then stopped without our having made any configuration changes.

 

B
