01-30-2015 06:04 PM - edited 02-21-2020 05:23 AM
I am generating configuration files for customer equipment from a Perl script and everything works fine, but I do not feel comfortable embedding passwords in plain text. I am expecting that the customer may have to load some of the configs and it does not follow good security practices to leave the passwords unencrypted. I have been able to work out the process of hashing passwords fed in from the command line for standard routers and switches that use the IOS MD5, and the Type 7 hash used for RADIUS keys, but I have no idea what the crypto method is for the ASA user accounts. I have been working through several of the known hash types to try and match output to a known input, but since I do not know if the algorithm is static or dynamic, I do not know if I will find a match.
Anyone have any insight into what algorithm is used for the hash?
Thanks,
Rod
01-30-2015 10:01 PM
It's probably PIX-MD5 no salt.
02-02-2015 06:49 AM
I will try that and let you know.
01-31-2015 04:44 PM
As best as I know, it's a variant of base-64 encoded MD5 hash.
Cisco doesn't publish the method but some folks assert you can recreate the password programmatically. Reference.
02-02-2015 06:54 AM
I have read through a couple of write-ups on this and one seemed interesting in that it referenced an MD5 hash (16 or 32 character maximum, depending on the version of IOS) and a 4 character hash based on the first four characters of the username. If I get a chance, I will try this, but it is a heck of a lot harder to code in for a script to pass in through the command line.
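A sketch of the unsalted PIX-MD5 scheme suggested in the replies above, as an added example that is not part of the original thread and not Cisco's code. It follows the algorithm as publicly documented by open-source password tools (an assumption, since Cisco does not publish it) and does not implement the username mixing mentioned in the last post; `pix_md5` and `verify` are hypothetical names.

```python
import hashlib
import hmac

# crypt-style "hash64" alphabet; this is not RFC 4648 base64.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def pix_md5(password: str) -> str:
    """Return the 16-character PIX-MD5 string (no salt, no username)."""
    raw = password.encode("ascii")
    # Only 16 bytes are hashed: short input is NUL-padded and
    # anything past the 16th byte is silently ignored.
    block = raw[:16].ljust(16, b"\0")
    digest = hashlib.md5(block).digest()

    out = []
    for i in range(0, 16, 4):
        # Keep 3 of every 4 digest bytes as a little-endian 24-bit value,
        # then emit it 6 bits at a time, low bits first.
        v = digest[i] | (digest[i + 1] << 8) | (digest[i + 2] << 16)
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    return "".join(out)


def verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored string."""
    return hmac.compare_digest(pix_md5(password), stored)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("", "cisco", "a-long-passphrase-over-16"):
        print(repr(pw), "->", pix_md5(pw))
```

Because the output has no salt, the same password produces the same string on every device, and a generated config carrying it still needs to be handled as sensitive.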