03-17-2021 11:19 AM
Hi!
Can we enable type-8 or type-9 passwords on Cisco Nexus 7000 switches?
I can see the max type supported on my nexus is type-5.
I want to create a local database of username and passwords on the switches.
Sw 8.3(2)
03-29-2021 11:48 PM
Copying this answer from TAC:
When customers coming from IOS/IOS-XE look for Type 8 or Type 9 encryption for secrets, they usually want either SHA256 encryption or scrypt encryption. However, at first glance, NX-OS only offers Type 5 encryption (which in an IOS/IOS-XE world means MD5 hashing, which is obviously not secure).
In reality, NX-OS's "Type 5" encryption encrypts clear-text passwords using SHA256 along with 5000 iterations of a 64-bit salt. This means that NX-OS's Type 5 encryption is equivalent to IOS/IOS-XE's Type 8 encryption. This is documented under the "Configuring User Accounts" heading of the "Managing User Accounts" chapter of the Cisco Nexus 7000 Series NX-OS Security Configuration Guide, quoted below:
"You can enter the password in clear text format or encrypted format. The Cisco NX-OS password encrypts clear text passwords before saving them to the running configuration. Encrypted format passwords are saved to the running configuration without further encryption. SHA256 is the hashing algorithm used for password encryption. As a part of the encryption, a 5000 iteration of 64-bit SALT is added to the password."
Christopher Hart
Technical Consulting Engineer
Cisco TAC, Data Center Routing and Switching
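The practical question behind the TAC answer is whether a given switch's local accounts are really stored as SHA256 hashes or as the old MD5 hashes that "type 5" means on IOS. The following audit script is an added example, not code from Cisco TAC or this thread; it assumes NX-OS writes its hashed secrets in the Unix crypt(3) `$N$` form (`$1$` md5-crypt, `$5$` sha256-crypt, the latter defaulting to 5000 rounds, which matches the iteration count quoted above), and the running-config lines it parses are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample NX-OS running-config lines (not from a real device);
# the hash bodies are placeholders, only the $N$ prefix and rounds= field matter.
SAMPLE_CONFIG = """\
username admin  password 5 $5$KJh8sdfq$PLACEHOLDERsha256cryptHASHxxxxxxxxxxxxxxxx  role network-admin
username ops    password 5 $5$rounds=10000$Qw1e2r3t$PLACEHOLDERsha256cryptHASH  role network-operator
username legacy password 5 $1$Ab12Cd34$PLACEHOLDERmd5cryptHASH  role network-operator
username svc    password 0 ClearTextPlaceholder  role network-operator
"""

# Unix crypt(3) scheme ids (assumed format of the hash field). NX-OS's "password 5"
# keyword only says "hashed"; the $N$ prefix of the hash itself reveals the algorithm.
CRYPT_SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
DEFAULT_ROUNDS = 5000  # crypt(3) default for sha256-crypt / sha512-crypt
LINE_RE = re.compile(r"^username\s+(\S+)\s+password\s+(\d)\s+(\S+)")

@dataclass
class LocalAccount:
    user: str
    password_type: str      # NX-OS keyword: 0 = clear text, 5 = hashed
    scheme: str             # crypt scheme name, "cleartext" or "unknown"
    rounds: Optional[int]
    weak: bool              # True for clear text, md5-crypt or unrecognised hashes

def classify_hash(hash_field: str) -> tuple:
    """Return (scheme, rounds) for a crypt-style '$N$[rounds=R$]salt$hash' string."""
    parts = hash_field.split("$")
    if len(parts) < 4 or parts[0] != "":
        return "unknown", None
    scheme = CRYPT_SCHEMES.get(parts[1], "unknown")
    rounds = DEFAULT_ROUNDS if scheme in ("sha256-crypt", "sha512-crypt") else None
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
    return scheme, rounds

def audit_config(config: str) -> list:
    """Classify every local 'username ... password ...' line of a running-config."""
    accounts = []
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, ptype, secret = m.groups()
        scheme, rounds = ("cleartext", None) if ptype == "0" else classify_hash(secret)
        weak = scheme in ("cleartext", "md5-crypt", "unknown")
        accounts.append(LocalAccount(user, ptype, scheme, rounds, weak))
    return accounts
```

Run `audit_config()` over the output of `show running-config | include ^username` and any account flagged `weak` is one whose secret should be re-entered so the switch stores it under the SHA256 scheme.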
09-29-2022 11:51 AM
Hi Christopher,
Is there any documentation to show that type 5 on NX-OS uses SHA256?
It is making a mess, and also on the link you shared I can see only MD5.
Thank you in advance.
01-19-2024 06:39 AM
Hi Christopher,
Can I check if NEXUS 7710 username creation supports type 9 secret passwords?
Currently, all our usernames use type-5 passwords.
Current software version 7.3(3)D1(1)