Re: ERROR: Malformed pbkdf2 hash

I am trying to configure the ASA with the pbkdf2 encryption algorithm type for both the username password and the enable password.

username <username> password <password> pbkdf2 privilege 15
ERROR: Malformed pbkdf2 hash

enable password <password> pbkdf2
PBKDF2 hashed enable password 'password' is malformed

dcchamilton
Level 1

I am having a similar issue with migrating the configuration from one ASA to another ASA for replacement. Initially I copied the configuration from one 5508-X to the new 5516-X, both at the same 9.10.1 version. Once satisfied the config came over OK, I upgraded to 9.13. I had upgraded to 9.14, with the ASDM 7.14, and the ASDM was flaky and kept locking up, but that is another story. Downgrading to 9.13 worked fine, and is stable. However, a few other users had been added to the old 5508-X while working with the new one. So I backed up the 5508-X to local config and imported the config into Excel. Copied 2 of 3 users with their properties and encrypted password just fine, but the third failed due to "Error: Malformed pbkdf2 hash". "Error: Username addition failed.". I have never seen this before, and there does not seem to be any issue with the account, and if the passwords did not match during creation, it would not have been created. I have moved users from ASA to ASA with this method many times without this issue. Short of re-creating the user in the new ASA and setting a new password, my concern is that there is an issue with this process, or the encryption process. This is similar to backing up a configuration and restoring it to a different ASA, so I would expect this to just work.

Depending on when the username was created, the account password may or may not be stored with a pbkdf2 hash.

Older passwords use an md5 hash type.

It was created several days ago, and I just tried to migrate it to the new ASA yesterday, and had the error. The user was using it successfully just fine, so I know the password was usable. I just worked with the user, and changed the password on the first ASA. Then I performed the exact same steps as described above and the account imported fine into the new ASA. The password was somehow not in a good state even though it was working for the user. Or there is still something with the encryption process. I had performed the configuration backup 3 times as well, just in case that was the failure, but that had the same results. Changing the password on the original ASA resolved the issue, even though it worked for the user the way it was. Just something to think about.
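As an added example (it is not code from any poster in this thread or from Cisco), the following Python script does the kind of pre-check that would have caught the migration failure described above before the config was re-applied: it reads username lines from a backed-up ASA config, classifies each one by password scheme (pbkdf2 versus the older "encrypted" MD5-era form mentioned in the reply), and flags pbkdf2 fields that are structurally malformed. The assumed layout of the stored hash, $sha512$<iterations>$<base64 salt>$<base64 digest>, and the sample config lines are assumptions constructed for the example; compare the layout against your own "show running-config" output before relying on it.

```python
import base64
import binascii
import re

# Assumed layout of an ASA PBKDF2 password field (an assumption made for this
# example, not a documented Cisco format):
#   $sha512$<iterations>$<base64 salt>$<base64 digest>
PBKDF2_PARTS = 5  # leading empty string plus the four fields when split on "$"

# Matches "username NAME password FIELD [pbkdf2|encrypted|nt-encrypted] ..."
USERNAME_RE = re.compile(
    r"^username\s+(?P<user>\S+)\s+password\s+(?P<field>\S+)"
    r"(?:\s+(?P<scheme>pbkdf2|encrypted|nt-encrypted))?"
)

# Constructed sample config; the hashes are placeholders, not real credentials.
SAMPLE_CONFIG = """\
username alice password $sha512$5000$MDEyMzQ1Njc4OWFiY2RlZg==$QUJDREVGR0hJSktMTU5PUA== pbkdf2 privilege 15
username bob password AbCdEfGhIjKlMnOp encrypted privilege 15
username carol password $sha512$5000$not*base64*$QUJDREVGR0hJSktMTU5PUA== pbkdf2 privilege 15
username dave password $sha512$5000$MDEyMzQ1Njc4OWFiY2RlZg== pbkdf2 privilege 15
"""


def _b64_problem(label, value):
    """Return a description if value is not strict base64, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return f"{label} is not valid base64"
    if not raw:
        return f"{label} is empty"
    return None


def check_pbkdf2_field(field):
    """Structural checks on a pbkdf2 password field; returns a list of problems."""
    problems = []
    parts = field.split("$")
    if len(parts) != PBKDF2_PARTS or parts[0] != "":
        problems.append(f"expected 4 '$'-separated fields, found {max(len(parts) - 1, 0)}")
        return problems
    _, algo, iterations, salt, digest = parts
    if algo != "sha512":
        problems.append(f"unexpected algorithm tag '{algo}'")
    if not iterations.isdigit() or int(iterations) <= 0:
        problems.append(f"iteration count '{iterations}' is not a positive integer")
    for label, value in (("salt", salt), ("digest", digest)):
        problem = _b64_problem(label, value)
        if problem:
            problems.append(problem)
    return problems


def audit_config(config_text):
    """Classify every username line and flag pbkdf2 hashes that look malformed."""
    results = []
    for line in config_text.splitlines():
        match = USERNAME_RE.match(line.strip())
        if not match:
            continue
        scheme = match.group("scheme") or "cleartext"
        problems = check_pbkdf2_field(match.group("field")) if scheme == "pbkdf2" else []
        results.append({"user": match.group("user"), "scheme": scheme, "problems": problems})
    return results


def legacy_users(results):
    """Users still stored with the pre-PBKDF2 'encrypted' (MD5-era) scheme."""
    return [r["user"] for r in results if r["scheme"] == "encrypted"]


def malformed_users(results):
    """Users whose pbkdf2 field would likely be rejected on import."""
    return [r["user"] for r in results if r["problems"]]


if __name__ == "__main__":
    audit = audit_config(SAMPLE_CONFIG)
    for entry in audit:
        status = "; ".join(entry["problems"]) or "ok"
        print(f"{entry['user']:<8} {entry['scheme']:<12} {status}")
    print("legacy (md5-era) accounts:", legacy_users(audit))
    print("malformed pbkdf2 accounts:", malformed_users(audit))
```

Running it over a real backup before pasting it into the replacement ASA tells you which accounts to reset on the source first (as the poster ended up doing) and which still carry the older hash type that policy may no longer allow.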

We are running CSM 4.22 SP1 and getting the same error regarding the hashed enable password being malformed when deploying to an ASA5585 on 9.6.4.12.

Cisco referenced:

[ENH-CSM] Ability to configure short length passwords using "PBKDF2" hash via CSM.
CSCvq78563

But this is not exactly the issue. Has anyone been able to find a solution to deploying a 33+ character enable password under PBKDF2? The recommended work-around was to use MD5 - not a viable solution for us.

Thanks

eduardw
Level 1

I run into the same problem when trying to set up the enable password. It looks like it is not possible to use an enable password shorter than 33 characters when using CSM and the PBKDF2 hash. I also could not get it working by using the CLI.

Our company policy does not allow us to use md5 as a hash anymore. For normal operation we use AAA and you log on directly in enable mode. But when there are problems and AAA is not working, we need to use local authentication, and using a 33 character password is not workable. Is this IOS or CSM related? I would hate to see that we need to upgrade all our ASA firewalls again.
