Solved: yes secret sets it for md5

Gideon Goddard · ‎12-02-2015

Hello,

I configure telnet and ssh access on a test router.

Here is my conf :

R1(config)#username cisco2 password cisco

R1(config)#line vty 0 4

R1(config-line)#login local

R1(config)#ip domain-name abc.com

R1(config)#crypto key generate rsa general-keys modulus 1024

The name for the keys will be: R1.abc.com

% The key modulus size is 1024 bits

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

*Mar 1 00:07:59.295: %SSH-5-ENABLED: SSH 1.99 has been enabled

R1(config)#ip ssh version 2

R1(config)#line vty 0 4

R1(config-line)#transport input ssh telnet

Is it possible to do these access only by a password ?

Mark Malone · ‎12-02-2015

There is no other information for it thats all it does , are you sure it was not already in by default in the startup-config some routers/switches its already set for security reasons

If you have the service password-encryption command enabled, the password you enter is encrypted. When you display it with the more system:running-config command, it is displayed in encrypted form.

If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy from another router configuration.

View solution in original post

Mark Malone · ‎12-02-2015

Hey try this

remove username cisco2 password cisco

change login local to just login under vty adn then set password under vty

password xxxx

That should work but its less secure , ás well wouldnt allow telnet you can sniff the wire for the password

Gideon Goddard · ‎12-02-2015

Thank you it works !

Yes I sensibilize lack of security about telnet instead of ssh.

Final question, what does it change change if I encrypt a secret password :

conf t

enable secret cisco1

service password-encryption

It doesn't seems to change the sh run, so it is usesell to add service password-encryption ?

Mark Malone · ‎12-02-2015

so when you enable service [password basically when you do a show run you wont see cisco1 anymore it will be scrambled

Gideon Goddard · ‎12-02-2015

For exemple :

Router#conf t
Router(config)#enable secret cisco
Router(config)#do sh run

[...]
enable secret 5 $1$INqJ$0AiQb11Q8Lx.WOvG5PQwA.

[...]

Router(config)#service password-encryption
Router(config)#do sh run
[...]
enable secret 5 $1$INqJ$0AiQb11Q8Lx.WOvG5PQwA.

[...]

Have a look, I can't see the impact of the command service password-encryption on the password ..

Can you give me more information ?

Mark Malone · ‎12-02-2015

There is no other information for it thats all it does , are you sure it was not already in by default in the startup-config some routers/switches its already set for security reasons

If you have the service password-encryption command enabled, the password you enter is encrypted. When you display it with the more system:running-config command, it is displayed in encrypted form.

If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy from another router configuration.

Gideon Goddard · ‎12-02-2015

So there is no need to activate the command service password-encryption if I set a enable secret mypassword because the parameter "secret" already crypted the password ?

Mark Malone · ‎12-02-2015

yes secret sets it for md5 automatically but if you have a standard enable password cisco1 it will encrypt that too but you should always try use the md5 where possible

Gideon Goddard · ‎12-02-2015

Thanks you very much :)

[CISCO ROUTER 3725]Configure ssh and telnet without login, only a password