07-24-2015 01:52 AM - edited 03-08-2019 01:05 AM
I am going to change the password to a new one, but I got the issue as below:
test(config)#username test privilege 15 secret 5 tanjia
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.
How can I update the password to privilege level 15 and secret type 5?
Thanks!
07-24-2015 02:13 AM
Hi, you need an already encrypted password for it to be hidden and to be accepted as secret 5.
Leave out the 5 and it will encrypt your password as its secret, and you can set service password-encryption.
07-24-2015 03:18 AM
Thanks, Mark. Do you know how to use the openssl tool to generate a Type 5 password in the Cisco switch? I don't know if there is a shell that can execute the "openssl" tool.
07-24-2015 03:21 AM
By the way, I found the way to generate the secret.
Please see the details:
2) Copy the resulting Type 5 password (which is $1$M/wf$iqBnv/g3GuVUsCpWcDFS20 in the preceding example).
1) The openssl tool can generate a Type 5 password when using a specific set of command-line arguments, as follows:
openssl passwd -salt `openssl rand -base64 3` -1 PLAINTEXT_PASSWORD
Administrators must replace the string PLAINTEXT_PASSWORD with the appropriate plaintext password. The following example uses the string Th1z#1s+53kri7 as the plaintext password:
hostname$ openssl passwd -salt `openssl rand -base64 3` -1 Th1z#1s+53kri7
$1$dxVt$FSJmj1O6JUZdbUjxZkIuD.
2) Copy the resulting Type 5 password (which is $1$dxVt$FSJmj1O6JUZdbUjxZkIuD. in the preceding example).
Note: Depending on the characters in the plaintext password, you may need to enclose it between quotes.
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4
But how can I use openssl in the Cisco switches/routers to generate it?
Thanks!
07-24-2015 03:56 AM
Hi
Maybe I am wrong here, someone else will be able to clarify. I did not think the actual router could generate type 4 SHA or type 5 MD5 the way openssl can. Obviously it will encrypt it with MD5 or SHA if you just use secret without 5 or 4, but I think it just gives you the option to put in your own external encrypted password. The Cisco router uses MD5 encryption itself once secret is set on its own without a number.
07-24-2015 04:36 AM
It's openSSL that can generate hashes (not encryption) that are compatible with Cisco IOS. So the above example is perfectly valid. I used it when I configured routers through Teamviewer sessions, where the user of the onsite PC should not see the actual password.
07-26-2015 08:58 PM
Thanks, Karsten.
You mean I generate the MD5 hashes with openSSL on a Linux host and then can use this string "$1$xxxxxxxxxxxxxxxxxxx" on the Cisco IOS?
For example: I generated the string with openssl on a Red Hat Linux server: $1$M/wf$iqBnv/g3GuVUsCpWcDFS20, the original password is abc123
Then, I type it into Cisco 6509 switch:
username iiadmin privilege 15 secret 5 $1$M/wf$iqBnv/g3GuVUsCpWcDFS20
and I can login to it by the username: iiadmin and password abc123
Right?
07-27-2015 12:16 AM
kiMaMi:~ karsten$ openssl passwd -salt `openssl rand -base64 3` -1 abc123
$1$AaDc$0bu4m90WnrseeF0Eaj9uo/

inet-home#sh run | i username TESTUSER
inet-home#
inet-home#conf t
Enter configuration commands, one per line. End with CNTL/Z.
inet-home(config)#username TESTUSER secret 5 $1$AaDc$0bu4m90WnrseeF0Eaj9uo/

kiMaMi:~ karsten$ ssh -l TESTUSER 10.255.251.254
Password:
inet-home>sh users | i TESTUSER
* 3 vty 1 TESTUSER idle 00:00:00 10.255.251.118
inet-home>
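An added example, not written by anyone in this thread: a Python check you can run on the admin host before pasting a Type 5 string into `username ... secret 5`. It recomputes the md5crypt (`$1$`) value that `openssl passwd -1` prints and confirms that the string is well-formed and matches the intended plaintext. The names `md5crypt`, `verify_type5` and `TYPE5_RE` are made up for this example, and the format check follows the md5crypt layout, not the IOS parser itself.

```python
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# md5crypt layout: $1$<salt, 1-8 printable chars, no '$'>$<22-char digest>
TYPE5_RE = re.compile(r"\$1\$([!-#%-~]{1,8})\$([./0-9A-Za-z]{22})")

def md5crypt(password: str, salt: str) -> str:
    """Compute the md5crypt ($1$) string that `openssl passwd -1` prints."""
    pw, st = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + st + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + st)
    for i in range(len(pw), 0, -16):       # one alt-digest byte per password byte
        ctx.update(alt[:min(16, i)])
    i = len(pw)
    while i:                                # one byte per bit of the password length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                   # fixed 1000 stretching rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(st)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    out = []                                # crypt-style base64, permuted byte order
    for a, b, d in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[d]
        out += [ITOA64[v >> s & 0x3F] for s in (0, 6, 12, 18)]
    out += [ITOA64[final[11] >> s & 0x3F] for s in (0, 6)]
    return f"$1${st.decode()}${''.join(out)}"

def verify_type5(password: str, stored: str) -> bool:
    """True only if `stored` is a well-formed $1$ string matching `password`."""
    m = TYPE5_RE.fullmatch(stored)
    if m is None:                           # e.g. a plaintext word after "secret 5"
        return False
    return hmac.compare_digest(md5crypt(password, m.group(1)), stored)

if __name__ == "__main__":
    h = "$1$AaDc$0bu4m90WnrseeF0Eaj9uo/"    # hash posted above, plaintext abc123
    print(verify_type5("abc123", h), verify_type5("abc124", h),
          verify_type5("tanjia", "tanjia"))
```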
07-27-2015 01:25 AM
Got it, thanks a lot. Cheers!