
Got an error when I am going to update password on cisco switches.

tanjia1128
Level 1

I am going to change the password to a new one, but I got the issue as below:

test(config)#username test privilege 15 secret 5 tanjia
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.

How can I update the password to privilege level 15 and secret type 5?

 

Thanks!

 

1 Accepted Solution

kiMaMi:~ karsten$ openssl passwd -salt `openssl rand -base64 3` -1 abc123
$1$AaDc$0bu4m90WnrseeF0Eaj9uo/

 

inet-home#sh run | i username TESTUSER
inet-home#
inet-home#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
inet-home(config)#username TESTUSER secret 5 $1$AaDc$0bu4m90WnrseeF0Eaj9uo/

 

kiMaMi:~ karsten$ ssh -l TESTUSER 10.255.251.254

Password:

inet-home>sh users | i TESTUSER
*  3 vty 1     TESTUSER   idle                 00:00:00 10.255.251.118
inet-home>


9 Replies

Mark Malone
VIP Alumni

Hi, you need an already encrypted password for it to be hidden and to be accepted as secret 5.

Leave out the 5; it will encrypt your password as it's a secret, and you can set service password-encryption.

Thanks, Mark. Do you know how to use the openssl tool to generate a Type 5 password on the Cisco switch? I don't know if there is a shell that can execute the "openssl" tool.

 

 

By the way, I found the way to generate the secret.

Please see the details:


Using the openssl Tool to Generate a Type 5 Password

1) The openssl tool can generate a Type 5 password when using a specific set of command-line arguments, as follows:

openssl passwd -salt `openssl rand -base64 3` -1 PLAINTEXT_PASSWORD

Administrators must replace the string PLAINTEXT_PASSWORD with the appropriate plaintext password. The following example uses the string Th1z#1s+53kri7 as the plaintext password:

hostname$ openssl passwd -salt `openssl rand -base64 3` -1 Th1z#1s+53kri7
$1$dxVt$FSJmj1O6JUZdbUjxZkIuD.

2) Copy the resulting Type 5 password (which is $1$dxVt$FSJmj1O6JUZdbUjxZkIuD. in the preceding example).

Note: Depending on the characters in the plaintext password, you may need to enclose it between quotes.

 

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4

 

But how can I use openssl on the Cisco switches/routers to generate it?

 

Thanks!

Hi

Maybe I am wrong here; someone else will be able to clarify. I did not think the actual router could generate type 4 SHA or type 5 MD5 the way openssl can. Obviously it will encrypt it with MD5 or SHA if you just use secret without 5 or 4, but I think it just gives you the option to put in your own external encrypted password. The Cisco router uses MD5 encryption itself once secret is set on its own without a number.

It's OpenSSL that can generate hashes (not encryption) that are compatible with Cisco IOS. So the above example is perfectly valid. I used it when I configured routers through TeamViewer sessions, but the user of the onsite PC should not see the actual password.

 

Thanks, Karsten.

You mean I generate the MD5 hashes with OpenSSL on a Linux host and then can use this string "$1$xxxxxxxxxxxxxxxxxxx" on the Cisco IOS?

For example: I generated the string with openssl on a Red Hat Linux server: $1$M/wf$iqBnv/g3GuVUsCpWcDFS20; the original password is abc123.

Then I type it into a Cisco 6509 switch:

username iiadmin privilege 15 secret 5 $1$M/wf$iqBnv/g3GuVUsCpWcDFS20

and I can log in to it with the username iiadmin and password abc123.

Right?

 

 


Got it, thanks a lot. Cheers!

Thanks Karsten! This helped me a lot as well.

Question: how does Cisco IOS parse the generated string? E.g. why won't it accept a plain MD5 hashed string?

cheers
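The following is an added example, not code from the thread or from Cisco. It answers the last question above and also shows what the openssl procedure quoted earlier actually produces: a type 5 secret is not a plain MD5 digest but an md5crypt string, i.e. "$1$" + salt + "$" + a 1000-round salted MD5 encoded with md5crypt's own 64-character alphabet. The md5crypt routine below is the FreeBSD algorithm that `openssl passwd -1` implements; the `TYPE5_RE` shape check and the `username_line` helper are my assumptions about how an administrator would validate and use the string, not IOS internals. The checked value is the hash Karsten generated for abc123 with salt AaDc, so the code reproduces his openssl output without openssl being present.

```python
import hashlib
import re
import secrets

# md5crypt's encoding alphabet. It is NOT standard base64, which is one reason
# a hex MD5 digest (or a base64 one) is rejected by `secret 5`.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
# Assumed shape of a well-formed type 5 string: $1$<1-8 char salt>$<22 chars>.
TYPE5_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")


def _to64(value: int, count: int) -> str:
    """Emit `count` 6-bit groups of `value`, least-significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """FreeBSD md5crypt: the algorithm behind `openssl passwd -1` and IOS type 5."""
    pw = password.encode("utf-8")
    salt_b = salt[:8].encode("ascii")  # md5crypt uses at most 8 salt characters

    ctx = hashlib.md5(pw + MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for remaining in range(len(pw), 0, -16):       # mix in alt, len(pw) bytes total
        ctx.update(alt[: min(16, remaining)])
    bit = len(pw)
    while bit:                                     # one byte per bit of len(pw)
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    for i in range(1000):                          # the deliberate slow-down rounds
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Bytes are interleaved in md5crypt's fixed order before encoding.
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    encoded += _to64(final[11], 2)
    return "$1$" + salt_b.decode("ascii") + "$" + encoded


def new_salt(length: int = 4) -> str:
    """Random salt from the md5crypt alphabet (four chars, like `openssl rand -base64 3`)."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def generate_type5(password: str) -> str:
    """Equivalent of `openssl passwd -salt <random> -1 PASSWORD`."""
    return md5crypt(password, new_salt())


def is_valid_type5(secret: str) -> bool:
    """Shape check (assumed): what IOS rejects with 'not a valid encrypted secret'."""
    return TYPE5_RE.match(secret) is not None


def verify_type5(password: str, secret: str) -> bool:
    """Recompute with the stored salt and compare, as a login check would."""
    m = TYPE5_RE.match(secret)
    if not m:
        return False
    return secrets.compare_digest(md5crypt(password, m.group(1)), secret)


def username_line(user: str, password: str, privilege: int = 15) -> str:
    """Build the IOS command line from the thread, with a freshly salted secret."""
    return f"username {user} privilege {privilege} secret 5 {generate_type5(password)}"


if __name__ == "__main__":
    # Karsten's openssl output from the thread, reproduced offline.
    print(md5crypt("abc123", "AaDc"))
    print(username_line("TESTUSER", "abc123"))
```

Because the salt is part of the string, two runs for the same password give different secrets, and the one pasted into `username ... secret 5` must carry its own salt for IOS to recompute and compare at login. Type 5 is salted MD5 and is no longer the strongest option on current IOS releases, so the same workflow is worth repeating with whatever stronger secret type the platform supports.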