hide and setup console password

11-14-2015 03:12 AM - edited 03-08-2019 02:42 AM
I have the following in my config file:
enable password 12345
line con 0
exec-timeout 0 0
line vty 0 4
password 7 12345
login local
length 0
transport input telnet
line vty 5 15
password 7 12345
login local
length 0
transport input telnet
!
The password is 12345, so how do I hide the enable password and the line vty 0 4 and line vty 5 15 passwords?
How do I set up a console password?
11-16-2015 01:06 AM
Core Issue
Proper passwords protect the router from unauthorized access.
Resolution
Follow these steps to configure console passwords.
Note: Before performing this test, ensure that you have an alternate connection into the router, such as Telnet or dial-in, in case there is a problem logging back in to the router.
1. From the privileged EXEC (enable) prompt, enter configuration mode ((config)) and then switch to line configuration mode ((config-line)) by issuing the following commands:
Note: Notice that the prompt changes to reflect the current mode.
router#conf t
!--- Enter configuration commands, one per line. End with CNTL/Z.
router(config)#line con 0
router(config-line)#
2. Configure the password, and enable password checking at login.
router(config-line)#password <password>
router(config-line)#login
3. Exit configuration mode.
router(config-line)#end
router#
%SYS-5-CONFIG_I: Configured from console by console
Note: Do not save your configuration changes until your ability to log in has been verified.
4. Verify the configuration. Examine the configuration of the router to make sure that the commands have been properly entered by issuing the show running-config command. To test the configuration, log off the console with the exit command and log in again, using the configured password to access the router.
router#exit
router con0 is now available
Press RETURN to get started.
5. Save your configuration.
router#write memory
Perform these steps to configure Telnet passwords.
Note: Before performing this test, ensure that you have an alternate connection into the router, such as console or dial-in, in case there is a problem logging back in to the router.
1. From the privileged EXEC (or enable) prompt, enter configuration mode (or (config)) and then switch to line configuration mode ((config-line)), by issuing the following commands:
Note: Notice that the prompt changes to reflect the current mode.
router#conf t
!--- Enter configuration commands, one per line. End with CNTL/Z.
router(config)#line vty 0 4
router(config-line)#
2. Configure the password, and enable password checking at login.
router(config-line)#password <password>
router(config-line)#login
3. Exit configuration mode.
router(config-line)#end
router#
%SYS-5-CONFIG_I: Configured from console by console
Note: Do not save your configuration changes until your ability to log in has been verified.
4. Verify the configuration. Examine the configuration of the router to make sure that the commands have been properly entered, by issuing the show running-config command. Test the configuration by making a Telnet connection to the router. This can be done by connecting from a different host on the network, but you can also do so from the router itself by Telnetting to the IP address of any interface on the router that is in an up/up state as seen in the output of the show interfaces command.
router#telnet <ip address>
5. Save your configuration.
router#write memory
Follow these steps to configure Auxiliary (AUX) port passwords.
Note: Before performing this test, ensure that you have an alternate connection into the router, such as console or Telnet, in case there is a problem logging back in to the router.
1. From the privileged EXEC (or enable) prompt, enter configuration mode ((config)) and then switch to line configuration mode ((config-line)), by issuing the following commands:
Note: Notice that the prompt changes to reflect the current mode.
router#conf t
!--- Enter configuration commands, one per line. End with CNTL/Z.
router(config)#line aux 0
router(config-line)#
2. Configure the password, and enable password checking at login.
router(config-line)#password <password>
router(config-line)#login
3. Exit configuration mode.
router(config-line)#end
Note: Do not save your configuration changes until your ability to log in has been verified.
router#
%SYS-5-CONFIG_I: Configured from console by console
4. Verify the configuration. Examine the configuration of the router to make sure that the commands have been properly entered by issuing the show running-config command. Test the configuration by making an inbound or outbound connection to the line. For specific information on configuring async lines for modem connections, refer to the Modem-Router Connection Guide.
5. Save your configuration.
router#write memory
11-21-2015 07:14 PM
Then in the running config, my console password is in plain text. I want the console password to be secret; how do I do that?
What's the difference between "line con 0" and "line vty 0 4"?

11-21-2015 07:58 PM
Hello,
Set this command on your router.
Config terminal
service password-encryption
Simply, line con 0 is for connecting to the router by console cable and software such as Windows HyperTerminal.
line vty 0 4 is for connecting to the router by Telnet or SSH.
Hope it helps,
Masoud
12-08-2015 01:38 AM
No, if using service password-encryption, it can still be cracked if I have access to the running config. I want a secret console password; how do I do that?
12-08-2015 04:09 AM
Hi. This is what I would do.
Use AAA and the local database to authenticate the console access.
aaa new-model
aaa authentication login default local
When you add the local username and password, do it with secret, not password, e.g.
username <user> privilege 15 secret <password>
This will give you the protection of hiding the passwords.
12-08-2015 04:16 AM
Sorry. I forgot this config :-)
line con 0
login authentication default
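Added example, not part of any post in this thread: a small Python audit that reads an IOS configuration and reports the credential settings discussed here (enable password instead of enable secret, line passwords stored as plaintext or type 7, a console line with no login check, Telnet on a line). The function name `audit`, both sample configurations, the username `admin` and the `<hash>` placeholder are constructed for illustration.

```python
import re

# Constructed sample: the configuration quoted in the question, as posted.
POSTED = """enable password 12345
line con 0
exec-timeout 0 0
line vty 0 4
password 7 12345
login local
transport input telnet
"""

# Constructed sample: enable secret plus the AAA/local-user approach from the
# replies. <hash> is a placeholder, not a real digest.
HARDENED = """enable secret 9 <hash>
aaa new-model
aaa authentication login default local
username admin privilege 15 secret 9 <hash>
line con 0
login authentication default
line vty 0 4
login authentication default
transport input ssh
"""

def audit(config):
    """Return (context, finding) tuples for weak credential settings."""
    findings, line, has_login = [], None, False
    def end_block():  # a console line asks for no password unless login is set
        if line and line.startswith("line con") and not has_login:
            findings.append((line, "console has no login check"))
    for text in (raw.strip() for raw in config.splitlines()):
        if text.startswith(("line ", "!")):  # a new line block or a separator
            end_block()
            line, has_login = (text if text.startswith("line ") else None), False
        elif re.match(r"enable password\b", text):
            findings.append(("global", "enable password used instead of enable secret"))
        elif re.match(r"username \S+ (?:privilege \d+ )?password\b", text):
            findings.append(("global", "username uses password instead of secret"))
        elif line and (m := re.match(r"password(?: (\d))? \S+", text)):
            kind = "type 7, reversible" if m.group(1) == "7" else "plaintext"
            findings.append((line, f"line password stored as {kind}"))
        elif line and text.startswith("login"):
            has_login = True
        elif line and re.match(r"transport input\b.*\b(telnet|all)\b", text):
            findings.append((line, "telnet permitted on this line"))
    end_block()
    return findings
```

Run `audit()` on the text of `show running-config`; it accepts both indented output and the unindented form pasted in this thread.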
11-16-2015 01:07 AM
Setting the Enable, Console, and vty Passwords on Router/SW
R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#enable password falcons
R1(config)#line con 0
R1(config-line)#password falcons
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password falcons
R1(config-line)#^Z
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#copy running-config startup-config
Building configuration...
[OK]
R1#
11-22-2015 02:30 PM
As I read the original post it seems to me that the essential question is how to hide the passwords. I agree with Masoud that the real answer here is service password-encryption.
I would like to point out one other aspect of the original post. In the original post it has this
password 7 12345
and tells us that the password is 12345. That is not correct. The "7" in that line tells the router that the password is encrypted and what shows in the config is the cryptographic representation of the password and not the password itself. So 12345 is the crypto text representing the password and not the password itself.
HTH
Rick
