hide and setup console password

petercinvest
Level 1

I have the following in my config file:

enable password 12345

line con 0
exec-timeout 0 0
line vty 0 4
password 7 12345
login local
length 0
transport input telnet
line vty 5 15
password 7 12345
login local
length 0
transport input telnet
!

The password is 12345, so how do I hide the enable password and the line vty 0 4 and line vty 5 15 passwords?

How do I set up a console password?


InayathUlla Sharieff
Cisco Employee

Core Issue

Proper passwords protect the router from unauthorized access.

Resolution

Follow these steps to configure console passwords.

Note: Before performing this test, ensure that you have an alternate connection into the router, such as Telnet or dial-in, in case there is a problem logging back in to the router.

  1. From the privileged EXEC (enable) prompt, enter configuration mode ((config)) and then switch to line configuration mode ((config-line)), by issuing the following commands:

    Note: Notice that the prompt changes to reflect the current mode.

    router#conf t
    !--- Enter configuration commands, one per line. End with CNTL/Z.
    router(config)#line con 0
    router(config-line)#

  2. Configure the password, and enable password checking at login.

    router(config-line)#password <password>
    router(config-line)#login

  3. Exit configuration mode.

    router(config-line)#end
    router#
    %SYS-5-CONFIG_I: Configured from console by console

    Note: Do not save your configuration changes until your ability to log in has been verified.

  4. Verify the configuration. Examine the configuration of the router to make sure that the commands have been properly entered by issuing the show running-config command. To test the configuration, log off the console with the exit command and log in again, using the configured password to access the router.

    router#exit
    router con0 is now available
    Press RETURN to get started.

  5. Save your configuration.

    router#write memory

Perform these steps to configure Telnet passwords.

Note: Before performing this test, ensure that you have an alternate connection into the router, such as console or dial-in, in case there is a problem logging back in to the router.

  1. From the privileged EXEC (or enable) prompt, enter configuration mode (or (config)) and then switch to line configuration mode ((config-line)), by issuing the following commands:

    Note: Notice that the prompt changes to reflect the current mode.

    router#conf t
    !--- Enter configuration commands, one per line. End with CNTL/Z.
    router(config)#line vty 0 4
    router(config-line)#

  2. Configure the password, and enable password checking at login.

    router(config-line)#password <password>
    router(config-line)#login

  3. Exit configuration mode.

    router(config-line)#end
    router#
    %SYS-5-CONFIG_I: Configured from console by console

    Note: Do not save your configuration changes until your ability to log in has been verified.

  4. Verify the configuration. Examine the configuration of the router to make sure that the commands have been properly entered, by issuing the show running-config command. Test the configuration by making a Telnet connection to the router. This can be done by connecting from a different host on the network, but you can also do so from the router itself by Telnetting to the IP address of any interface on the router that is in an up/up state as seen in the output of the show interfaces command.

    router#telnet <ip address>

  5. Save your configuration.

    router#write memory

Follow these steps to configure Auxiliary (AUX) port passwords.

Note: Before performing this test, ensure that you have an alternate connection into the router, such as console or Telnet, in case there is a problem logging back in to the router.

  1. From the privileged EXEC (or enable) prompt, enter configuration mode ((config)) and then switch to line configuration mode ((config-line)), by issuing the following commands:

    Note: Notice that the prompt changes to reflect the current mode.

    router#conf t
    !--- Enter configuration commands, one per line. End with CNTL/Z.
    router(config)#line aux 0
    router(config-line)#

  2. Configure the password, and enable password checking at login.

    router(config-line)#password <password>
    router(config-line)#login

  3. Exit configuration mode.

    router(config-line)#end
    router#
    %SYS-5-CONFIG_I: Configured from console by console

    Note: Do not save your configuration changes until your ability to log in has been verified.

  4. Verify the configuration. Examine the configuration of the router to make sure that the commands have been properly entered by issuing the show running-config command. Test the configuration by making an inbound or outbound connection to the line. For specific information on configuring async lines for modem connections, refer to the Modem-Router Connection Guide.

  5. Save your configuration.

    router#write memory

Then in the running config, my console password is in plain text. I want the console password to be secret; how do I do that?

What's the difference between "line con 0" and "line vty 0 4"?

Hello,

Set this command on your router.

Config terminal

service password-encryption

Simply, line con 0 is for connecting to the router by console cable and software such as Windows HyperTerminal.

line vty 0 4 is for connecting to the router by Telnet or SSH.

Hope it helps,

Masoud

No, if using service password-encryption, it can still be cracked if I have access to the running config. I want a secret console password; how do I do that?

Hi. This is what I would do.

Use AAA and the local database to authenticate the console access.

aaa new-model

aaa authentication login default local

When you add the local username and password, do it with secret, not password, e.g.

username <user> privilege 15 secret <password>

This will give you the protection of hiding the passwords.

Sorry. I forgot this config :-)

line con 0

login authentication default
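
An added example, not part of any reply in this thread: a small Python audit that flags the password storage issues discussed above (plaintext and type 7 `password` entries, a console with no login) in a saved configuration. The sample config is constructed from the original post; the indented `show running-config` layout, the `admin` username and the placeholder hash are assumptions.

```python
import re

# Constructed sample modelled on the configuration quoted in the original post,
# laid out with the indentation that "show running-config" produces (assumption).
SAMPLE_CONFIG = """\
enable password 12345
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password 7 12345
 login local
 transport input telnet
username admin privilege 15 secret 5 $1$constructed$placeholder
"""

# Matches "enable password", "username X password" and line-level "password",
# capturing the optional type digit (0 = plaintext, 7 = reversible encoding).
PASSWORD_RE = re.compile(
    r"^(?:enable |username \S+ (?:privilege \d+ )?)?password (?:(\d) )?\S+")

def audit(config):
    """Return (context, finding) pairs for weakly stored or missing passwords."""
    findings, ctx, has_login, aaa = [], None, {}, False
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if not raw[0].isspace():            # non-indented line: global command
            ctx = cmd if cmd.startswith("line ") else None
            aaa = aaa or cmd == "aaa new-model"
            if ctx:
                has_login[ctx] = False
                continue
        match = PASSWORD_RE.match(cmd)
        if match:
            kind = "type 7 (reversible)" if match.group(1) == "7" else "plaintext"
            fix = ("authenticate the line against a 'username ... secret' account"
                   if ctx else "use the 'secret' keyword instead of 'password'")
            findings.append((ctx or "global", f"{kind} password; {fix}"))
        elif ctx and cmd.startswith("login"):
            has_login[ctx] = True
    for block, ok in has_login.items():
        if block.startswith("line con") and not ok and not aaa:
            findings.append((block, "no login command; console needs no password"))
    return findings

if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```
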

InayathUlla Sharieff
Cisco Employee

Setting the Enable, Console, and vty Passwords on Router/SW

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#enable password falcons
R1(config)#line con 0
R1(config-line)#password falcons
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password falcons
R1(config-line)#^Z
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#copy running-config startup-config
Building configuration...
[OK]
R1#

As I read the original post it seems to me that the essential question is how to hide the passwords. I agree with Masoud that the real answer here is service password-encryption.

I would like to point out one other aspect of the original post. In the original post it has this

password 7 12345

and tells us that the password is 12345. That is not correct. The "7" in that line tells the router that the password is encrypted and what shows in the config is the cryptographic representation of the password and not the password itself. So 12345 is the crypto text representing the password and not the password itself.

HTH

Rick
