04-22-2015 12:02 AM - edited 03-07-2019 11:40 PM
Hi all,
Below is my running config ->
line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login
q1) How come I enter privileged mode every time once I enter the console password? Can I choose to enter normal user mode instead? Is it via setting the privilege level?
q2) I understand that for enable (privileged) mode, I can set a secret/encrypted password for enabling.
R1#config t
R1(config)#enable secret cisco
Where does the encryption take place? Is it only to MD5 the password text in the configuration file? If I were to sniff the password over the network, would I still see the clear text "cisco"?
q3) Why can't I do the same (set a secret/encrypted password) for line (vty, con etc.) login?
q4) For q3, after googling, I realise I need to issue service password-encryption.
a) Does this command "encrypt" my current enable secret password again? -- I think it's no, because I see no changes in show run.
b) Why do we have to issue this command to encrypt my line, vty etc. passwords? Why can't we use the "secret" command?
c) What is the difference between this "service password-encryption" and "secret"? Why do we need to have both?
q5) Are all of service password-encryption, enable secret etc. just basically hashing or encrypting the actual text password in the config file? Is there any way of encrypting over the network?
Thanks,
Noob
04-22-2015 05:25 AM
In order to prevent the console going straight into enable mode, you need to remove the following line:
line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login
Privilege level 15 takes you straight into enable mode.
In regards to the other questions. I would have a little read of this:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html
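An added example, not part of the thread or of Cisco's documentation: a short Python script that splits a running-config into its line stanzas and flags the settings discussed here (the console "privilege level 15" that drops you straight into enable mode, a line "password" instead of "login local" with a secret, "service password-encryption" left off, and vty lines that still accept Telnet). Both sample configs are constructed: the weak one is the console stanza posted above plus an assumed "enable password" and vty stanza, and the hardened one shows the same device as you would type it after the fixes (the passphrases are placeholders; "show run" would display them as type 5 hashes). The parser only recognises "line ..." stanzas and treats everything else as global, which is all this check needs.

```python
# Audit an IOS running-config for the weak settings discussed in this thread.
# Constructed sample input: the console stanza posted above, plus an
# 'enable password' line and a vty stanza assumed for illustration.
SAMPLE_CONFIG = """\
!
enable password cisco
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password cisco
 logging synchronous
 login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
"""

# The same device as it would be entered after fixing each finding.
# Assumed placeholder values; 'show run' would show the secrets as type 5 hashes.
HARDENED_CONFIG = """\
!
service password-encryption
ip domain-name lab.example
ip ssh version 2
username admin privilege 15 secret Adm1n-example-passphrase
enable secret En4ble-example-passphrase
!
line con 0
 exec-timeout 5 0
 logging synchronous
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
!
"""


def parse_stanzas(config: str) -> dict:
    """Split a running-config into {'global': [...], 'line con 0': [...], ...}.

    Only 'line ...' headers start a stanza; everything else, including the
    bodies of other sections such as interfaces, is kept under 'global'.
    """
    stanzas = {"global": []}
    current = "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            stanzas[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        else:
            current = "global"
            stanzas["global"].append(raw.strip())
    return stanzas


def audit(config: str) -> list:
    """Return one human-readable finding per weak setting; an empty list means clean."""
    st = parse_stanzas(config)
    g = st["global"]
    findings = []
    has_enable_secret = any(ln.startswith("enable secret") for ln in g)
    if any(ln.startswith("enable password") for ln in g) and not has_enable_secret:
        findings.append("global: 'enable password' is clear text or type 7 (reversible); use 'enable secret' instead")
    if "service password-encryption" not in g:
        findings.append("global: 'service password-encryption' is off, so line passwords sit in 'show run' in clear text")
    for name, lines in st.items():
        if not name.startswith("line "):
            continue
        if "privilege level 15" in lines:
            findings.append(f"{name}: 'privilege level 15' drops the session straight into enable mode; remove it")
        if any(ln.startswith("password ") for ln in lines):
            findings.append(f"{name}: a line 'password' can at best be type 7 (reversible); use 'login local' with 'username ... secret'")
        if "login" in lines:
            findings.append(f"{name}: 'login' checks the shared line password; prefer 'login local' and per-user accounts")
        if name.startswith("line vty"):
            transport = next((ln for ln in lines if ln.startswith("transport input")), None)
            # No 'transport input' line: assume the platform default, which permits Telnet.
            if transport is None or "telnet" in transport or transport.endswith(" all"):
                findings.append(f"{name}: Telnet is allowed ('{transport or 'transport input not set'}'); set 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it against a saved "show run" to get the list of things to change; the hardened sample comes back with no findings, which is the shape the console and vty stanzas should end up in.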
04-23-2015 03:09 AM
a) Why can't vty and console lines have a hashed password like enable secret? -- the only way to use secret is to have login local and create a local username with a secret password
Because they can't, it's as simple as that really.
Like you said, the only way to protect the password using an MD5 hash is to create a username and password and ensure you use the secret command, like:
username admin secret password
b) Are all of service password-encryption, enable secret etc. just basically hashing or encrypting the actual text password in the config file? Is there any way of encrypting over the network?
It's just using an MD5 hash.
Whether it's encrypted or not over the network will depend on whether you use Telnet or SSH to connect to the switch.
Telnet is plain text, so even using an MD5 password it will still be visible if someone were to packet capture your telnet session.
SSH is encrypted, so use this whenever possible.
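As an added illustration of what "It's just using an MD5 hash" versus "service password-encryption" means for the stored config (example code, not Cisco's): a type 7 string is an XOR of the password against a fixed, publicly known key, so anyone holding the config can turn it back into the password; a type 5 string ("enable secret", "username ... secret") is FreeBSD-style salted MD5-crypt, which can only be verified, not reversed. The type 7 key is the well-known constant; the salt and passwords used below are sample values. Neither form does anything for the password on the wire, which is the Telnet-versus-SSH point above.

```python
import hashlib
import hmac

# Two ways IOS stores a password in the running-config:
#  - type 7 ('service password-encryption'): XOR against a fixed, well-known key;
#    trivially reversible, so it only hides the password from someone glancing at the screen;
#  - type 5 ('enable secret', 'username ... secret'): FreeBSD-style salted MD5-crypt
#    ($1$salt$hash), a one-way hash that can be verified but not decoded.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext of a type 7 string, e.g. '0822455D0A16' -> 'cisco'."""
    seed = int(encoded[:2])          # first two digits: starting offset into TYPE7_KEY
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body)).decode()


def type7_encode(plain: str, seed: int = 8) -> str:
    """Inverse of type7_decode; IOS chooses the seed itself, any offset into the key works here."""
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(plain.encode()))
    return f"{seed:02d}{body.hex().upper()}"


def _to64(value: int, count: int) -> str:
    """MD5-crypt's own base64 variant: 6 bits at a time, least significant first."""
    out = ""
    for _ in range(count):
        out += chr(_ITOA64[value & 0x3F])
        value >>= 6
    return out


def md5_crypt(password: str, salt: str) -> str:
    """Type 5 hash: FreeBSD MD5-crypt, returned in the '$1$salt$hash' form IOS shows."""
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for i in range(len(pw)):                 # as many bytes of MD5(pw, salt, pw) as pw is long
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                                 # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                    # fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return f"$1${salt}${encoded}"


def md5_crypt_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored type 5 string (constant-time compare)."""
    if not stored.startswith("$1$"):
        return False
    _, _, salt, _ = stored.split("$", 3)
    return hmac.compare_digest(md5_crypt(password, salt), stored)


if __name__ == "__main__":
    print("type 7 0822455D0A16 ->", type7_decode("0822455D0A16"))        # sample value
    h = md5_crypt("cisco", "mERr")                                        # sample salt
    print("type 5 for 'cisco' with salt mERr:", h)
    print("verify 'cisco':", md5_crypt_verify("cisco", h), " verify 'Cisco':", md5_crypt_verify("Cisco", h))
```

Because the type 7 transform needs no secret, a leaked config that still has "password 7 ..." lines is a credential leak, which is why the advice is "login local" with "username ... secret" rather than relying on service password-encryption.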
04-22-2015 02:31 AM
Hi
We see your posts... sometimes there are delays before they appear. Don't sweat it.
Aaron
04-22-2015 12:22 PM
Hi Devil,
Thanks for the reply.
I read through the documentation, but it still doesn't directly answer the following questions:
a) Why can't vty and console lines have a hashed password like enable secret? -- the only way to use secret is to have login local and create a local username with a secret password
b) Are all of service password-encryption, enable secret etc. just basically hashing or encrypting the actual text password in the config file? Is there any way of encrypting over the network?
I mean, with all this encryption and hashing, when I connect to the terminal using telnet and enter the clear text password, it isn't encrypted. What should we do?
Regards,
Noob
04-23-2015 12:10 PM
Thank you Devil.
And thanks Aaron!