cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco Community Designated VIP Class of 2020

7391
Views
10
Helpful
5
Replies
Contributor

line console password vs privilege mode enable secret

Hi all,

 

Below is my running config ->
line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login

 

q1) how come every time i will enter privilege mode once i enter the console password ? can I choose to enter normal user mode instead ? is it via setting the privilege level ?


q2) I understand that for enable privilege mode, i can set secret/encrypted password for the enabling.

R1#config t
R1(config)#enable secret cisco

Where does the encryption take place ? is it only to just md5 the password text in the configuration file only ?  if i were to sniff the password over the network, i will still see clear text "cisco" ?


q3) Why can't i do so (setting secret/encrypted) password for line (vty,con etc) login ?


q4) for q3, after google, i realize i need to issue service password-Encryption

a) does this command "encrypt" again my current enable secret password ? -- i think its no cause i see no changes in show run

b) why do we have to issue this command to encrypt my line,vty etc password ? why can't we use the "secret" command ?

c) what the different between this "service password-Encryption" and "secret" ?  why do we need to have both ?


q5) is all the service password-Encryption, enable secret etc, just basically hashing or encrypting the actual text password in the config file. is there anyway of encryption over the network ?

 

Thanks,
Noob

2 ACCEPTED SOLUTIONS

Accepted Solutions
Rising star

In order to prevent the

In order to prevent the console going straight into enable mode, you need to remove the following line:

line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login

​Privilege level 15 takes you straight into enable mode.

In regards to the other questions. I would have a little read of this:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html 

 

View solution in original post

Rising star

a) why vty, console line

a) why vty, console line cannot have hashed password like enable secret ? -- the only way to use secret is to have login local and create local username with secret password

Because they can't, its as simple as that really.
Like you said, the only way to protect the password using an MD5 hash is to create a username and password and ensure you use the secret command like:

username admin secret password

b) is all the service password-Encryption, enable secret etc, just basically hashing or encrypting the actual text password in the config file. is there anyway of encryption over the network ? 

Its just using an MD5 hash
Where its encrypted or not over the network will depend on whether you use Telnet or SSH to connect to the switch.
Telnet is plain text so even using an MD5 password will still be visible if someone were to packet capture your telnet session.
SSH in encrypted so use this whenever possible. 

View solution in original post

5 REPLIES 5

HiWe see your posts...

Hi

We see your posts... sometimes there are delays before they appear. Don't sweat it.

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
Rising star

In order to prevent the

In order to prevent the console going straight into enable mode, you need to remove the following line:

line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login

​Privilege level 15 takes you straight into enable mode.

In regards to the other questions. I would have a little read of this:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html 

 

View solution in original post

Contributor

Hi Devil, Thanks for the

Hi Devil,

 

Thanks for the reply.

Read through the documentation, but it still doesn't directly answer the following questions below

a) why vty, console line cannot have hashed password like enable secret ? -- the only way to use secret is to have login local and create local username with secret password

 

b) is all the service password-Encryption, enable secret etc, just basically hashing or encrypting the actual text password in the config file. is there anyway of encryption over the network ? 

I mean with all these encryption and hashing, when i connect over to the terminal using telnet, and i enter clear text password, these aint encrypted. what should we do ?

 

Regards,

Noob

 

Rising star

a) why vty, console line

a) why vty, console line cannot have hashed password like enable secret ? -- the only way to use secret is to have login local and create local username with secret password

Because they can't, its as simple as that really.
Like you said, the only way to protect the password using an MD5 hash is to create a username and password and ensure you use the secret command like:

username admin secret password

b) is all the service password-Encryption, enable secret etc, just basically hashing or encrypting the actual text password in the config file. is there anyway of encryption over the network ? 

Its just using an MD5 hash
Where its encrypted or not over the network will depend on whether you use Telnet or SSH to connect to the switch.
Telnet is plain text so even using an MD5 password will still be visible if someone were to packet capture your telnet session.
SSH in encrypted so use this whenever possible. 

View solution in original post

Contributor

thank you devil. and thanks

thank you devil.

 

and thanks aaron!

CreatePlease to create content
Content for Community-Ad