04-27-2023 07:07 AM
Hi guys,
I'm a bit confused: what worked like a charm for many, many years seems not to work for me anymore, actually for the first time.
I put in a username/secret like follows:
username blabla privilege 15 secret <Cleartextpassword>
Afterwards I take the line from the running config
username blabla privilege 15 secret 9 fsfsfunnyhashedpasswordnln3452
and try to copy it to another routers config, which always worked for me.
Today: I end up in a line
% Incomplete command.
Or, when I generate the line I want to copy using
username blabla privilege 15 algorithm-type scrypt secret <Cleartextpassword>
pasting it (the encrypted config line) to another router ends with THAT message:
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 9 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.
I'm aware of the concept of hashes and salts, but should it really no longer be possible to generate such user/secret lines on one Cisco box next to you for the colleagues and paste this handful of lines to other Cisco devices? We cannot have an AAA server for this purpose; some of these customers don't even have more than a PC behind the routers. So, simply a local personalized login for us staff is the weapon of choice.
Does anybody know a workaround for this problem?
BTW:
I tried on various switches with 15.x and Cisco ISR4k routers with IOS-XE 16.x and 17.x ... everywhere the same game.
Thanks in advance for any input!
Kind regards,
Andreas
05-07-2023 10:18 AM
I suggest moving your question to an IOS switch or router forum, not ISE, since this is clearly an IOS CLI-specific question.
05-08-2023 12:20 AM
Many thanks, Thomas; my fault for creating that post in sort of a hurry.
05-07-2023 11:32 AM
Hi
There are many similar posts here. It seems Cisco changed some security policy related to it. And if we think it through, it makes sense. Being able to replicate a password between devices is a security risk.
05-08-2023 12:27 AM
I agree with you and completely understand that concern, but not being able to simply copy and paste a pre-encrypted/hashed line with a secret is also not too helpful in certain cases.
Just think about it: I would have to add a certain colleague who should help us in monitoring or troubleshooting, or simply a new team member who needs access to a device locally (without using AAA, RADIUS or whatever, because sometimes routers and switches are deployed in a very small environment), on all the devices, PER device.
This is a bit overcomplicated, instead of having a set of config lines as a (let's say) default when configuring a new device, or simply adding it via script runs with Ansible.
So, I am still searching for a solution for this.
Not sure if it will do the trick, didn't try it yet, but maybe I do the same on an old device (MD5) and while pasting it onto a new device it gets automatically "leveled up" to type 9.
Let's see.
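As an added example (not from the thread, not Cisco's code): a small Python audit of `username` lines in a saved IOS config that classifies each secret's encoding type and flags the same malformed-hash condition the router rejects above. The sample config lines and hash values are constructed placeholders, not real hashes.

```python
import re
from dataclasses import dataclass, field

# Cisco IOS / IOS-XE secret encoding types (well-known numbering).
TYPE_INFO = {
    "0": ("cleartext", "weak"),
    "4": ("unsalted SHA-256, deprecated", "weak"),
    "5": ("salted MD5", "legacy"),
    "7": ("reversible Vigenere obfuscation", "weak"),
    "8": ("PBKDF2-SHA-256", "strong"),
    "9": ("scrypt", "strong"),
}
LINE_RE = re.compile(
    r"^username\s+(?P<user>\S+)(?:\s+privilege\s+(?P<priv>\d+))?"
    r"(?:\s+algorithm-type\s+\S+)?\s+(?P<kw>secret|password)"
    r"(?:\s+(?P<type>\d))?\s+(?P<value>\S+)$"
)
HASH_RE = re.compile(r"^\$(?P<t>\d)\$[^$]+\$[^$]+$")  # $<type>$<salt>$<digest>

@dataclass
class Finding:
    user: str
    enc_type: str   # Cisco type number; "0" when the line carries cleartext
    rating: str
    issues: list = field(default_factory=list)

def audit_line(line):
    """Classify one 'username ...' line; returns None for other config lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    kw, t, value, issues = m["kw"], m["type"], m["value"], []
    if kw == "password":
        issues.append("uses 'password' instead of 'secret'")
    if t is None:  # no type number: the value is the cleartext to be hashed
        return Finding(m["user"], "0", "weak", issues + ["cleartext in stored line"])
    label, rating = TYPE_INFO.get(t, ("unknown type", "unknown"))
    if rating in ("weak", "legacy"):
        issues.append(f"type {t} ({label}) is {rating}")
    if t in ("5", "8", "9"):  # hashed types carry a $<n>$salt$digest value
        h = HASH_RE.match(value)
        if h is None or h["t"] != ("1" if t == "5" else t):
            issues.append(f"value is not a well-formed type {t} hash")
    return Finding(m["user"], t, rating, issues)

def audit_config(text):
    return [f for f in map(audit_line, text.splitlines()) if f is not None]

SAMPLE = """\
username blabla privilege 15 secret 9 $9$CONSTRUCTEDSALT$CONSTRUCTEDDIGEST
username oldbox secret 5 $1$salt$constructedmd5digest
username helper password 7 0123456789ABCDEF
username pasted privilege 15 secret 9 fsfsfunnyhashedpasswordnln3452
"""
```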