
04-12-2022 02:12 AM
Hello,
I've already got SSH access configured on my 9200L and it gave me a prompt for an admin user straight after when trying to log in, however I didn't know the password. I've since created a user (config)#username XXX password XXX however this appears in unencrypted format. I've tried different command options to encrypt the password but these either give an ambiguous error or encrypt everything after the password prompt.
I've read another thread on here saying to use the secret command instead of password, but the SSH prompt doesn't allow me to log in with the secret and only gives me a password prompt.
I am fairly new to this level of programming so I'm probably missing something very obvious or silly, so some help on the matter would be greatly appreciated. I could leave the password in cleartext on the config, but I want to do it properly.
Labels: Catalyst 9000
Accepted Solutions
04-12-2022 04:53 AM
0 is clear; you need to use anything above, like you said 7, to encrypt. Check the one below, it helps better:
https://learningnetwork.cisco.com/s/article/cisco-routers-password-types
04-12-2022 03:57 AM
Did you try "service password-encryption"?
Which 9200 IOS version do you have?
04-12-2022 04:07 AM
It's IOS 16.12
How would you integrate the command, or is it a separate command you apply to the switch that automatically encrypts all level 0 passwords?
04-12-2022 04:21 AM
The command above should encrypt all passwords. Did it work?
04-12-2022 04:35 AM
Yes, this appears to have worked. I'm sure I tried this before but it didn't work; nonetheless I am happy it has now. The username password is encrypted to level 7. I think this command may have also encrypted another password that I think was in cleartext level 0 before.
Exactly what effect does applying this command have on any level 0 passwords? Does it simply encrypt any level 0 passwords found to level 7? I've read the level 7 encryption is quite easily crackable, is there any way to apply this command to level 9 instead?
04-12-2022 04:42 AM - edited 04-12-2022 04:42 AM
This command is as it is, you can't execute it differently.
What you should do is create your password properly.
Device> enable
Device# configure terminal
Device(config)# enable password level 12 example123
or
Device(config)# enable secret 9 $9$sMLBsTFXLnnHTk$0L82
Device(config)# service password-encryption
04-12-2022 04:53 AM
Thanks for your explanation above. I have properly set up enable secret and password to protect access to privileged exec. What I am trying to set up is a user to log in to SSH with, as I tried the enable secret with username admin and root and it didn't work.
04-12-2022 04:59 AM
I think I tried to access the above link before and it didn't work properly, I'm pleased to say this one did. So how would you execute the type 9 password with a username for purposes of logging in to SSH?

04-12-2022 05:08 AM
I've just tried the command mentioned in the link you sent- I skimmed over the bit I needed of course (doh).
R1(config)# username [user] algorithm-type scrypt secret [pw]
This is what I submitted and it appears to have hashed the password to scrypt. Done a show run and the password shows as secret 9 followed by encrypted password.
I should be able to do this to the enable password as well yes?
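
Added example, not part of the thread or any poster's code: a small Python audit that reads a saved running-config and reports which stored credentials still use the type 0 or type 7 forms discussed above instead of a type 9 secret. The sample config and every value in it are constructed; the type 5 and type 8 descriptions come from general IOS documentation rather than from the thread.

```python
import re

# Types 0, 7 and 9 as described in the thread; 5 and 8 are added from
# general IOS documentation (they are not discussed in the thread).
TYPES = {
    0: ("cleartext", "FAIL"),
    7: ("reversible obfuscation", "FAIL"),
    5: ("salted MD5 hash", "WARN"),
    8: ("PBKDF2-SHA-256 hash", "OK"),
    9: ("scrypt hash", "OK"),
}

CRED = re.compile(
    r"^\s*(?P<ctx>username\s+\S+(?:\s+privilege\s+\d+)?|enable|)\s*"
    r"(?P<kw>password|secret)(?:\s+level\s+\d+)?"
    r"(?:\s+(?P<type>\d)(?=\s+\S))?\s+(?P<value>.+?)\s*$"
)

def audit(config):
    """Return (line_no, subject, type, verdict, description) per credential."""
    findings, section = [], "global"
    for no, line in enumerate(config.splitlines(), 1):
        if line and not line[0].isspace():
            section = line.strip()      # remember e.g. 'line vty 0 4'
        m = CRED.match(line)
        if not m:
            continue
        if m["type"] is None and m["kw"] == "secret":
            continue                    # a command as typed, not a stored hash
        # 'password' with no type digit is stored exactly as typed (type 0).
        ptype = int(m["type"]) if m["type"] else 0
        desc, verdict = TYPES.get(ptype, ("unknown type", "WARN"))
        ctx = m["ctx"]
        subject = ctx.split()[1] if ctx.startswith("username") else (ctx or section)
        findings.append((no, subject, ptype, verdict, desc))
    return findings

# Constructed running-config excerpt; all names and values are made up.
SAMPLE = """\
service password-encryption
enable secret 9 $9$EXAMPLEsalt$EXAMPLEhashEXAMPLEhash
username netops privilege 15 password 7 0A1B2C3D4E5F
username admin secret 9 $9$EXAMPLEsalt$EXAMPLEhashEXAMPLEhash
username lab password 0 example123
line vty 0 4
 password 7 0A1B2C3D4E5F
 transport input ssh
"""

if __name__ == "__main__":
    for no, subject, ptype, verdict, desc in audit(SAMPLE):
        print(f"{verdict:4} line {no}: {subject} uses type {ptype} ({desc})")
```
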
04-12-2022 06:06 AM
I should be able to do this to the enable password as well yes?
no

04-12-2022 06:09 AM
So the enable password for virtual terminal can only be encrypted to type 7?
I've been looking at how to disable telnet, from what I've read enabling SSH should automatically disable it but it's not. Could you advise what commands are required?

04-12-2022 05:43 AM
Since the type 7 password as used for virtual terminal is reversible and easily crackable, is it possible to use a higher encryption for this? I'm thinking about a telnet connection into a switch and whilst it's not good practice to use it anymore I also don't want to disable it. Is the virtual terminal password left as type 7 since the enable secret can be encrypted to level 12 and you need both anyway?
04-12-2022 06:13 AM
Not sure what IOS XE running here
try :

04-12-2022 06:21 AM
it's running 16.12
