Setting up SSH user with encrypted password

athomas1
Level 1

Hello, 

I've already got SSH access configured on my 9200L, and it gave me a prompt for an admin user straight after when trying to log in; however, I didn't know the password. I've since created a user with (config)#username XXX password XXX, however this appears in unencrypted format. I've tried different command options to encrypt the password, but these either give an ambiguous error or encrypt everything after the password prompt.

I've read another thread on here saying to use the secret command instead of the password command, but the SSH prompt doesn't allow me to log in with the secret and only gives me a password prompt.

 

I am fairly new to this level of programming, so I'm probably missing something very obvious or silly; some help on the matter would be greatly appreciated. I could leave the password in cleartext in the config, but I want to do it properly.


19 Replies

Did you try "service password-encryption"?

 

Which 9200 IOS version do you have?

It's IOS 16.12

 

How would you integrate the command, or is it a separate command you apply to the switch that automatically encrypts all level 0 passwords?

The command above should encrypt all passwords. Did it work?

Yes, this appears to have worked; I'm sure I tried this before but it didn't work, nonetheless I am happy it has now. The username password is encrypted to level 7. I think this command may have also encrypted another password that I think was in cleartext level 0 before.

Exactly what effect does applying this command have on any level 0 passwords? Does it simply encrypt any level 0 passwords found to level 7? I've read the level 7 encryption is quite easily crackable; is there any way to apply this command to level 9 instead?

This command is as it is; you can't execute it differently.

What you should do is create your password properly.

 

Device> enable
Device# configure terminal
Device(config)# enable password level 12 example123

or

Device(config)# enable secret 9 $9$sMLBsTFXLnnHTk$0L82

Device(config)# service password-encryption

Thanks for your explanation above. I have properly set up enable secret and password to protect access to privileged exec. What I am trying to set up is a user to log in to SSH with, as I tried the enable secret with the usernames admin and root and it didn't work.

0 is clear; you need to use anything above, like you said 7, to encrypt. Check below, this one may help better:

 

https://learningnetwork.cisco.com/s/article/cisco-routers-password-types

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I think I tried to access the above link before and it didn't work properly; I'm pleased to say this one did. So how would you execute the type 9 password with a username for the purposes of logging in to SSH?

I've just tried the command mentioned in the link you sent; I skimmed over the bit I needed, of course (doh).

R1(config)# username [user] algorithm-type scrypt secret [pw]

This is what I submitted, and it appears to have hashed the password with scrypt. I've done a show run and the password shows as secret 9 followed by the encrypted password.

 

I should be able to do this to the enable password as well yes?

I should be able to do this to the enable password as well yes?

No.

BB


So the enable password for virtual terminal can only be encrypted to type 7?

I've been looking at how to disable telnet; from what I've read, enabling SSH should automatically disable it, but it's not. Could you advise what commands are required?

Since the type 7 password as used for the virtual terminal is reversible and easily crackable, is it possible to use a higher encryption for this? I'm thinking about a telnet connection into a switch, and whilst it's not good practice to use it anymore, I also don't want to disable it. Is the virtual terminal password left as type 7 since the enable secret can be encrypted to level 12 and you need both anyway?
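The thread leaves two questions open: which vty settings make an SSH login check the `username ... secret` accounts rather than a line password, and which commands stop Telnet. The following is an added example, not code from the thread, from Cisco, or from any poster: a small offline auditor that reads a `show running-config` excerpt and reports every password or secret whose stored type is not a one-way hash (type 8 PBKDF2 or type 9 scrypt), flags vty lines that still accept Telnet, and flags vty lines whose bare `login` uses a line password instead of `login local`. The sample config embedded below is constructed; its hostname, usernames and `$9$...` strings are placeholders, not real hashes. `login local` and `transport input ssh` are standard IOS line commands that the thread does not mention.

```python
import re
from typing import Dict, List

# Cisco IOS password/secret type digits as they appear in 'show running-config'.
PASSWORD_TYPES = {
    "0": ("cleartext", "weak"),
    "4": ("SHA-256, deprecated type 4", "weak"),
    "5": ("MD5 crypt", "legacy"),
    "7": ("reversible obfuscation", "weak"),
    "8": ("PBKDF2-SHA256", "ok"),
    "9": ("scrypt", "ok"),
}

# A missing type digit means the value was entered in cleartext.
USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+\d+)?\s+(password|secret)\s+(?:(\d)\s+)?\S+")
ENABLE_RE = re.compile(r"^enable\s+(password|secret)(?:\s+level\s+\d+)?\s+(?:(\d)\s+)?\S+")
LINE_RE = re.compile(r"^line\s+(\S.*)$")
LINE_PASSWORD_RE = re.compile(r"^\s+password\s+(?:(\d)\s+)?\S+")
LOGIN_RE = re.compile(r"^\s+login(?:\s+(.*))?$")
TRANSPORT_RE = re.compile(r"^\s+transport\s+input\s+(.+)$")

# Constructed sample of a running-config excerpt (placeholder values, not real secrets).
SAMPLE_CONFIG = """\
hostname SW-EXAMPLE
!
enable password level 12 example123
enable secret 9 $9$CONSTRUCTED.PLACEHOLDER.HASH
!
username legacy password 7 0123456789ABCDEF
username olduser password 0 plaintext123
username netops secret 9 $9$CONSTRUCTED.PLACEHOLDER.HASH2
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 password 7 0123456789ABCDEF
 login
 transport input telnet ssh
"""


def _check_type(where: str, keyword: str, ptype: str, findings: List[Dict[str, str]]) -> None:
    """Record a finding unless the stored type is a modern one-way hash (8 or 9)."""
    ptype = ptype or "0"
    name, verdict = PASSWORD_TYPES.get(ptype, ("unknown", "weak"))
    if verdict != "ok":
        findings.append({
            "where": where,
            "type": ptype,
            "issue": f"{keyword} stored as type {ptype} ({name}); re-enter it as a secret with algorithm-type scrypt (type 9)",
        })


def _close_vty(name, login_mode, transport, findings: List[Dict[str, str]]) -> None:
    """Emit findings for a finished 'line vty ...' block."""
    if name is None or not name.startswith("vty"):
        return
    if login_mode == "":  # bare 'login': line password is used, local usernames are not consulted
        findings.append({"where": f"line {name}", "type": "-",
                         "issue": "bare 'login' uses the line password; use 'login local' (or AAA) so SSH checks local username secrets"})
    if transport and ({"telnet", "all"} & set(transport.split())):
        findings.append({"where": f"line {name}", "type": "-",
                         "issue": f"transport input '{transport}' still permits Telnet; restrict with 'transport input ssh'"})


def audit_config(config: str) -> List[Dict[str, str]]:
    """Return a list of findings for weak password storage and Telnet-capable vty lines."""
    findings: List[Dict[str, str]] = []
    block, login_mode, transport = None, None, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            # Any top-level command ends the open 'line' block.
            _close_vty(block, login_mode, transport, findings)
            block, login_mode, transport = None, None, None
            m = LINE_RE.match(line)
            if m:
                block = m.group(1)
                continue
            m = USER_RE.match(line)
            if m:
                _check_type(f"username {m.group(1)}", m.group(2), m.group(3), findings)
                continue
            m = ENABLE_RE.match(line)
            if m:
                _check_type("enable", m.group(1), m.group(2), findings)
            continue
        if block is None:
            continue
        # Indented lines belong to the current 'line' block.
        m = LINE_PASSWORD_RE.match(line)
        if m:
            _check_type(f"line {block}", "password", m.group(1), findings)
            continue
        m = LOGIN_RE.match(line)
        if m:
            login_mode = (m.group(1) or "").strip()
            continue
        m = TRANSPORT_RE.match(line)
        if m:
            transport = m.group(1).strip()
    _close_vty(block, login_mode, transport, findings)
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['where']:<18} type {f['type']:<2} {f['issue']}")
```

Run against the sample, the auditor reports the cleartext `enable password`, the two `username ... password` entries (types 7 and 0), and three problems on `line vty 5 15` (type 7 line password, bare `login`, and a transport that still allows Telnet), while `username netops` and `line vty 0 4` pass. It makes the thread's point concrete: `service password-encryption` only turns type 0 into reversible type 7, so the durable fix is `username ... algorithm-type scrypt secret ...` for the SSH login plus `login local` and `transport input ssh` on the vty lines, with `enable secret` covering privileged exec separately.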

It's running 16.12.