Setting up SSH user with encrypted password

athomas1
Level 1

Hello, 

I've already got SSH access configured on my 9200L and it gave me a prompt for an admin user straight after when trying to log in, however I didn't know the password. I've since created a user with (config)#username XXX password XXX, however this appears in unencrypted format. I've tried different command options to encrypt the password but these either give an ambiguous error or encrypt everything after the password prompt.

I've read another thread on here saying to use secret instead of the password command, but the SSH prompt doesn't allow me to log in with the secret and only gives me a password prompt.

 

I am fairly new to this level of programming so I'm probably missing something very obvious or silly, so some help on the matter would be greatly appreciated. I could leave the password in cleartext on the config, but I want to do it properly.


There are several parts of this that deserve some comments:

- when you enable service password encryption it does not change any existing passwords. But will encrypt (certain) passwords as they are configured.

- there are several references to vty passwords, bear in mind that there are multiple options for passwords used for vty and how they are encrypted.

= the simplest is the vty line password. This is configured on the vty lines and is used to authenticate remote access sessions. It stops being used if you configure login local on the vty or if you configure aaa new-model.

= if you configure login local or configure aaa authentication with an option to use local passwords then the device will authenticate attempts for remote access using locally configured user names and passwords. Note that different users might have different types of encryption for their passwords.

= you can configure aaa authentication to use an authentication server to authenticate attempts for remote access. The type of encryption for these users will depend on the authentication server.

- when you activate SSH it does not automatically disable telnet access. If you want to use only SSH (no telnet) then on the vty lines configure transport input ssh and this will use SSH and not allow telnet.

- there are 2 levels of passwords that might be used for remote access. Typically there is a user level password which would grant access to user mode and an enable level password to grant access to privileged mode. Note that there are configuration options in which a user might authenticate once (with the user level password) and then be put directly into privileged mode (without requiring a separate password)

HTH

Rick

Thanks Richard, that is very useful. I have some questions back if you don't mind.

Is it considered good practice when SSH access is configured to have telnet disabled, or to leave it enabled as an alternative access route even though the traffic would be unencrypted between user and switch? I currently have SSH local user access (I think this is an accurate description) configured and transport ssh configured separately; both telnet and SSH access work. I've configured username and secret instead of password to allow me to use the highest level of encryption available in 16.12 IOS instead of the type 7 password, which is basically useless given the ease of reverse decryption online. Or is this required by the IOS to be able to decrypt the password?

 

What is the best practice for accessing the switch via SSH and how would you suggest configuring this? There is a smallish team here and we don't have need for multiple local users, but SSH is a must.

In my experience it varies from organization to organization whether to disable telnet and enable only SSH. Some like having an alternative that would work if some problem developed with SSH. Others are concerned about the lack of encryption in telnet and have heightened security requirements and disable telnet access. Where is your organization on this continuum?

I am wondering about this statement "transport ssh configured separately, Both telnet and SSH access work." Am I correct in understanding that you have configured transport input ssh (for some of the vty) and that telnet still works? For historical reasons Cisco divides vty lines into 2 groups (0 through 4 and others). If you configure transport input ssh on vty 0 4 but not on the other vty lines then telnet would still work. If you want telnet disabled then you need to do that on all the vty lines.

You say " I've configured username and secret instead of password to allow me to use highest level of encryption available in 16.12 IOS" But in a previous response you say that you have created a user with type 9 encrypted password. So user name secret is not the highest level of encryption available.

You ask "What is the best practice for accessing the switch via SSH". To answer this we would need a better understanding of the level of concern in your organization about security on the network. Multiple user accounts configured on the device is ok if security concerns are not so high. If security concerns are high then you should enable aaa for authentication (and perhaps authorization) and use an authentication server (Tacacs or Radius), and have a single local user name and password (to be used if there are problems).


HTH

Rick
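Rick's two replies above cover the pieces a config audit has to check: local user passwords with different encryption types (type 0 is cleartext and type 7 is trivially reversible, which is why athomas1 moved to secret 9), and the two vty groups (0 4 and 5 15) that each need their own transport input ssh before telnet is actually closed. The script below is an added example, not code from this thread or from Cisco. It parses a running-config, flags those problems, and shows that a hardened version of the same config passes clean. The type 7 decoder uses the fixed, publicly known XOR key of that scheme; the two running-config samples are constructed for the example (the $9$ hash is a placeholder, not a real scrypt hash), and treating a vty line with no transport input line as accepting telnet is an assumption matching what the thread reports.

```python
"""Audit an IOS-style running-config for the problems discussed in the thread:
cleartext (type 0) and reversible (type 7) passwords, and vty ranges that
still accept telnet because 'transport input ssh' was only set on one group.
"""
import re

# Fixed key of the IOS type 7 obfuscation scheme (public and well known).
_TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample (not a real device); "$9$..." is a placeholder hash.
SAMPLE_CONFIG = """\
!
hostname SW-LAB
!
username admin password 0 SuperSecret1
username netops password 7 0822455D0A16
username secops secret 9 $9$EXAMPLEHASHNOTREAL
!
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 password 7 0822455D0A16
 login
 transport input all
!
end
"""

# The same device with the fixes applied: one type 9 user, both vty groups
# using local login and SSH only.
HARDENED_CONFIG = """\
!
hostname SW-LAB
!
username secops secret 9 $9$EXAMPLEHASHNOTREAL
!
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!
end
"""

_USER_RE = re.compile(
    r"^username\s+(\S+)\s+(password|secret)\s+(?:(\d+)\s+)?(\S+)", re.M)


def decrypt_type7(encoded: str) -> str:
    """Reverse a type 7 string: two-digit seed, then hex bytes XOR'd with the key."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(_TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]))
                   for i, b in enumerate(body))


def parse_users(config: str) -> list:
    """Return local users; a missing type digit means the value is cleartext."""
    return [{"name": m.group(1), "keyword": m.group(2),
             "type": m.group(3) or "0", "value": m.group(4)}
            for m in _USER_RE.finditer(config)]


def parse_vty(config: str) -> list:
    """Return one record per 'line vty A B' block with its indented settings."""
    blocks, current = [], None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+) (\d+)$", raw.rstrip())
        if m:
            # Assumption: no 'transport input' shown means telnet is accepted.
            current = {"first": int(m.group(1)), "last": int(m.group(2)),
                       "transport": "all", "login": None, "password": None}
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            body = raw.strip()
            if body.startswith("transport input "):
                current["transport"] = body[len("transport input "):]
            elif body.startswith("login"):
                current["login"] = body
            elif body.startswith("password"):
                current["password"] = body
        else:
            current = None  # any other top-level line ends the block
    return blocks


def audit(config: str) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    aaa = re.search(r"^aaa new-model", config, re.M) is not None
    for u in parse_users(config):
        if u["type"] == "0":
            findings.append(f"user {u['name']}: cleartext (type 0) {u['keyword']}")
        elif u["type"] == "7":
            findings.append(f"user {u['name']}: type 7 is reversible, "
                            f"decodes to {decrypt_type7(u['value'])!r}")
        elif u["type"] == "5":
            findings.append(f"user {u['name']}: type 5 (MD5) secret, "
                            "re-enter as 'secret' to get type 9")
    for v in parse_vty(config):
        rng = f"vty {v['first']} {v['last']}"
        if v["transport"] != "none" and \
                {"all", "telnet"} & set(v["transport"].split()):
            findings.append(f"{rng}: transport input {v['transport']} "
                            "still accepts telnet")
        if not aaa and v["login"] != "login local" and v["transport"] != "none":
            findings.append(f"{rng}: line password authenticates this range, "
                            f"not local users ({v['password'] or 'none set'})")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run against the sample, the audit reports the cleartext admin user, decodes the type 7 netops password, and flags only vty 5 15 (the group Rick points out is commonly forgotten) for both telnet and a line password; the hardened config yields no findings. On a real device, feed it the output of show running-config and treat the transport default as something to verify per platform rather than assume.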

So currently we use telnet, which I know is not good practice because of the lack of transport encryption. I am using SSH going forward but wasn't sure if there was a set good practice as to whether telnet is left as an alternative or disabled for security. If it is more dependent on the organization's requirements I will make a decision internally on this.

 

I had noticed there were two groups for vty lines, which I was a bit confused about, but yes, you are correct with your understanding: transport ssh is set on one group but not the other. Would I just set transport ssh on both groups, or is there a way to disable/remove the one group? I can get to all my switch stacks easily enough to use serial as a backup connection, so I have no particular need to leave telnet enabled even as a backup line.

 

What are the highest levels of encryption readily available for secret or password? I was under the impression from https://learningnetwork.cisco.com/s/article/cisco-routers-password-types that type 9 was the highest level.

 

Where different users and passwords are concerned and the choice of use, security is a big concern for us as it would be for any organization, but we're not the Bank of England either... So a healthy level of security where we might have a single user for SSH access and also the privileged access. How would you suggest implementing this?

From a security perspective certainly SSH is better than telnet. Whether telnet is tolerated and used as a secondary choice for access or is treated as a potential threat and disabled depends on the security environment of the organization. I do not know about your organization but I am guessing that you may want to disable telnet and use only SSH.

In the early days of IOS the vty ports were 0 to 4. Then Cisco added support for additional vty. I assume that it was to provide compatibility with older versions but 0 4 has always been separate from 5 15 (or whatever number of vty that you might have). I do not believe that there is any way to eliminate either group. If you wanted to disable one group (or disable some ports in a group) you could configure those vty with transport input none.

If you or your organization are concerned about security of passwords etc then my suggestion would be to transition away from locally configured user and password and implement an authentication server (Tacacs or Radius). Leave one user and password in the configuration to be used for access if there are problems with the authentication server. 

HTH

Rick