enable secret 0 cisco

When would I want to use "enable secret 0 cisco"

vs

"enable secret cisco" command?

Odom text P. 244-245

I've tried it both ways and found that the "show run" results seem to be the same. Plus per Odom's text both passwords are stored in the config file as MD5 values.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

chmorin

HardDisk wrote: »

When would I want to use "enable secret 0 cisco"

vs

"enable secret cisco" command?

Odom text P. 244-245

I've tried it both ways and found that the "show run" results seem to be the same. Plus per Odom's text both passwords are stored in the config file as MD5 values.

Router(config)#enable secret ?
  0      Specifies an UNENCRYPTED password will follow
  5      Specifies an ENCRYPTED secret will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' secret
  level  Set exec level password

The short answer:

Yes, whatever you input it is encrypted in the config. Not sure why.
There is no reason I can think of why anyone would prefer a clear text password.

fly351

I am really not sure why both are an option (LINE and 0). Maybe using 0 was the only supported option on an older IOS?

HardDisk

I think the answer to my "enable secret 0 password" question is beyond the scope of the CCNA exam.
However if anyone else is still interested I have posted below some additional information that will help to point the way towards the final answer.

Using Local Credential to do AAA (Authentication, Authorization and Accounting)

·[FONT=&quot] challenge authentication: in this authentication method, the password is never transmitted between the server and the client, but it needs that both client and server know the clear text password. Client and server will agree on a random function to apply to the clear text password (the challenge), apply the function, then apply a non-reversible (MD5 for example) cryptographic function to the result.This is the resulting string that will be transmitted on the network. It is safe from spying becuase of the cryptographic function, it is safe from replay attacks because of the random function.
But: the server needs to know the clear text password.

[/FONT]

DevilWAH

the 0 is the default,

so "enable secret cisco" is identica to "enable secret 0 cisco"

its simply going to be to do with the code behind it,

for it to know the difference between encrypted and unencrypted entries there has to be a field for this value.

CISCO have chosen that a value of 5 in this field designates an encrypted password.

so leaving it empty (ie 0 ) designates a plaintext password will follow.

is a bit like
"crypto key generate <cr>"
and
"crypto key generate rsa <cr>"

both do identical things.

CISCO generaly seem to leave in the full syntax of a default command, when they create a default entry.

this is why you can see both 0 and 5

alan2308

So I've been playing around with this a bit, "enable secret cisco" and "enable secret 0 cisco" both operate the same, the way that I expected. But when I type "enable secret 5 cisco" I get:

ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.

And when I type "enable secret 5 $1$22z1$DSmD9tY8tcuyi/tjo.GQC/ (which is the hash of cisco) it works.

So "enable secret 5" is expecting you to enter the hash? When would it make sense to enter a hash?

fly351

alan2308 wrote: »

And when I type "enable secret 5 $1$22z1$DSmD9tY8tcuyi/tjo.GQC/ (which is the hash of cisco) it works.

So "enable secret 5" is expecting you to enter the hash? When would it make sense to enter a hash?

Yep, if you already have the md5 hash, then you can copy/paste it in there using the "5" parameter. I can't think of a reason why you would want to use the hash instead of just entering it in plain-text and letting the md5 algorithm hash it out. Unless.. you are 100% positive you know your passwords, and you don't want to save your passwords in plain text in the config files.

DevilWAH

how about pasting a saved config in to a switch. you dont want to save you password in plain text in you backed up configs. or you want to set the same pass word on mutiply switches over the net work. you can set a batch job to up date all your devices, secure in the knowlge that even if some one sees what you are doing, captures the traffic or steals your backed up configs the can,t access you switches. i always set up new devices by pasting a default config, and although the default config is store in a secure file. its still nice to know that even if some one did get them they still dont have our password.

DevilWAH

oh our local secret password is a last resort authentacation method. so the plain text is very long and complex (i cant rember it i have to open a safe to get to it) but like i say setting it up is easy when you can leave the hashed version in plain view. in big networks the ability to enter the hashed version is a god send from a security point of view.

alan2308

DevilWAH wrote: »

how about pasting a saved config in to a switch.

Wow, I feel a bit dumb now for asking when the answer is so obvious, and something I've done a hundred times.

m_rayansaz

Hi guys,
Regarding this question, let me discuss it from a programming view.
IOS has a command interpreter and whatever command is receiving despite of coming from console or a configuration file, it has to interpret and decide what to do.
By the way although cisco wants to make entering command in an easy way (by entering in clear text), in another side for security purpose of this command, it registers the commands in running configuration file as hashed equivalent of the password.
Now if next time cisco interpreter reach to the same command in running configuration due to existing an additional parameter, interpreter will understand whether the expression is password or its hashed one.
To do test you think that you edit startup config file and there instead of "secret 5 hashed pass" you modify and put "secret 0 original pass"
and see how it will be ok having plain secret password in config file!

Try and let me know

theodoxa

I believe if you use "enable secret 5" that you need to supply an MD5 Hash of the desired password. If you use "enable secret" or "enable secret 0" you would supply the plain text password and IOS would hash it [and store the hashed value in the configuration] for you.

theodoxa

alan2308 wrote: »

So I've been playing around with this a bit, "enable secret cisco" and "enable secret 0 cisco" both operate the same, the way that I expected. But when I type "enable secret 5 cisco" I get:

ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.

And when I type "enable secret 5 $1$22z1$DSmD9tY8tcuyi/tjo.GQC/ (which is the hash of cisco) it works.

So "enable secret 5" is expecting you to enter the hash? When would it make sense to enter a hash?

If you wanted to type some commands into a text file so that you could run those same commands on a number of router, but you did not want to have passwords stored in plain text on a computer somewhere. For example:

user admin secret 5 $1$22z1$DSmD9tY8tcuyi/tjo.GQC/
enable secret 5 $1$22z1$DSmD9tY8tcuyi/tjo.GQC/
line console 0
logging synchronous
exec-timeout 0 0
line aux 0
logging synchronous
exec-timeout 15 0
login local
line vty 0 15
logging synchronous
exec-timeout 10 0
login local
transport input ssh
exit
crypto key generate rsa modulus 1024
ip ssh version 2

Could be pasted into multiple routers to configure them to have the same user account, enable password, and enable ONLY SSH on the VTY Lines, as well as set the exec-timeout and prevent log messages from breaking apart what you are typing.