question about "enable" password

I don't have an enable password set, but I have a line con 0, line vty 0 15 and a user name and password set for ssh/telnet (with no privilege set). My understanding is that if there is no enable password (or secret) set, that going into enable mode won't ask you for a password. But it is asking me for a password (the one set on line con0/vty0 15 works). Can someone explain this to me?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Greenmet29

It only asks when I telnet or ssh.. not when I connect through the console.

rogue2shadow

You are probably missing the following:

Router(config)# line vty 0 15
Router(config-line)# transport input ssh
Router(config-line)# login local

Greenmet29

this is my entire config... I have the stuff that you said i might be missing... but still it asks for an enable password. It only asks when i'm on the vty lines though. Not on the console.

Building configuration...

Current configuration : 2811 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname hosthost
!
!
username user password 7 123456789012
ip subnet-zero
!
no ip domain-lookup
ip domain-name example.com
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0000.0c12.3456
!
...
...
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.3.100 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.3.1
ip http server
!
line con 0
password 7 123456789012
logging synchronous
login
line vty 0 4
password 7 123456789012
logging synchronous
login local
transport input telnet ssh
line vty 5 15
password 7 123456789012
logging synchronous
login local
transport input telnet ssh
!
!
end

mikej412

In the simple case where you telnet into a router via a VTY (with just the login and password configured for the VTY), you can only enter enable mode if an enable password is set. That is the expected behavior.

mikej412

If you have local login set and a user with privilege level 15 set, you will enter enable mode -- but if you use the disable command you won't be able to access enable mode unless you log back in..... or so I kind of remember.

Greenmet29

huh.... I am able to log into enable mode via the VTY line, and I don't have an enable mode password set. This, btw, is on a 2950 switch running IOS 12.1.

I think the next step is to try it on my other switch, also a 2950 running 12.1, and then on my routers to see if they behave differently.

peanutnoggin

Greenmet29 wrote: »

huh.... I am able to log into enable mode via the VTY line, and I don't have an enable mode password set. This, btw, is on a 2950 switch running IOS 12.1.

I think the next step is to try it on my other switch, also a 2950 running 12.1, and then on my routers to see if they behave differently.

From the looks of your configs... you aren't able to login with the enable password. It's not listed in your configs. You have a local username and password. On your "line vty 0 15" you have login local. That means you are logging in with a local username and password. If you invoke the "enable" command, you should probably receive a message: "password required, but not set" or something to that effect when using a VTY line (although I've never tested it when using a local username/password)... When you console in... you should be able to go directly into enable mode when you type "enable" because you have no password. HTH.

-Peanut

Greenmet29

You're right... i have no enable password set. BUT, when i type enable at the switch> prompt from a vty line (telnet or ssh), after logging in with the username and password, it asks me for another password. It the only password that I have set that it accepts is the line con 0 password.

Greenmet29

My understanding is that if you don't have an enable password set, that it shouldn't ask you for a password when you go into enable mode. I guess i'm wrong...

Greenmet29

I just tried it on my 2501 router, but I have no password on the line or vty. I telnet-ed into my router, and when I type enable it says "% No password set", which makes me believe that even with no enable password set that it requires a password (line con 0 password) when going into enable mode from a vty line.

Same thing on the switch... I can log into a console line without an enable password and get into enable mode, but if I log into a vty line, it says no password set. Interesting....

Greenmet29

Even with a vty password set, it still wants the line password.

chmorin

I think we are over complicating this...

Greenmet29 wrote: »

I don't have an enable password set, but I have a line con 0, line vty 0 15 and a user name and password set for ssh/telnet (with no privilege set). My understanding is that if there is no enable password (or secret) set, that going into enable mode won't ask you for a password. But it is asking me for a password (the one set on line con0/vty0 15 works). Can someone explain this to me?

Okay, authentication 101:

We have an empty router. We want to be able to telnet to it. Simple enough:

Router>
Router>ena
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int l0
Router(config-if)#ip add 192.1
*Mar  1 00:01:37.823: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up68.1.1
% Incomplete command.

Router(config-if)#ip add 192.168.1.1 255.255.255.0
Router(config-if)#exit
Router(config)#line vty 0 4
Router(config-line)#login
% Login disabled on line 162, until 'password' is set
% Login disabled on line 163, until 'password' is set
% Login disabled on line 164, until 'password' is set
% Login disabled on line 165, until 'password' is set
% Login disabled on line 166, until 'password' is set
Router(config-line)#password cisco
Router(config-line)#login
Router(config-line)#exit
Router(config)#exit
Router#tel
*Mar  1 00:02:05.799: %SYS-5-CONFIG_I: Configured from console by consolenet 192.168.1.1
Trying 192.168.1.1 ... Open


User Access Verification

Password:
Router>exit

[Connection to 192.168.1.1 closed by foreign host]
Router#telnet 192.168.1.1
Trying 192.168.1.1 ... Open


User Access Verification

Password:
Router>ena
% No password set
Router>ena
% No password set
Router>exit

[Connection to 192.168.1.1 closed by foreign host]
Router#
Router#

Hm, I can't get to enable mode. Lets set a password:

Router#
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#service pass
Router(config)#service password-encryption
Router(config)#enable secret cisco
Router(config)#exit
Router#tel
*Mar  1 00:03:09.635: %SYS-5-CONFIG_I: Configured from console by consolenet 192.168.1.1
Trying 192.168.1.1 ... Open


User Access Verification

Password:
Router>ena
Password:
Router#exit

[Connection to 192.168.1.1 closed by foreign host]
Router#
Router#

Okay, now I can get to enable mode. But I want a username and password... well lets configure local login credentials:

Router#
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#username admin secret cisco
Router(config)#line vty 0 4
Router(config-line)#login local
Router(config-line)#exi
Router(config)#exit
Router#telnet 19
*Mar  1 00:04:36.263: %SYS-5-CONFIG_I: Configured from console by console2.168.1.1
Trying 192.168.1.1 ... Open


User Access Verification

Username: admin
Password:
Router>ena
Password:
Router#exit

[Connection to 192.168.1.1 closed by foreign host]
Router#

But I don't want to have to enter an enable password, I just want to go straight there! Then we add privileges to our admin account:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#username admin privilege 15
Router(config)#exit
*Mar  1 00:06:00.123: %SYS-5-CONFIG_I: Configured from console by conso
Router#telnet 192.168.1.1
Trying 192.168.1.1 ... Open


User Access Verification

Username: admin
Password:
Router#
Router#
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#exit
Router#exit

[Connection to 192.168.1.1 closed by foreign host]
Router#
*Mar  1 00:06:17.351: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.1)

Yay, now I'm automatically in enable mode. Hopefully that answers everything you need.

stuh84

To clarify further, if you are logged in via console, you can enable without a password. When you are in via a VTY line, you can't, a password has to be set.

Greenmet29

Notice that there is no "enable password" or "enable Secret" in this...

Building configuration...

Current configuration : 1334 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
username user password 0 cisco
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
...
...
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.3.100 255.255.255.0
no ip route-cache
!
ip http server
!
line con 0
password cisco1
login local
line vty 0 4
password cisco2
login local
line vty 5 15
password cisco2
login local
!
!
end

Switch#

Telnet to 192.168.3.100...

User Access Verification

Username: user
Password: [cisco]
Switch>en
Password:[cisco]
Password:[cisco2]
Password:[cisco1]
Switch#

So in essence, the line password works as the enable password when using telnet/ssh. BUT when connecting via the console, enable mode doesn't require a password after getting into user mode.

Switch con0 is now available

Press RETURN to get started.

User Access Verification

Username: user
Password:
Switch>en
Switch#

chmorin

Greenmet29 wrote: »

Notice that there is no "enable password" or "enable Secret" in this...

Telnet to 192.168.3.100...

So in essence, the line password works as the enable password when using telnet/ssh. BUT when connecting via the console, enable mode doesn't require a password after getting into user mode.

I have not tested this in a switch, but I am not able to reproduce the configurations you provided in a router. Let me boot up my 2950 and see if I can get what you have...

chmorin

I just ran it in my lab 2950 with the following IOS:

IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA13, RELEASE SOFTWARE (fc2)

With the following config:

Current configuration : 1239 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
username admin password 0 cisco
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
 --More--
00:06:16: %SYS-5-CONFIG_I: Configured from console !        e
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip route-cache
!
ip http server
!
line con 0
line vty 0 4
 password cisco
 login local
line vty 5 15
 password cisco
 login local
!
!
end

Gave the following telnet session:

User Access Verification

Username: admin
Password:
Switch>ena
% No password set
Switch>

Greenmet29

use that same thing but set a console password and try using the console password to get into enable mode