
OSPF authentication phrase not encrypted.

CodeBlox Member Posts: 1,363
I'm trying to get the passwords used in the OSPF authentication to be encrypted with "service password-encryption". I used the command in this three-router topology and yet the phrases still show up as clear text. Any idea why?

I'll post one of the running-configs:
Router1#show run
Building configuration...

Current configuration : 992 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname Router1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback1
 ip address 216.216.216.1 255.255.255.252
!
interface FastEthernet0/0
 ip address 192.168.2.33 255.255.255.224
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 202.202.202.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 8 md5 ocisc
!
interface Serial0/0/1
 ip address 200.200.200.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 8 md5 ocisc
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 5
 log-adjacency-changes
 network 200.200.200.0 0.0.0.3 area 0
 network 202.202.202.0 0.0.0.3 area 0
 network 192.168.2.32 0.0.0.31 area 0
!
ip classless
!
!
!
!
!
!
!
line con 0
 logging synchronous
line vty 0 4
 login
!
!
!
end



On the serial interfaces the line "ip ospf message-digest-key 8 md5 ocisc" should not show "ocisc" in clear-text, or at least I don't want it to.
Currently reading: Network Warrior, Unix Network Programming by Richard Stevens

Comments

  • mattlee09 Member Posts: 205
    Maybe try a different key id and/or then report back with the "debug ip ospf adj" output as you watch them authenticate?


    Also, "debug ip ospf packet", where
     Router# debug ip ospf packet
     OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.116
          aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x0

    aut: * is 0 - no authentication, 1 - simple password, or 2 - MD5

    :shrug:
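The debug line above only ever shows the Key ID, the sequence number and the authentication type, never the key itself, because RFC 2328 Appendix D MD5 authentication puts a digest of the packet on the wire, not the key. The following is an added example (not code from the thread or from Cisco) that builds an OSPFv2 Hello with that trailer and verifies it, mirroring the fields in the debug output. Assumptions: the header layout and digest construction are taken from RFC 2328 Appendix D (checksum zero under cryptographic auth, key zero-padded to 16 bytes, digest appended after the Length-counted bytes); the router ID 200.0.0.116 and key ID 1 come from the debug line, the key "ocisc" from the original poster's config, and the Hello body contents are constructed.

```python
import hashlib
import hmac
import socket
import struct

AUTH_CRYPTOGRAPHIC = 2   # OSPF AuType for MD5 (RFC 2328 Appendix D); "aut:2" in the debug output
HEADER_LEN = 24
DIGEST_LEN = 16


def build_ospf_md5(body: bytes, router_id: str, area_id: str, key_id: int,
                   key: bytes, seq: int, ptype: int = 1) -> bytes:
    """Return an OSPFv2 packet carrying the RFC 2328 Appendix D MD5 trailer."""
    if len(key) > 16:
        raise ValueError("an OSPFv2 MD5 key is at most 16 bytes")
    length = HEADER_LEN + len(body)              # the digest is not counted in Length
    header = struct.pack("!BBH4s4sHH", 2, ptype, length,
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0,                       # Checksum is 0 under cryptographic auth
                         AUTH_CRYPTOGRAPHIC)
    # Authentication field: 2 reserved bytes, Key ID, Auth Data Length, cryptographic sequence number
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + auth + body
    # The key never goes on the wire: only MD5(packet || key zero-padded to 16 bytes) does.
    digest = hashlib.md5(packet + key.ljust(16, b"\x00")).digest()
    return packet + digest


def verify_ospf_md5(packet: bytes, keys: dict) -> bool:
    """Check the trailer against the configured keys (key_id -> key bytes)."""
    if len(packet) < HEADER_LEN + DIGEST_LEN:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    autype = struct.unpack("!H", packet[14:16])[0]
    key_id, auth_len = packet[18], packet[19]
    if autype != AUTH_CRYPTOGRAPHIC or auth_len != DIGEST_LEN or len(packet) != length + DIGEST_LEN:
        return False
    key = keys.get(key_id)
    if key is None:                              # unknown Key ID: no adjacency forms
        return False
    expected = hashlib.md5(packet[:length] + key.ljust(16, b"\x00")).digest()
    return hmac.compare_digest(expected, packet[length:])


def describe(packet: bytes) -> str:
    """Render the header the way `debug ip ospf packet` prints it."""
    ver, ptype, length, rid, aid, chk, autype = struct.unpack("!BBH4s4sHH", packet[:16])
    key_id, seq = packet[18], struct.unpack("!I", packet[20:24])[0]
    return (f"OSPF: rcv. v:{ver} t:{ptype} l:{length} rid:{socket.inet_ntoa(rid)} "
            f"aid:{socket.inet_ntoa(aid)} chk:{chk} aut:{autype} keyid:{key_id} seq:{seq:#x}")


def sample_hello() -> bytes:
    """Constructed Hello body: mask, hello interval, options, priority, dead interval, DR, BDR, one neighbor."""
    return struct.pack("!4sHBBI4s4s4s", socket.inet_aton("255.255.255.252"), 10, 0x02, 1, 40,
                       socket.inet_aton("0.0.0.0"), socket.inet_aton("0.0.0.0"),
                       socket.inet_aton("200.0.0.115"))


if __name__ == "__main__":
    pkt = build_ospf_md5(sample_hello(), "200.0.0.116", "0.0.0.0", key_id=1, key=b"ocisc", seq=0)
    print(describe(pkt))                               # same shape as the debug line above
    print("right key:", verify_ospf_md5(pkt, {1: b"ocisc"}))
    print("wrong key:", verify_ospf_md5(pkt, {1: b"cisco"}))
```

Two things worth noticing when reading a capture next to this debug output: a mismatched key or Key ID fails silently on the receiving side (the packet is dropped and no adjacency forms), and the construction is a plain keyed MD5 over packet plus key, not an HMAC; RFC 5709 later added HMAC-SHA variants for OSPFv2, which is what a hardened deployment should prefer.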
  • CodeBlox Member Posts: 1,363
    debug ip ospf packet is not implemented in Packet Tracer. Wish I was in the lab at school. Although, it wasn't encrypted on the 2911s either when I did try it at school.
  • tomaifauchai Member Posts: 301
    show run

     ip ospf message-digest-key 1 md5 7 cisco
     ip ospf message-digest-key 2 md5 7 blablabla
     ip ospf message-digest-key 3 md5 7 01110A055907070D2D4D
     ip ospf message-digest-key 4 md5 7 tomaifauchai
     ip ospf message-digest-key 10 md5 7 04580703091E49400A0B1C07060E1E
    
    R1(config-if)#ip ospf message-digest-key 1 md5 7 cisco
    R1(config-if)#ip ospf message-digest-key 2 md5 7 blablabla
    R1(config-if)#ip ospf message-digest-key 3 md5 blablabla
    R1(config-if)#ip ospf message-digest-key 4 md5 7 tomaifauchai
    R1(config-if)#ip ospf message-digest-key 10 md5 clef_encrypter
    
    The good way to do it is
    • ip ospf message-digest-key KEYn md5 KEY

    Else, it won't be encrypted in the show run.
    I used IOS 12.4T on a 3725 router in GNS3.
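The show run above illustrates the distinction the post is making: when the key is entered as "md5 KEY", service password-encryption rewrites it as "md5 7 <hex>", but when the operator types "md5 7 cisco" the literal is stored as-is and is not a type 7 string at all. The following is an added example (not code from the thread or from Cisco) that implements the type 7 transform and audits the key lines quoted in this thread. Assumptions: the XOR key constant is the one IOS uses for type 7 (a published constant, not a secret); the seed range 00..15 and the function and variable names are mine; the sample config is constructed from the lines posted above.

```python
import re

# The fixed XOR key IOS uses for type 7 strings. It is a published constant,
# which is why type 7 protects against shoulder surfing and nothing more.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def is_type7(s: str) -> bool:
    """Shape check only: a two-digit seed (00..15) followed by an even run of hex digits.

    A real password that happens to look like this (e.g. "0511") would pass too.
    """
    if len(s) < 4 or len(s) % 2 or not s[:2].isdigit() or int(s[:2]) > 15:
        return False
    try:
        bytes.fromhex(s[2:])
    except ValueError:
        return False
    return True


def type7_encode(plaintext: str, seed: int = 1) -> str:
    """Produce what IOS writes after `md5 7` once service password-encryption runs."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = [f"{seed:02d}"]
    for i, b in enumerate(plaintext.encode()):
        out.append(f"{b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string; anyone holding the config can do this."""
    if not is_type7(encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body)).decode()


# Matches both the "md5 KEY" and the "md5 7 VALUE" forms of the interface command.
KEY_LINE = re.compile(r"^\s*ip ospf message-digest-key (\d+) md5 (?:(7) )?(\S+)\s*$")


def audit_ospf_keys(config: str) -> list:
    """Classify every message-digest-key line in a show run dump.

    Returns (key_id, kind, value) tuples with kind:
      'clear'  -> key stored in clear text (no 7 marker)
      'type7'  -> valid type 7 string; value is the decoded key
      'bogus7' -> a 7 marker followed by something that is not type 7, i.e. the
                  operator typed "md5 7 <plaintext>" and IOS stored it literally
    """
    findings = []
    for line in config.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        key_id, marker, value = int(m.group(1)), m.group(2), m.group(3)
        if marker is None:
            findings.append((key_id, "clear", value))
        elif is_type7(value):
            findings.append((key_id, "type7", type7_decode(value)))
        else:
            findings.append((key_id, "bogus7", value))
    return findings


# Constructed sample: key lines taken from the two configs quoted in this thread.
SAMPLE_CONFIG = """\
interface Serial0/0/1
 ip address 200.200.200.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 8 md5 ocisc
 ip ospf message-digest-key 1 md5 7 cisco
 ip ospf message-digest-key 3 md5 7 01110A055907070D2D4D
 ip ospf message-digest-key 10 md5 7 04580703091E49400A0B1C07060E1E
"""

if __name__ == "__main__":
    for key_id, kind, value in audit_ospf_keys(SAMPLE_CONFIG):
        print(f"key {key_id}: {kind} -> {value}")
    print("ocisc as IOS would store it:", type7_encode("ocisc", seed=8))
```

Running the audit on the sample turns the two genuine type 7 strings back into "blablabla" and "clef_encrypter" in a fraction of a second, which is the practical caveat: service password-encryption stops a key being read off a screen or a printed config, but a config backup, a TFTP capture or a pasted show run leaks the OSPF key just the same, so treat type 7 strings as clear text in any threat model that includes access to the configuration file.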
  • CodeBlox Member Posts: 1,363
    That is the way I did it:
    interface Serial0/0/1
     ip address 200.200.200.2 255.255.255.252
     ip ospf authentication message-digest
     ip ospf message-digest-key 8 md5 ocisc
    
    and it shows up as clear-text in the running-config.
  • tomaifauchai Member Posts: 301
    CodeBlox wrote: »
    That is the way I did it:
    interface Serial0/0/1
     ip address 200.200.200.2 255.255.255.252
     ip ospf authentication message-digest
     ip ospf message-digest-key 8 md5 ocisc
    
    and it shows up as clear-text in the running-config.

    Platform? IOS?
    BTW, Packet Tracer doesn't support service encryption for OSPF, I just tested it :)
  • CodeBlox Member Posts: 1,363
    EDIT: Okay thanks ;) Think I'll finish getting a basic lab because of this!!! At the moment I just have 2 switches (2950s).

    EDIT(2): In fact, it does have IOS Version 12.4(15)


    Packet Tracer is what I was using.
  • alan2308 Member Posts: 1,854
    Actually, Packet Tracer is just a simulator, it doesn't have any version of IOS. But for the sake of completeness, they have to say something when you type show version.
  • CodeBlox Member Posts: 1,363
    I thought it was more important to just answer his question. My edit said "in fact, it does have IOS Version 12.4(15)"... EDIT because what I said previously was incorrect. I know it's just a simulator.
  • ehnde Member Posts: 1,103
    service password-encryption encrypts your passwords in the configuration file to prevent shoulder surfing.

    I may be misunderstanding your problem...but are you concerned with OSPF sending passwords in plain text? This may clear up your questions: Sample Configuration for Authentication in OSPF [IP Routing] - Cisco Systems

    HTH
    Climb a mountain, tell no one.
  • CodeBlox Member Posts: 1,363
    ehnde wrote: »
    service password-encryption encrypts your passwords in the configuration file to prevent shoulder surfing.

    I may be misunderstanding your problem...but are you concerned with OSPF sending passwords in plain text? This may clear up your questions: Sample Configuration for Authentication in OSPF [IP Routing] - Cisco Systems

    HTH
    Err, no. The question was related to the "shoulder surfing" and how the password shows up in the running config in plain-text.
  • ehnde Member Posts: 1,103
    Ahh...I didn't read far enough down. I now see the problem was a limitation in packet tracer. Doh!