
Secure local username/password on switch?

Futura Member Posts: 191
Is there a way to make a secure local username and password on a switch or router?

The enable secret is secure, I know, but is there a way to make a local user as secure as the enable secret command?

I mean one that cannot be decrypted like enable password can.

I want to use login local for the console and vty lines but want the enable secret and the local user password to be the same. But the problem is that if the local password is decrypted then the enable secret will be known also.

Thank you :)

Comments

  • mikeybikes Member Posts: 86
    Use the command:
    service password-encryption
  • mapletune Member Posts: 316
    I think I know what you mean. That Cisco's proprietary service password-encryption is weak, and if you copy and paste the encrypted password into a "crack cisco password" website, you can still get the original password.

    To this end, I don't think Cisco has anything implemented to secure the local database (running config).

    What you can do, instead, is use aaa new-model and configure a RADIUS or TACACS+ server elsewhere to serve the user and password database. This way, it'll add a layer of security for your user/pass db, as opposed to keeping it in the router/device's running configuration.
    Studying: vmware, CompTIA Linux+, Storage+ or EMCISA
    Future: CCNP, CCIE
  • YFZblu Member Posts: 1,462
    mikeybikes wrote: »
    Use the command:
    service password-encryption

    This is really only useful so people looking over the Administrator's shoulder cannot see the password. It can easily be reversed.
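The "easily reversed" point above is worth seeing in code. Type 7 (what `service password-encryption` produces) is not encryption with a secret key: it is a XOR against a fixed, long-public key string, where the first two decimal digits of the stored value are just the starting offset into that key. The following is an added example written for this page, not code from the thread or from Cisco. The running-config excerpt it scans is constructed here, and the three type 7 values in it were generated with the `type7_encode` function below (the first and last are the classic "cisco" encodings seen in many decoders).

```python
import re

# The fixed XOR key behind IOS type 7 ("service password-encryption").
# It has been public for decades; anyone who can read the running-config
# can undo the obfuscation offline, which is why type 7 only defeats
# shoulder-surfing and nothing else.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as '0822455D0A16'."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2])            # two decimal digits: start index into the key
    body = bytes.fromhex(encoded[2:])    # then one hex byte per plaintext character
    return bytes(
        b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body)
    ).decode()


def type7_encode(plaintext: str, offset: int = 8) -> str:
    """Produce a type 7 string the way IOS does (offset is a value 0..15)."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be between 0 and 15")
    body = bytes(
        ord(c) ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
        for i, c in enumerate(plaintext)          # ASCII passwords assumed
    )
    return f"{offset:02d}{body.hex().upper()}"


# Matches "<statement> 7 <hex>" lines: enable password, username ... password,
# line passwords, and so on.
TYPE7_LINE = re.compile(r"^\s*(?P<stmt>.*?)\s+7\s+(?P<blob>[0-9A-Fa-f]{4,})\s*$")


def reveal_type7_in_config(config: str) -> list:
    """Return (statement, plaintext) pairs for every type 7 value in a config."""
    found = []
    for line in config.splitlines():
        m = TYPE7_LINE.match(line)
        if m:
            found.append((m.group("stmt"), type7_decode(m.group("blob"))))
    return found


# Constructed running-config excerpt (not taken from the thread); the three
# type 7 values were produced with type7_encode above.
SAMPLE_CONFIG = """\
service password-encryption
!
enable password 7 0822455D0A16
username bob privilege 15 password 7 020700560208
!
line vty 0 4
 password 7 060506324F41
 login local
"""

if __name__ == "__main__":
    for stmt, plain in reveal_type7_in_config(SAMPLE_CONFIG):
        print(f"{stmt!r:45} -> {plain!r}")
```

Run against any saved running-config, the scanner turns every `password 7` line back into plaintext in well under a millisecond, which is the practical answer to "can it be decrypted": yes, by anyone holding the config.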
  • MosGuy Member Posts: 195
    Some IOS versions have enhanced password security, which allows you to use "username secret". I'm not currently on my Windows system to double check in GNS3, but you can see Jeremy use it in his CCNA Labs video series when setting up a VPN tunnel :)
    ---
    XPS 15: i7-6700HQ, 256 pcie ssd, 32 GB RAM, 2 GB Nvidia GTX 960m, windows 10 Pro

    Cert in progress: CCNA (2016 revision)
  • jdballinger Member Posts: 252
    If you create a local user on the device using "username BOB privilege 15 secret PASSWORD" then the actual password will be hashed in the running config. The password is unable to be decrypted because it is a salted MD5 hash, not the usual 7-type passwords like the 'enable secret' password would be. The only way to figure it out if someone got hold of the hash would be through a brute-force attack, or a really really lucky rainbow table hit, though the salting makes this nearly mathematically impossible.
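The "salted MD5" stored by `secret` is the FreeBSD md5crypt construction (`$1$salt$hash`), the same one older Unix password files use. Below is an added example, not code from the thread or from Cisco, that implements it so the two claims above can be checked directly: the per-secret salt (IOS uses four characters) means the same password gives a different hash on every device, so a precomputed table built for one hash is useless against another; and the only way in is to recompute md5crypt for each candidate password. One caveat the thread understates: md5crypt's 1,000 MD5 rounds were expensive in 1994 but are cheap on today's GPUs, so the salt defeats rainbow tables, not dictionary attacks on weak passwords. Newer IOS releases add type 8 (PBKDF2-SHA-256) and type 9 (scrypt), which are the stronger choices where available. The passwords, salts and wordlist here are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """md5crypt's little-endian base-64 variant (not RFC 4648)."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """FreeBSD md5crypt, the construction behind IOS type 5 ($1$salt$hash)."""
    pw = password.encode()
    sb = salt.encode()[:8]
    ctx = hashlib.md5(pw + MAGIC + sb)
    final = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                         # mix in len(pw) bytes of the inner digest
        ctx.update(final[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:                             # md5crypt's odd/even-bit quirk
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return f"$1${sb.decode()}${encoded}"


def new_type5_secret(password: str) -> str:
    """What 'username bob secret <pw>' stores: a fresh 4-char salt per secret."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    return md5crypt(password, salt)


def verify_type5(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        _, magic, salt, _ = stored.split("$")
    except ValueError:
        return False
    if magic != "1":
        return False
    return hmac.compare_digest(md5crypt(password, salt), stored)


def guess_type5(stored: str, wordlist) -> Optional[str]:
    """The only attack type 5 leaves open: try candidates one at a time."""
    for word in wordlist:
        if verify_type5(word, stored):
            return word
    return None


if __name__ == "__main__":
    # Constructed demo: the same password hashed twice yields two different
    # hashes, so a table precomputed for one device's hash is useless elsewhere.
    a, b = new_type5_secret("cisco"), new_type5_secret("cisco")
    print(a, b, a != b)
    print(guess_type5(a, ["password", "admin", "cisco"]))   # constructed wordlist
```

`verify_type5` is what a device (or an offline cracker) has to do per guess; the cost per guess is 1,002 MD5 calls, which is why a real cracker will still chew through a short wordlist against a type 5 hash in seconds.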
  • mapletune Member Posts: 316
    oh ok, good information guys =D

    So Cisco does support the industry standard MD5 secret.

    hmm.. now we only need to hide the username... @_@
    Studying: vmware, CompTIA Linux+, Storage+ or EMCISA
    Future: CCNP, CCIE
  • networker050184 Mod Posts: 11,962
    If someone gets to the point where they are looking at your configuration to see the username you already have plenty of security issues.
    An expert is a man who has made all the mistakes which can be made.
  • Futura Member Posts: 191
    jdballinger wrote: »
    If you create a local user on the device using "username BOB privilege 15 secret PASSWORD" then the actual password will be hashed in the running config. The password is unable to be decrypted because it is a salted MD5 hash, not the usual 7-type passwords like the 'enable secret' password would be. The only way to figure it out if someone got hold of the hash would be through a brute-force attack, or a really really lucky rainbow table hit, though the salting makes this nearly mathematically impossible.

    Thank you for this post, really useful. I didn't realise that using the Privilege level command would make it a secret rather than a password. Will try the suggestions tomorrow.
  • YFZblu Member Posts: 1,462
    networker050184 wrote: »
    If someone gets to the point where they are looking at your configuration to see the username you already have plenty of security issues.

    Indeed!
  • Futura Member Posts: 191
    YFZblu wrote: »
    Indeed!

    What's that got to do with it?

    Please understand I am asking a question about whether type 5 passwords/secrets can be used on the local database. I'm not asking for a discussion of whether I printed a config off and pinned it up on the notice board for checking or left it on a desk.
  • networker050184 Mod Posts: 11,962
    You have to understand that when you ask a question on the internet you are getting free advice. Take the good with the bad/unhelpful/off topic. People are just trying to help you and provide insight.
    An expert is a man who has made all the mistakes which can be made.
  • MosGuy Member Posts: 195
    Futura wrote: »
    Thank you for this post, really useful. I didn't realise that using the Privilege level command would make it a secret rather than a password. Will try the suggestions tomorrow.

    As far as I'm aware the privilege level isn't related to hashing, but sets the permissions/initial user mode. It's the use of password vs secret that determines if type 5 or 7 is used. By using secret, it sets an MD5 hash, as the following article describes: Cisco IOS Password Encryption Facts - Cisco Systems. I noticed the latest version of Packet Tracer now supports username/secret.

    I suspect it was a typo & jdballinger meant to write "..not the usual 7-type passwords like the 'enable password' password would be"
    ---
    XPS 15: i7-6700HQ, 256 pcie ssd, 32 GB RAM, 2 GB Nvidia GTX 960m, windows 10 Pro

    Cert in progress: CCNA (2016 revision)
  • jdballinger Member Posts: 252
    You are correct, that is what I meant. Sometimes what I type is not what is actually in my head at the moment it seems...

    Also, you are correct about 'Privilege' not having anything to do with password hashing at all. It's merely used to determine the level of access that a particular user account has on the device. I use it at work all the time to grant the junior network admins read access to switches, allowing them to perform basic troubleshooting without any worry that they will inadvertently change something and bring down a building's connectivity.
  • RouteMyPacket Member Posts: 1,104
    jdballinger wrote: »
    If you create a local user on the device using "username BOB privilege 15 secret PASSWORD" then the actual password will be hashed in the running config. The password is unable to be decrypted because it is a salted MD5 hash, not the usual 7-type passwords like the 'enable secret' password would be. The only way to figure it out if someone got hold of the hash would be through a brute-force attack, or a really really lucky rainbow table hit, though the salting makes this nearly mathematically impossible.


    This is what I do on all of my gear.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test: if you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?