enable secret

x5150 Member Posts: 42
Are these commands the same? Meaning you can set the secret password from any privileged prompt?

Switch(config-line)#enable secret its-a-secret
Switch(config)#enable secret its-a-secret

They are at different levels, one for global and one for the line config.

They seem to have the same outcome of requiring a user to enter a password to get to privileged mode regardless if directly connected or through telnet.

Comments

  • super22 Member Posts: 48
    Switch(config-line)#enable secret its-a-secret

    - this should ONLY configure the password for telnet/console

    Switch(config)#enable secret its-a-secret

    - this should ONLY configure the enable password

    maybe you can give us the whole config so we can take a better look:D
  • thehourman Member Posts: 723
    I am on the same boat; actually, I am at page 244 (Odom's book).
    So, we can use the enable secret on telnet/ssh as well.

    Is that the password we are going to use if we are going to use telnet/ssh or is that the password after we login to telnet/ssh to access the enable mode?
    What exactly is the difference between the password in login local and the enable secret in line vty?

    The reason I asked is that when you setup the telnet/ssh the commands are:
    login local
    transport input telnet ssh
    username name password password
    ip domain-name something.com
    crypto key generate rsa

    This is my understanding between the two (my 2nd question): the password in login local is for logging in to telnet/ssh, and the enable secret in line vty is for accessing the enable mode after logging in to telnet/ssh.
    Please correct me if I am wrong. I need to clarify this as well.

    EDIT:
    About the ip domain-name, do I have to have a domain name to make it to work?
    I just want to use ssh on my lab while I am at my friends house. Also, how do I copy the show crypto key mypublic key rsa to my netbook which is the client? I use tera term.
    Studying:
    Working on CCNA: Security. Start date: 12.28.10
    Microsoft 70-640 - on hold (This is not taking me anywhere. I started this in October, and it is December now, I am still on page 221. WTH!)
    Reading:
    Network Warrior - Currently at Part II
    Reading IPv6 Essentials 2nd Edition - on hold
  • CiskHo Member Posts: 188
    thehourman wrote: »
    About the ip domain-name, do I have to have a domain name to make it to work?
    No. You could use cnn.com or ANYTHING you wanted. It doesn't need to be a registered domain name in order for SSH to work :)
    My Lab Gear:
    2811(+SW/POE/ABGwifi/DOCSIS) - 3560G-24-EI - 3550-12G - 3550POE - (2) 2950G-24 - 7206VXR - 2651XM - (2) 2611XM - 1760 - (2) CP-7940G - ESXi Server

    Just Finished: RHCT (1/8/11) and CCNA:S (Fall 2010)
    Prepping For: VCP and CCNP SWITCH, ROUTE, TSHOOT
  • thehourman Member Posts: 723
    CiskHo wrote: »
    No. You could use cnn.com or ANYTHING you wanted. It doesn't need to be a registered domain name in order for SSH to work :)
    I just want to make sure that I understand what you said.
    I can make up a random name and let's say thehourman.com, and use it for ip domain-name. The question is can I access my switch using ssh from outside my own network?

    Also, how am I going to copy the show crypto mypublic key rsa to my netbook for accessing the switch?
  • CiskHo Member Posts: 188
    thehourman wrote: »
    I just want to make sure that I understand what you said.
    I can make up a random name and let's say thehourman.com, and use it for ip domain-name. The question is can I access my switch using ssh from outside my own network?
    Correct, as long as you are connected to your home's WAN IP address and not to the unregistered "hourman.com".


    thehourman wrote: »
    Also, how am I going to copy the show crypto mypublic key rsa to my netbook for accessing the switch?
    That I can't help with. I set up my switches & routers for SSH but didn't need to copy anything from the CLI. I connected using Putty program. I believe I was asked by Putty if I wished to trust the switch/router's key upon connecting. IIRC, I clicked yes and was then put through to the CLI.

    But for whatever reason I was unable to connect from the WAN side (only LAN worked for me). I even did port forwarding on my gateway router for port 22 (SSH) to be sent to my devices LAN IP but that didn't work. Could be my work was blocking outgoing port 22. I dunno... FWIW, I was using a registered domain name and then tried IP. Neither worked. But I am able to connect from my LAN with no problem.
  • ConstantlyLearning Member Posts: 445
    CiskHo wrote: »
    But for whatever reason I was unable to connect from the WAN side (only LAN worked for me). I even did port forwarding on my gateway router for port 22 (SSH) to be sent to my devices LAN IP but that didn't work. Could be my work was blocking outgoing port 22. I dunno... FWIW, I was using a registered domain name and then tried IP. Neither worked. But I am able to connect from my LAN with no problem.

    The cisco device you were trying to connect to was probably missing a default gateway. Traffic coming from the WAN side was probably making it to the cisco device but the return traffic didn't know where to go because it didn't have a matching route.
    "There are 3 types of people in this world, those who can count and those who can't"
  • CiskHo Member Posts: 188
    The cisco device you were trying to connect to was probably missing a default gateway. Traffic coming from the WAN side was probably making it to the cisco device but the return traffic didn't know where to go because it didn't have a matching route.
    Thx, will double check that. I know the device (2811 router) has ip default-gateway of my GW router (Linksys). The Linksys passes info to the 2811 just fine. I can ping the Linksys from devices/switches that I have behind the 2811 so I would think the gateway info was there.
    WAN--Linksys--2811--3550--2950 (2950 pings Linksys just fine). Pretty sure telnet was working too, just not SSH. Will recheck and post findings asap.
  • ConstantlyLearning Member Posts: 445
    CiskHo wrote: »
    Thx, will double check that. I know the device (2811 router) has ip default-gateway of my GW router (Linksys). The Linksys passes info to the 2811 just fine. I can ping the Linksys from devices/switches that I have behind the 2811 so I would think the gateway info was there.
    WAN--Linksys--2811--3550--2950 (2950 pings Linksys just fine). Pretty sure telnet was working too, just not SSH. Will recheck and post findings asap.

    Can you ping public IPs from the 2811?

    To set a default gateway on the 2811 use a default static route. Don't use the ip default-gateway.

    ip route 0.0.0.0 0.0.0.0 [Linksys LAN interface IP]

    "The ip default-gateway command differs from the other two commands. It should only be used when ip routing is disabled on the Cisco router."

    Configuring a Gateway of Last Resort Using IP Commands - Cisco Systems
  • CiskHo Member Posts: 188
    Can you ping public IPs from the 2811?

    To set a default gateway on the 2811 use a default static route. Don't use the ip default-gateway.

    ip route 0.0.0.0 0.0.0.0 [Linksys LAN interface IP]

    "The ip default-gateway command differs from the other two commands. It should only be used when ip routing is disabled on the Cisco router."

    Configuring a Gateway of Last Resort Using IP Commands - Cisco Systems

    Many thanks for that info! I had ip default-gateway set to my Linksys. Removed that and entered static route. Can ping my WAN IP from 2811. Have enabled port forwarding for port 22 (SSH) on the Linksys to my 2811's IP and still can't connect via Putty from my work. Hoping to look more into this during the w/e. Any thoughts on what I should be looking out for?

    And sorry for the thread hijacking
  • notgoing2fail Member Posts: 1,138
    CiskHo wrote: »
    Many thanks for that info! I had ip default-gateway set to my Linksys. Removed that and entered static route. Can ping my WAN IP from 2811. Have enabled port forwarding for port 22 (SSH) on the Linksys to my 2811's IP and still can't connect via Putty from my work. Hoping to look more into this during the w/e. Any thoughts on what I should be looking out for?

    And sorry for the thread hijacking

    I would also allow pings to get to your 2811 from work. If the pings work, then you can troubleshoot the SSH.

    If the pings don't work (with port forwarding) then now you know it's probably a routing issue.

    Or like you said, your work could be blocking SSH. That's always a possibility....
  • CiskHo Member Posts: 188
    I am able to SSH into the 2811 by hitting my WAN IP from my LAN wifi. However, I am still unable to SSH from work and hit the 2811. Cisco coworkers say SSH is not blocked from our work site. Also confirmed no ACLs are in place. Hmmm... will have to dig deeper.
  • notgoing2fail Member Posts: 1,138
    CiskHo wrote: »
    I am able to SSH into the 2811 by hitting my WAN IP from my LAN wifi. However, I am still unable to SSH from work and hit the 2811. Cisco coworkers say SSH is not blocked from our work site. Also confirmed no ACLs are in place. Hmmm... will have to dig deeper.


    Do you know any other SSH sites you can try? If you can SSH to other sites, then it's definitely an issue with your home. If you can't, then your coworkers are lying dogs.... LOL...
  • hexem Member Posts: 177
    Have you opened up the port on the linksys firewall ?

    I'd expect everything is being denied by default so you need to go add a specific rule for ssh.
    ICND1 - Passed 25/01/10
    ICND2 - Passed 9/03/10

    Studying CCNA:S
  • CiskHo Member Posts: 188
    hexem wrote: »
    Have you opened up the port on the linksys firewall ?

    I'd expect everything is being denied by default so you need to go add a specific rule for ssh.
    Port 22 is being forwarded to the 2811's ip. I am able to SSH into it by hitting the WAN IP from my LAN connection (wifi) but not from outside my LAN (while @ work). I am installing OpenSSH on a LAN PC now to test the connection to that. Trying to verify that this is a config issue on the 2811... not sure what else it could be at this point. Will post my findings asap.
  • x5150 Member Posts: 42
    super22 wrote: »
    Switch(config-line)#enable secret its-a-secret

    - this should ONLY configure the password for telnet/console

    Switch(config)#enable secret its-a-secret

    - this should ONLY configure the enable password

    maybe you can give us the whole config so we can take a better look:D

    Here's the order of the commands:

    enable
    configure terminal
    line vty 0 15
    password ciscopress
    login
    enable secret its-a-password # there's a note that this is a global config command

    # at this point the command prompt has changed from
    Switch(config-line)#
    to
    Switch(config)#


    then go to Router
    telnet Switches_IP
    # prompted for password
    ciscopress

    prompt is now my Switch>

    enable
    its-a-secret

    # now privileged mode
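The thread touches three settings that decide who can reach privileged mode remotely: whether `enable secret` (hashed) or the reversible `enable password` protects `enable`, how each `line vty` block authenticates and which transports it accepts, and (from ConstantlyLearning's post) whether a router has a real default route or only `ip default-gateway`, which IOS honours only when `ip routing` is disabled. As an added example that is not part of the thread or of any Cisco tool, the Python script below audits a running-config text for exactly those points. Both configurations, the hostname, the usernames and the addresses in it are constructed for the example; the `audit` and `parse_sections` function names are my own.

```python
"""Offline audit of a Cisco IOS running-config for the settings discussed above.

Added example, not code from the thread or from Cisco. It reports:
  * whether privileged EXEC is guarded by `enable secret`, by the reversible
    `enable password`, or by nothing (IOS then refuses `enable` on vty sessions);
  * per `line vty` block, how login is enforced and whether telnet is accepted
    (telnet carries the line password in clear text);
  * whether `ip default-gateway` is being relied on while ip routing is enabled,
    in which case a default static route is what actually applies.
"""
import re

# Constructed "before" config: weak enable setting, telnet still allowed,
# default gateway on a device that routes.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name lab.example
enable password letmein
username admin privilege 15 secret 5 $1$placeholder
ip default-gateway 192.168.1.1
line con 0
 password ciscopress
 login
line vty 0 4
 password ciscopress
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

# Constructed "after" config: the same device with the findings addressed.
HARDENED_CONFIG = """\
hostname R1
ip domain-name lab.example
enable secret 5 $1$placeholder
username admin privilege 15 secret 5 $1$placeholder
ip route 0.0.0.0 0.0.0.0 192.168.1.1
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""


def parse_sections(config):
    """Split a running-config into top-level lines and a dict of 'line ...' blocks.

    Indented lines belong to the most recent 'line' block; other top-level
    lines are treated as global configuration.
    """
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = None
            if line.startswith("line "):
                current = line
                blocks[current] = []
            else:
                global_lines.append(line)
        elif current is not None:
            blocks[current].append(line.strip())
    return global_lines, blocks


def audit(config, routing_enabled=True):
    """Return a list of human-readable findings (empty list means nothing flagged).

    routing_enabled: IOS routers have ip routing on by default; pass False for a
    Layer-2 switch, where ip default-gateway is the right command.
    """
    global_lines, blocks = parse_sections(config)
    findings = []

    # 1. How is privileged EXEC protected?
    has_secret = any(l.startswith("enable secret") for l in global_lines)
    has_password = any(l.startswith("enable password") for l in global_lines)
    if has_password and not has_secret:
        findings.append("enable: uses reversible 'enable password'; replace with 'enable secret'")
    elif has_password:
        findings.append("enable: 'enable password' is redundant next to 'enable secret'; remove it")
    elif not has_secret:
        findings.append("enable: no enable secret set; 'enable' will be refused on vty sessions")

    # 2. Each vty block: login method and accepted transports.
    for name, lines in blocks.items():
        if not name.startswith("line vty"):
            continue
        login = next((l for l in lines if l.startswith("login")), None)
        has_line_pw = any(l.startswith("password") for l in lines)
        transport = next((l for l in lines if l.startswith("transport input")), None)
        if login is None:
            findings.append(f"{name}: no 'login' statement; vty access is not authenticated")
        elif login == "login" and not has_line_pw:
            findings.append(f"{name}: 'login' without a line password; remote logins will be refused")
        elif login == "login":
            findings.append(f"{name}: shared line password; prefer 'login local' with per-user accounts")
        if transport is None:
            findings.append(f"{name}: transport input not set; restrict with 'transport input ssh'")
        elif "telnet" in transport or transport.endswith(" all"):
            findings.append(f"{name}: telnet allowed ({transport}); passwords cross the wire in clear text")

    # 3. Default route: ip default-gateway only counts when ip routing is off.
    if "no ip routing" in global_lines:
        routing_enabled = False
    has_default_route = any(re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 ", l) for l in global_lines)
    has_default_gw = any(l.startswith("ip default-gateway") for l in global_lines)
    if routing_enabled and has_default_gw and not has_default_route:
        findings.append("routing: 'ip default-gateway' is ignored while ip routing is enabled; "
                        "use 'ip route 0.0.0.0 0.0.0.0 <next-hop>'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", HARDENED_CONFIG)):
        print(f"--- {label} ---")
        for finding in audit(cfg) or ["no findings"]:
            print(finding)
```

Run it as-is to see the four findings on the constructed "before" config and none on the hardened one; to audit a real device, paste the output of `show running-config` into the config string. Pass `routing_enabled=False` for a Layer-2 switch, where `ip default-gateway` is the correct command and is not flagged.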