User Mode and Privileged Mode Security

This topic is to discuss the following lesson:

HI Rene,
In most of the switches 2960X I dont have the option of login lor login local.

It only appears the option login authentication default that requires a list for login

Hello Helen,

It seems they changed this a bit on IOS 15.x. You can find an example here:

Once aaa new-model is enabled, you can use the login command:

Switch(config)# aaa new-model
Switch(config)# line vty 0 15
Switch(config-line)# login local
Switch(config-line)# exit

Try this on a test switch first, usually when you mess around with AAA it’s easy to lock yourself out :sweat_smile:

Rene

Hey everyone,

I’ve been looking into passwords/secrets on Cisco devices, and am a bit confused regarding how to configure the best practice (most secure) password type.

I’ve successfully configured type 7 passwords on devices, enabled password encryption (so they don’t show as plain text in the config) then have been able to SSH to the device using those credentials.

However I’ve read that type 7 passwords are not secure, and using an online crack tool was easily able to crack my encrypted type 7 passwords. When I search online regarding this everyone says to use type 5 secrets instead.

I have no trouble configuring a type 5 secret using the “enable secret” command to use for priv exec mode, which gives me this in the run config:

enable secret 5 $1$mERr$OKzfSUgIm9q.QG2WpAsx1/

However when I try to configure a type 5 secret with a username (so it can be used for SSH) it shows up as plain text in the run config:

ip domain-name test.com
!
username josie secret 5 major

I also cannot SSH to the Cisco device using this username and password, it tells me the password is invalid.

So my question boils down to: What is the best practice for configuring usernames/passwords on Cisco devices which can be used for SSH etc, and how do I configure them?

Thanks for your help!

Hello Louis

Currently, the most secure method for encrypting passwords in your Cisco IOS devices is using a type 8 or type 9 encryption which use PBKDF2-SHA-256 and scrypt respectively. These are currently the most secure types, but must be supported by the IOS you are using. For more info about the various types, take a look at the following post on Cisco’s learning network:

As for how to use one of these for SSH, I was able to create a user with a secret using type 5 like so:

R2(config)#username my_name secret my_password

When viewing this in the configuration file, it looks like this:

username my_name secret 5 $1$wNNi$skihWOTQEs1u6w.AIJxMl0

I also made sure that within the vty configuration, I have the login local command and the transport input ssh command, so that SSH will be used as the protocol of choice, and the local user database will be used for SSH credentials, like so:

line vty 0 4
 login local
 transport input ssh
!

Now concerning the secret command for configuration a password, the command will, by default, encrypt the password using type 5. However, if you want to change the password type, you can do so by using the commands shown in the above link. Also note that if you try to change the encryption method using the number after the word secret, you will find it does not work:

R2(config)#username my_name secret ?
  0     Specifies an UNENCRYPTED secret will follow
  5     Specifies a MD5 HASHED secret will follow
  8     Specifies a PBKDF2 HASHED secret will follow
  9     Specifies a SCRYPT HASHED secret will follow
  LINE  The UNENCRYPTED (cleartext) user secret

R2(config)#username my_name secret 9 my_password
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 9 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.

This is because when you issue a number, the command expects the ENCRYPTED password, in the form of something like $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM depending on the algorithm chosen.

I hope this has been helpful!

Laz

1 Like

Hey Laz,

Thanks for the response!

I tried again configuring the secret 5 with a username using your instructions, and I can SSH successfully from another device now – not sure what went wrong last time.

I tried the stronger encryption method mentioned by Rene in the article, however the commands don’t exist on the router I’m using, so I assume it requires a newer IOS version.

According to the Cisco document you linked, the secret 5 can be cracked but would take a long time – therefore I assume it’s “good enough” to use in a production environment. Would that be correct?

Also with the secret 5, I noticed we cannot set permissions levels (1-15) like we can with the old passwords. With the secret 5 are these permissions levels obsolete? Do we need to just use the “enable secret” as well to provide full permissions?

Cheers.

Hello Louis

Good to hear that it’s working!

Yes, both types 8 and 9 (SHA-256 and scrypt respectively) are supported starting from IOS 15.3(3).

When you choose the type of encryption you should take into account what other security measures are in place. Do you have an access list that limits connectivity on the management interfaces? Any Control Plane Policing? Management Plane Protection? Is the device accessible only from the local network or from the Internet? If there are other measures in place, then type 5 would most likely be “good enough” as you say. If your device is accessible via the Internet, or is in an environment where you don’t have absolute control over who is able to connect, then using a better encryption method may be beneficial.

The privilege level can be set using commands similar to the following:

R1(config)#username laz privilege 15 secret my_password

I was able to enter this command on a Cisco router and set the privilege level to 15. I then tried to connect to R1 using telnet, and I was able to log in with these credentials. When I did, I was put immediately into privileged executive mode, which is this prompt: R1#

If I didn’t set the privilege to 15, then it would give me user executive mode which is this prompt: R1>. In order to get to privileged executive mode, I would then need to issue the enable command and the corresponding password.

I hope this has been helpful!

Laz