User Mode and Privileged Mode Security

Hello Louis

Currently, the most secure method for encrypting passwords in your Cisco IOS devices is using type 8 or type 9 encryption, which use PBKDF2-SHA-256 and scrypt respectively. These are currently the most secure types, but they must be supported by the IOS you are using. For more info about the various types, take a look at the following post on Cisco's learning network:

As for how to use one of these for SSH, I was able to create a user with a secret using type 5 like so:

R2(config)#username my_name secret my_password

When viewing this in the configuration file, it looks like this:

username my_name secret 5 $1$wNNi$skihWOTQEs1u6w.AIJxMl0

I also made sure that within the vty configuration, I have the login local command and the transport input ssh command, so that SSH will be used as the protocol of choice, and the local user database will be used for SSH credentials, like so:

line vty 0 4
 login local
 transport input ssh
!

Now concerning the secret command for configuring a password: by default, the command will encrypt the password using type 5. However, if you want to change the password type, you can do so by using the commands shown in the above link. Also note that if you try to change the encryption method using the number after the word secret, you will find it does not work:

R2(config)#username my_name secret ?
  0     Specifies an UNENCRYPTED secret will follow
  5     Specifies a MD5 HASHED secret will follow
  8     Specifies a PBKDF2 HASHED secret will follow
  9     Specifies a SCRYPT HASHED secret will follow
  LINE  The UNENCRYPTED (cleartext) user secret

R2(config)#username my_name secret 9 my_password
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 9 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.

This is because when you issue a number, the command expects the ENCRYPTED password, in the form of something like $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM depending on the algorithm chosen.

I hope this has been helpful!

Laz

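As an added example (not part of Laz's reply above, and not a Cisco tool), the following Python script audits a running-config for the two points discussed in the thread: whether each username line uses a type 8 or 9 secret rather than MD5 or a reversible password, and whether each vty block has login local plus transport input ssh. It also reproduces the check IOS performs when you put a type number after secret, which is why "secret 9 my_password" was rejected: the value must already be an encoded string with the matching prefix ($1$ for type 5, $8$ for type 8, $9$ for type 9). The sample config is constructed here for the demonstration; it reuses the two hashes shown in the post and adds a type 7 user, a cleartext user and an unhardened vty block.

```python
import re

# Constructed sample running-config (assumed, not from the original post): the two
# hashes from the post, a reversible type 7 user, a cleartext user, a hardened vty
# block and one that still allows telnet with a shared line password.
SAMPLE_CONFIG = """\
!
username my_name secret 5 $1$wNNi$skihWOTQEs1u6w.AIJxMl0
username admin secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM
username legacy password 7 0822455D0A16
username plain password 0 letmein
!
line vty 0 4
 login local
 transport input ssh
!
line vty 5 15
 password cisco
 login
 transport input telnet ssh
!
"""

# Prefix IOS writes for each 'secret' type: 5 is $1$ (MD5), 8 is $8$ (PBKDF2), 9 is $9$ (scrypt).
SECRET_PREFIX = {"5": "$1$", "8": "$8$", "9": "$9$"}
# Encoded secrets are prefix, salt and hash in the usual modular-crypt alphabet.
ENCODED_RE = re.compile(r"^\$[189]\$[./0-9A-Za-z]+\$[./0-9A-Za-z]+$")
USER_RE = re.compile(r"^username\s+(\S+)\s+(secret|password)\s+(\d)\s+(\S+)\s*$")


def is_valid_encoded_secret(secret_type: str, value: str) -> bool:
    """Same check IOS applies when a type number follows 'secret': the value must
    already be an encoded string of that type, never a cleartext password."""
    prefix = SECRET_PREFIX.get(secret_type)
    return prefix is not None and value.startswith(prefix) and ENCODED_RE.match(value) is not None


def audit_users(config: str) -> list:
    """Flag every username line that is not a well-formed type 8/9 secret."""
    findings = []
    for line in config.splitlines():
        m = USER_RE.match(line)
        if not m:
            continue
        name, keyword, stype, value = m.groups()
        if keyword == "password":
            # 'password 0' is cleartext; 'password 7' is reversible obfuscation, not a hash.
            findings.append(f"{name}: 'password {stype}' is recoverable, replace with 'secret'")
        elif stype == "5":
            findings.append(f"{name}: 'secret 5' is MD5, move to type 8 or 9 if the IOS supports it")
        elif stype in SECRET_PREFIX and not is_valid_encoded_secret(stype, value):
            findings.append(f"{name}: malformed type {stype} secret")
    return findings


def audit_vty(config: str) -> list:
    """Check each 'line vty' block for 'login local' and SSH-only transport."""
    findings = []
    blocks = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = {"login_local": False, "transport": []}
        elif current is not None and raw.startswith(" "):
            cmd = raw.strip()
            if cmd == "login local":
                blocks[current]["login_local"] = True
            elif cmd.startswith("transport input"):
                blocks[current]["transport"] = cmd.split()[2:]
        else:
            current = None  # '!' or any top-level command ends the block
    for name, state in blocks.items():
        if not state["login_local"]:
            findings.append(f"{name}: missing 'login local' (local user database not used)")
        if state["transport"] != ["ssh"]:
            findings.append(f"{name}: transport input is {state['transport'] or 'default'}, want 'ssh' only")
    return findings


def audit_config(config: str) -> list:
    """Combined report; an empty list means every user and vty block passed."""
    return audit_users(config) + audit_vty(config)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Running it against the sample reports the MD5 user, the two password users and the vty 5 15 block (no login local, telnet still enabled), while the type 9 admin user and vty 0 4 pass. Point it at the output of show running-config saved to a file to audit a real device.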