Hello Louis
Currently, the most secure method for encrypting passwords in your Cisco IOS devices is using a type 8 or type 9 encryption which use PBKDF2-SHA-256 and scrypt respectively. These are currently the most secure types, but must be supported by the IOS you are using. For more info about the various types, take a look at the following post on Cisco’s learning network:
As for how to use one of these for SSH, I was able to create a user with a secret using type 5 like so:
R2(config)#username my_name secret my_password
When viewing this in the configuration file, it looks like this:
username my_name secret 5 $1$wNNi$skihWOTQEs1u6w.AIJxMl0
I also made sure that within the vty configuration, I have the login local command and the transport input ssh command, so that SSH will be used as the protocol of choice, and the local user database will be used for SSH credentials, like so:
line vty 0 4
login local
transport input ssh
!
Now concerning the secret command for configuring a password, the command will, by default, encrypt the password using type 5. However, if you want to change the password type, you can do so by using the commands shown in the above link. Also note that if you try to change the encryption method using the number after the word secret, you will find it does not work:
R2(config)#username my_name secret ?
0 Specifies an UNENCRYPTED secret will follow
5 Specifies a MD5 HASHED secret will follow
8 Specifies a PBKDF2 HASHED secret will follow
9 Specifies a SCRYPT HASHED secret will follow
LINE The UNENCRYPTED (cleartext) user secret
R2(config)#username my_name secret 9 my_password
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 9 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.
This is because when you issue a number, the command expects the ENCRYPTED password, in the form of something like $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM depending on the algorithm chosen.
I hope this has been helpful!
Laz
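As an added example (not part of the reply above and not Cisco tooling), here is a small Python audit script that applies the points from the post to a saved running-config: it classifies every username/enable secret line by its type number (5 = MD5, 8 = PBKDF2-SHA-256, 9 = scrypt), checks that the stored hash carries the prefix IOS writes for that type ($1$, $8$, $9$), and checks that each line vty block has login local and transport input ssh. The sample config is constructed; the two type 5 and type 9 hashes are the ones quoted in the post, and the $8$ and enable values are labelled placeholders with only the prefix being meaningful.

```python
import re
from dataclasses import dataclass

# Constructed sample running-config (an assumption, not captured from a real
# device). The $1$ and $9$ hashes are the ones shown in the post; the $8$ hash
# and the enable secret are placeholders that only carry the correct prefix.
SAMPLE_CONFIG = """\
hostname R2
username my_name secret 5 $1$wNNi$skihWOTQEs1u6w.AIJxMl0
username admin secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM
username svc secret 8 $8$PLACEHOLDERSALT$PLACEHOLDERHASHVALUE
enable secret 5 $1$abcd$PLACEHOLDERENABLEHASH
line vty 0 4
 login local
 transport input ssh
!
line vty 5 15
 login
 transport input telnet ssh
!
"""

# Secret types discussed in the post, with the $-prefix IOS stores for each.
SECRET_TYPES = {
    "5": ("MD5 (weak, migrate to type 8 or 9)", "$1$"),
    "8": ("PBKDF2-SHA-256 (recommended)", "$8$"),
    "9": ("scrypt (recommended)", "$9$"),
}

SECRET_RE = re.compile(
    r"^(?:username (?P<user>\S+)|(?P<enable>enable)) secret (?P<type>\d) (?P<hash>\S+)$"
)


@dataclass
class Finding:
    subject: str   # "user:<name>", "enable", or "line vty X Y"
    severity: str  # "ok" or "warn"
    message: str


def audit_secrets(config: str) -> list[Finding]:
    """Classify each 'secret' line by type number and verify the stored hash prefix."""
    findings = []
    for line in config.splitlines():
        m = SECRET_RE.match(line.strip())
        if not m:
            continue
        subject = "enable" if m.group("enable") else f"user:{m.group('user')}"
        htype, stored = m.group("type"), m.group("hash")
        if htype not in SECRET_TYPES:
            findings.append(Finding(subject, "warn", f"unknown secret type {htype}"))
            continue
        label, prefix = SECRET_TYPES[htype]
        if not stored.startswith(prefix):
            findings.append(Finding(subject, "warn", f"type {htype} hash lacks {prefix} prefix"))
            continue
        severity = "warn" if htype == "5" else "ok"
        findings.append(Finding(subject, severity, f"type {htype}: {label}"))
    return findings


def audit_vty(config: str) -> list[Finding]:
    """Check every 'line vty' block for 'login local' and SSH-only transport."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif current and raw.startswith(" "):   # indented sub-command of the block
            blocks[current].append(raw.strip())
        else:                                   # '!' or another top-level line ends it
            current = None
    findings = []
    for name, cmds in blocks.items():
        problems = []
        if "login local" not in cmds:
            problems.append("missing 'login local'")
        transport = [c for c in cmds if c.startswith("transport input")]
        if transport != ["transport input ssh"]:
            problems.append(f"transport is {transport or 'unset'}, expected 'transport input ssh'")
        if problems:
            findings.extend(Finding(name, "warn", p) for p in problems)
        else:
            findings.append(Finding(name, "ok", "login local + transport input ssh"))
    return findings


if __name__ == "__main__":
    for f in audit_secrets(SAMPLE_CONFIG) + audit_vty(SAMPLE_CONFIG):
        print(f"[{f.severity.upper():4}] {f.subject}: {f.message}")
```

Run against the output of show running-config; a type 5 entry is reported as a warning because the post's point is that type 8 or 9 should replace it where the IOS image supports them, and a vty block that still allows telnet or uses plain login is flagged for the same reasons the reply gives.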