Encrypting Passwords

Problem

You want to encrypt passwords so that they do not appear in plain text in the router configuration file.

Solution

To enable password encryption on a router, use the service password-encryption configuration command:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#enable password oreilly
Router1(config)#line vty 0 4
Router1(config-line)#password cookbook
Router1(config-line)#line con 0
Router1(config-line)#password cookbook
Router1(config-line)#line aux 0
Router1(config-line)#password cookbook
Router1(config-line)#exit
Router1(config)#service password-encryption
Router1(config)#end
Router1#

This command uses a weak, reversible encryption method to encipher VTY and enable passwords. Please see Recipe 3.5 for more details.

 

Discussion

By default, the router stores all passwords in clear text and presents them in a human-readable format when you look at the router's configuration. The service password-encryption command encrypts the passwords by using the Vigenere encryption algorithm. Unfortunately, the Vigenere encryption method is cryptographically weak and trivial to reverse, as we will illustrate in Recipe 3.5.

However, this functionality is still quite useful to prevent nosy neighbors from viewing passwords over your shoulder. As such, encrypting your passwords is still highly recommended in spite of the known weaknesses. You should be aware of the inherent weaknesses of this encryption scheme when storing or forwarding router configuration files, though. Recipe 3.4 provides a small utility to strip your router configuration files of all passwords (encrypted or not) to keep stored and forwarded configuration files safe from prying eyes.

The following example shows what a configuration file looks like with password encryption enabled:

Router1#show running-config 
Building configuration...

Current configuration : 4385 bytes
!
! Last configuration change at 13:08:35 EDT Thu Jun 27 2002 by weak
! NVRAM config last updated at 13:01:45 EDT Thu Jun 27 2002 by kdooley
!
version 12.2
service password-encryption

!
hostname Router
!
enable password 7 06091D2445420500
!
username ijbrown password 7 045802150C2E
username kdooley password 7 070C285F4D06
!
line con 0
 password 7 0605002E474C06160E
line aux 0
 password 7 151104030F28242B23
line vty 0 4
 password 7 110A160A1C1004030F
 !
end

You will notice that the router now encrypts all of the passwords and no longer displays them in a human-readable format.

See Also

Recipe 3.3; Recipe 3.4; Recipe 3.5

Router Configuration and File Management

Router Management

User Access and Privilege Levels

TACACS+

IP Routing

RIP

EIGRP

OSPF

BGP

Frame Relay

Handling Queuing and Congestion

Tunnels and VPNs

Dial Backup

NTP and Time

DLSw

Router Interfaces and Media

Simple Network Management Protocol

Logging

Access-Lists

DHCP

NAT

First Hop Redundancy Protocols

IP Multicast

IP Mobility

IPv6

MPLS

Security

Appendix 1. External Software Packages

Appendix 2. IP Precedence, TOS, and DSCP Classifications

Index



Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net