Which command is used to encrypt the user and privileged EXEC mode password?

In this lesson, we’ll take a look at how you can secure user mode and privileged (enable) mode. By default, there is no authentication required. If you connect a Cisco console cable to your switch or router, here’s what happens:

Switch con0 is now available

Press RETURN to get started.

Switch>

Once you press Enter, we land in user mode right away. There is no password or any other check. The same applies to enable mode:

Switch>enable
Switch#

We have full access right away. This is something you might want to change, which is what I’ll explain in this lesson.

User Mode Security

Let’s start with user mode.

Simple Password

The simplest option to protect user mode is to add a password. Here's how to do this:

Switch(config)#line console 0

First, we need to enter the console settings. Here’s where we have to add two commands:

Switch(config-line)#password cisco
Switch(config-line)#login

We configure a password (cisco) and use the login command to tell Cisco IOS to prompt for this password. Next time you open the console, this will happen:

Switch con0 is now available

Press RETURN to get started.

User Access Verification

Password: 
Switch>

The CLI now asks for the password. At least we have some form of authentication, but we can do better…

Username and Password

Instead of a single shared password, it's also possible to use usernames and passwords. This is a better option if multiple people need to access your router or switch. Here's how to do this:

Switch(config)#line console 0
Switch(config-line)#login local
Switch(config-line)#exit

Switch(config)#username admin password cisco

Under the console settings, we use the login local command to tell the switch to refer to a local database of usernames and passwords for authentication. In the global config, we create a username “admin” with password “cisco”.

Next time you open the console, here’s what you see:

Switch con0 is now available

Press RETURN to get started.

User Access Verification

Username: admin
Password: 
Switch>

The switch asks for our username and password.

Enable Mode Security

What about enable mode / privileged mode? We can also add a password there. You need to do this from the configuration mode:

Switch#configure terminal

Now we can set a password for enable mode:

Switch(config)#enable password cisco

Let’s see if our password “cisco” works. Let’s get out of enable mode:

Switch#disable

And jump right back in:

Switch>enable
Password:
Switch#

The switch now asks for the password.

Password Encryption

In the examples above we used passwords, but there is one problem: they all show up in clear text in our configuration. Take a look below:

[running configuration output not preserved in this copy: the enable password, the username password and the console line password are all listed in clear text]

It's all clear text. If someone steals one of your switches or routers, they have your passwords. If you ever back up your configuration and forget to remove the passwords, same problem.

Cisco IOS has a command that lets you encrypt all clear text passwords in your configuration. Here’s how:

Switch(config)#service password-encryption

The service password-encryption command encrypts every password that is stored as plain text. Here you can see the result:

[running configuration output not preserved in this copy: each password line now shows an encrypted string instead of the clear text password]

Now you might get a warm fuzzy feeling that everything is encrypted, but in reality this is a very weak, reversible encoding rather than real encryption. There are websites that decode these strings on the fly, so anyone who obtains your configuration still has your passwords.

We need something stronger…

Secret

Cisco IOS supports something called a secret as an alternative to the password. Let’s try this for the enable mode:

[CLI help output not preserved in this copy: it lists the hash algorithms that this switch supports for the enable secret]

Above you can see that this switch supports MD5, PBKDF2 and SCRYPT hashes. Older IOS versions only support MD5.

Let’s give this a try:

Switch(config)#enable secret cisco

Our secret will be “cisco”. Let’s see what we find in the configuration:

[running configuration output not preserved in this copy: the configuration now contains an "enable secret 5" line followed by an MD5 hash]

You now find an MD5 hash in the configuration. The "5" that you see behind "enable secret" identifies the algorithm that was used: 5 means MD5.

MD5 is not considered secure nowadays. It is very easy to brute force simple passwords: an online hash-cracking service recovers the MD5 hash created for my secret "cisco" in only a few seconds.

Let's try one of the other algorithms that are still considered secure today. Here's how you can select the algorithm for the enable mode:

[CLI help output not preserved in this copy: it lists the algorithm types (MD5, SCRYPT, SHA256) you can select for the enable secret]

Let’s try the PBKDF2 (SHA256) hashing algorithm:

Switch(config)#enable algorithm-type sha256 secret cisco

When we look at our configuration, we’ll see the new hash:

[running configuration output not preserved in this copy: the configuration now contains an "enable secret 8" line followed by the PBKDF2 hash]

The “8” behind “enable secret” refers to the PBKDF2 hashing algorithm that we used.

In the example above I changed the hashing algorithm for the enable mode, but we can do the same for usernames. Here's an example:

Switch(config)#username admin algorithm-type sha256 secret cisco

My username now uses SHA256 (PBKDF2) as well, with password "cisco". Here's what it looks like:

[running configuration output not preserved in this copy: the username line now reads "username admin secret 8" followed by the PBKDF2 hash]

Make sure you use strong passwords. No matter what hashing algorithm you use, weak passwords like “cisco” are easily recovered.
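The practical check that follows from the last three sections is to audit a saved configuration for the password type stored on each line: no type digit (clear text), type 7 (what service password-encryption produces), type 5 (MD5), or type 8 / 9 (PBKDF2 / scrypt). The script below is an added example, not part of the original lesson and not Cisco's code; the running configuration it parses is constructed, the hash strings in it are placeholders, and the ratings in TYPE_RATING are the author's defensive reading of what the lesson says about each algorithm.

```python
import re
from dataclasses import dataclass

# Constructed sample of a Cisco IOS running configuration (not taken from the lesson).
# Hash values are placeholders. The type-7 string is a leftover from a time when
# service password-encryption was enabled; it stays in the config after the command
# is removed, which is a realistic mixed state to audit.
SAMPLE_CONFIG = """\
!
hostname Switch
!
username admin password 7 0822455D0A16
username ops secret 5 $1$abcd$PLACEHOLDERMD5HASHxxxxxx
username audit secret 8 $8$saltsaltsaltsalt$PLACEHOLDERPBKDF2HASHxxxxxxxxxxxxxxxx
!
enable password cisco
enable secret 8 $8$saltsaltsaltsalt$PLACEHOLDERPBKDF2HASHyyyyyyyyyyyyyyyy
!
line con 0
 password cisco
 login
line vty 0 4
 login local
!
"""

# IOS password type digits as they appear in the configuration, with a defender's
# rating. No digit means type 0 (clear text); 7 is what service password-encryption
# produces (reversible); 5 is MD5; 8 is PBKDF2-SHA256; 9 is scrypt.
TYPE_RATING = {
    "0": ("clear text", "critical"),
    "7": ("service password-encryption (reversible obfuscation)", "critical"),
    "5": ("MD5 (salted, fast to brute force)", "weak"),
    "8": ("PBKDF2-SHA256", "ok"),
    "9": ("scrypt", "ok"),
}


@dataclass
class Finding:
    scope: str     # "enable", "username <name>" or "line <name>"
    keyword: str   # "password" or "secret"
    ptype: str     # type digit as stored ("0" when none is shown)
    rating: str    # "critical", "weak" or "ok"
    note: str


ENABLE_RE = re.compile(r"^enable (password|secret)(?: (\d))? (\S+)$")
USER_RE = re.compile(r"^username (\S+)(?: privilege \d+)? (password|secret)(?: (\d))? (\S+)$")
LINE_PW_RE = re.compile(r"^ password(?: (\d))? (\S+)$")


def _finding(scope, keyword, ptype):
    ptype = ptype or "0"
    note, rating = TYPE_RATING.get(ptype, ("unrecognised type", "weak"))
    return Finding(scope, keyword, ptype, rating, note)


def audit_config(config):
    """Walk a running configuration and report every stored credential with its type."""
    findings = []
    current_line = None  # name of the `line ...` sub-mode we are inside, if any
    for raw in config.splitlines():
        if raw.startswith("line "):
            current_line = raw[5:].strip()
            continue
        if raw and not raw.startswith(" "):
            current_line = None  # any other top-level command ends the line sub-mode
        m = ENABLE_RE.match(raw)
        if m:
            findings.append(_finding("enable", m.group(1), m.group(2)))
            continue
        m = USER_RE.match(raw)
        if m:
            findings.append(_finding(f"username {m.group(1)}", m.group(2), m.group(3)))
            continue
        m = LINE_PW_RE.match(raw)
        if m and current_line is not None:
            findings.append(_finding(f"line {current_line}", "password", m.group(1)))
    return findings


def summarize(findings):
    """Count findings per rating and flag a stale enable password next to an enable secret."""
    counts = {"critical": 0, "weak": 0, "ok": 0}
    for f in findings:
        counts[f.rating] += 1
    kinds = {(f.scope, f.keyword) for f in findings}
    # `enable secret` overrides `enable password`, but the password still sits in the config.
    counts["stale_enable_password"] = ("enable", "password") in kinds and ("enable", "secret") in kinds
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print(f"{f.rating:8} {f.scope:16} {f.keyword:8} type {f.ptype}: {f.note}")
    print(summarize(results))
```

Run it against the output of show running-config saved to a file; anything rated "critical" should be replaced with a secret, and "weak" (type 5) lines are candidates for re-entering the credential with algorithm-type sha256 or scrypt, as shown in the section above.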

External Authentication Servers

Configuring usernames and secrets on your Cisco IOS devices is good practice, but one issue we have is scalability. If you have a network with multiple devices, you have to configure your usernames and secrets on every device, and if you change a password, you have to change it on every device.

In larger networks, we typically use authentication servers called RADIUS or TACACS+ servers. We configure our usernames on these servers, and when someone tries to access the console or enable mode on one of your switches or routers, the device checks the credentials against the authentication server.

This allows you to keep your authentication centralized. This is something we will cover in other lessons.

Conclusion

You have now learned how to protect the user and enable mode of your Cisco IOS devices. Make sure you use “secret” instead of plain text passwords and if possible, use a stronger hashing algorithm than the default MD5.

What is the command to set an encrypted password for privileged mode?

The enable secret [password] command enables an encrypted password and overrides the enable password if it is set. The enable password [password] command adds a plain text password to privileged mode.

Which command is used to secure privileged EXEC mode?

There are two options available: the enable password and the enable secret. Both commands serve the same purpose: they let you configure a password that the user must enter in order to access privileged EXEC mode.

Which command would be used to set the privileged mode password Cisco?

To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. Use the no form of this command to remove the password requirement.

Which password is needed to enter privileged EXEC mode?

No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.