Relentless Coding

A Developer’s Blog

Authentication on Cisco IOS

Let’s have a look at how Cisco IOS handles authentication and how passwords are stored in the configuration file.

Disable Cleartext Passwords in the Configuration File

Let’s set the “front-door password” for console access, the one that puts the user in user EXEC mode:

ISR4321# conf t
ISR4321(config)# line console 0
ISR4321(config-line)# password foobarbaz
ISR4321(config-line)# login
ISR4321(config-line)# ^Z
ISR4321# sh run | b line
line con 0
!
line aux 0
!
line vty 0 4
 password foobarbaz
 login
line vty 5 15
 password foobarbaz
 login
!

To obfuscate passwords in the configuration file:

ISR4321(config)# service password-encryption

Passwords that would normally be stored in plaintext in the config file are now obscured by “Type 7 encryption”.[1] “Encryption” sounds like a big deal, but this type of encryption is merely meant to prevent casual shoulder surfing:

line con 0
 password 7 1047021200
 login

Type 7 “encryption” is seriously broken: it is a Vigenère-style XOR against a fixed, publicly known key, and any of the freely available decoders reverses it instantly. So assume that anyone with access to the config (or backups thereof, or a TFTP transfer of it) knows the password and can reach user EXEC mode on your Cisco devices.
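To make that concrete, here is an added example (my own code, not from the original post or from Cisco) that implements the Type 7 scheme in Python: a fixed 40-byte key, a two-digit starting offset, and one XOR per character. It decodes the password 7 string from the config snippet above and round-trips a value of your choice; the function and variable names are my own.

```python
# Added example: encode/decode Cisco "Type 7" passwords to show that
# service password-encryption is obfuscation, not encryption.

# Fixed key used by IOS for Type 7 obfuscation (publicly known for decades).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a 'password 7 <hex>' string.

    The first two decimal digits are the starting offset into TYPE7_KEY;
    every following pair of hex digits is one plaintext byte XORed with
    the key byte at (offset + position) mod len(key).
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a Type 7 string")
    offset = int(encoded[:2])
    if offset >= len(TYPE7_KEY):
        raise ValueError("offset out of range")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(
        b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data)
    )
    return plain.decode("ascii")


def type7_encode(plaintext: str, offset: int = 0) -> str:
    """Produce the same string IOS would store; used here for a round trip."""
    if not 0 <= offset < len(TYPE7_KEY):
        raise ValueError("offset out of range")
    data = plaintext.encode("ascii")
    out = bytes(
        b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data)
    )
    return f"{offset:02d}{out.hex().upper()}"


if __name__ == "__main__":
    # The "password 7" value from the config snippet in the post.
    print(type7_decode("1047021200"))
    # Round trip: what IOS would write for this password at offset 10.
    enc = type7_encode("foobarbaz", 10)
    print(enc, type7_decode(enc))
```

Because the key is fixed and public, "decrypting" costs nothing. service password-encryption is still worth enabling to stop over-the-shoulder reads of a show run, but it changes nothing about who can recover the password from a config backup.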

If we were to exit now, we would be prompted for this front-door password:

ISR4321# exit
ISR4321 con0 is now available

Press RETURN to get started.

User Access Verification

Password: 
ISR4321>

The router does not echo the password back to the screen to prevent shoulder surfing.

Protect Privileged EXEC Mode with a Password

Set the “enable” password (to get to enable/privileged EXEC mode):

ISR4321(config)# enable secret algorithm-type scrypt secret <pwd>

At least on my IOS, scrypt is fortunately available as the password hashing function; IOS stores the result as a type 9 secret.[2]

When an enable secret is set, IOS ignores the enable password: if both are configured, only the enable secret grants access to privileged EXEC mode. enable password stores the password in plaintext in the config file, or merely obfuscates it (Type 7) when service password-encryption is set. So remove this insecure password with no enable password.

Username + Password Authentication

You can also use username + password authentication. Logins over the console and Telnet can then request a username in addition to a password. SSH always requires a username (and, with password authentication, a password).

Create users with usernames, password and privilege levels:

ISR4321(config)# username stefan privilege 15 secret stefanpwd
ISR4321(config)# username thomas privilege 1 secret thomaspwd

You can use algorithm-type to specify the hashing function. On my IOS the default is the (weak) MD5-based type 5 hash; use algorithm-type scrypt (type 9) instead.
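As an added example (my own code, not from the post), the following Python script does the check I would run on a saved running-config before trusting its credentials: it finds every password/secret line, reads the hash-type number IOS writes after the keyword, and flags anything that is not type 8 (PBKDF2-SHA256) or 9 (scrypt). This covers both the enable secret vs. enable password point and the username secrets above. The sample config is constructed for the example: the Type 7 and secret 5 values are the ones shown in this post, the other hash values are placeholders; the type numbers are Cisco's.

```python
# Added example: audit an IOS running-config for weak or reversible credentials.
import re

# Hash-type numbers IOS writes after "password"/"secret" in a running-config.
TYPE_INFO = {
    "0": "cleartext",
    "4": "unsalted SHA-256 (deprecated)",
    "5": "MD5-crypt (offline-crackable)",
    "7": "Type 7 (trivially reversible)",
    "8": "PBKDF2-SHA256",
    "9": "scrypt",
}
ACCEPTABLE = {"8", "9"}

# Constructed sample running-config; the "$9$"/"$1$EXAMPLE" hashes are placeholders.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 1047021200
enable secret 5 $1$mERr$jegsBINbJe1/UUQKc.NUC1
username stefan privilege 15 secret 9 $9$EXAMPLESALT$EXAMPLEHASHNOTREAL
username thomas privilege 1 secret 5 $1$EXAMPLE$EXAMPLEHASHNOTREAL
line con 0
 password 7 1047021200
 login
line vty 0 4
 password foobarbaz
 login local
"""

# "... (password|secret) [<type>] <value>"; no type number means cleartext.
# "password-encryption" does not match because the keyword must be followed
# by whitespace.
CRED_RE = re.compile(
    r"(?P<kind>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)


def audit_config(config: str) -> list[dict]:
    """Return one finding per credential that is not stored as type 8 or 9."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = CRED_RE.search(line)
        if not m:
            continue
        htype = m.group("type") or "0"
        if htype in ACCEPTABLE:
            continue
        if line.lstrip().startswith("enable password"):
            fix = "no enable password; rely on enable secret (algorithm-type scrypt)"
        elif m.group("kind") == "password":
            fix = "use login local with username ... algorithm-type scrypt secret ..."
        else:
            fix = "re-enter the secret with algorithm-type scrypt"
        findings.append(
            {
                "line": lineno,
                "text": line.strip(),
                "type": htype,
                "issue": TYPE_INFO.get(htype, "unknown hash type"),
                "fix": fix,
            }
        )
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>2}  type {f['type']}  {f['issue']:<32} {f['text']}")
        print(f"          fix: {f['fix']}")
```

Run it against a real show running-config dump; a clean result means every stored credential is a salted, memory-hard (type 9) or iterated (type 8) hash, and the only remaining exposure from a leaked config is offline guessing.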

By changing line console 0 to use login local instead of login, the login prompt checks credentials against the local user list configured with username <name> secret <secret>:

ISR4321# conf t
ISR4321(config)# line console 0
ISR4321(config-line)# login local
ISR4321(config-line)# end
ISR4321# exit
User Access Verification

Username: thomas
Password:
ISR4321>

If we authenticate with the privileged user stefan instead (which was configured with privilege 15), we are taken straight to enable/privileged EXEC mode after authentication.


  1. Note that if you disable password-encryption again, IOS will not decrypt the obfuscated passwords. ↩︎

  2. By default, my IOS version (16.06.04) uses the (weak) MD5-based BSD password algorithm (the “$1$” scheme, stored as secret 5). If you encounter an enable secret:

    Router#sh run | i secret
    enable secret 5 $1$mERr$jegsBINbJe1/UUQKc.NUC1
    

    You can check the password on a Linux box with openssl-passwd(1):

    openssl passwd -1 -salt mERr foobarbaz
    $1$mERr$jegsBINbJe1/UUQKc.NUC1
    
     ↩︎