Authentication on Cisco IOS
Let’s have a look at how Cisco IOS handles authentication and how passwords are stored in the configuration file.
Disable Cleartext Passwords in the Configuration File
Let’s set the “front-door password” for console access, the one that puts the user into user EXEC mode:
ISR4321# conf t
ISR4321(config)# line console 0
ISR4321(config-line)# password foobarbaz
ISR4321(config-line)# login
ISR4321(config-line)# ^Z
ISR4321# sh run | b line
line con 0
password foobarbaz
login
!
line aux 0
!
line vty 0 4
password foobarbaz
login
line vty 5 15
password foobarbaz
login
!
To obfuscate passwords in the configuration file:
ISR4321(config)# service password-encryption
Passwords that would normally be stored in plaintext in the config file are now obscured by “Type 7 encryption”.[1] “Encryption” sounds like a big deal, but this scheme is merely meant to prevent casual shoulder surfing:
line con 0
password 7 1047021200
login
Type 7 “encryption” is seriously broken: it is a reversible XOR against a fixed key that is the same on every IOS device and has been public for decades, and free decoders exist. So assume that anyone with access to the config (or backups thereof) knows the password and can reach user EXEC mode on your Cisco devices.
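To see why it is reversible, here is the type 7 scheme written out in Python. This is an added example, not code from the original post: the first two digits of the stored string are an offset into a fixed key table shared by every IOS device, and each following pair of hex digits is one password byte XORed with the next key byte. The key table is the one IOS uses (the first 26 characters are the widely circulated short form; the rest only matters for long passwords). The strings used in the demo are constructed for the example.

```python
"""Cisco IOS "type 7" password obfuscation, as used by `service
password-encryption`.  Added example, not code from the original post."""

# The fixed XOR key every IOS device uses for type 7 (53 bytes).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(password: str, seed: int = 10) -> str:
    """Obfuscate `password` the way IOS does.

    `seed` is the starting offset into XLAT.  IOS picks a small one at
    random; it is stored *in the clear* as the first two decimal digits,
    which is why this is obfuscation and not encryption."""
    if not 0 <= seed < len(XLAT):
        raise ValueError("seed must be between 0 and %d" % (len(XLAT) - 1))
    out = [f"{seed:02d}"]
    for i, byte in enumerate(password.encode("latin-1")):
        out.append(f"{byte ^ XLAT[(seed + i) % len(XLAT)]:02X}")
    return "".join(out)


def type7_decode(obfuscated: str) -> str:
    """Recover the plaintext from a `password 7 <string>` config value."""
    if len(obfuscated) < 4 or len(obfuscated) % 2:
        raise ValueError("type 7 strings have an even length of at least 4")
    seed = int(obfuscated[:2])
    plain = bytearray()
    for n, i in enumerate(range(2, len(obfuscated), 2)):
        byte = int(obfuscated[i:i + 2], 16)   # raises on non-hex input
        plain.append(byte ^ XLAT[(seed + n) % len(XLAT)])
    return plain.decode("latin-1")


if __name__ == "__main__":
    # Constructed demo: obfuscate the front-door password from above and
    # immediately reverse it, as anyone holding the config could.
    stored = type7_encode("foobarbaz")
    print(f"password 7 {stored}  ->  {type7_decode(stored)}")
```

The decoder needs nothing but the config line; there is no per-device secret involved, so rotating the password does not help once a config has leaked.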
If we were to exit now, we would be prompted for this front-door password:
ISR4321# exit
ISR4321 con0 is now available
Press RETURN to get started.
User Access Verification
Password:
ISR4321>
The router does not echo the password back to the screen to prevent shoulder surfing.
Protect Privileged EXEC Mode with a Password
Set the enable secret (the password that gets you into enable/privileged EXEC mode):
ISR4321(config)# enable algorithm-type scrypt secret <pwd>
At least on my IOS, fortunately, scrypt is available as a PBKDF.[2] The resulting hash is stored in the config as enable secret 9 <hash>.
When an enable secret is set, IOS ignores the enable password: if both are set, you can only gain privileged access with the enable secret. enable password stores the password in plaintext in the config file, or merely obfuscates it (Type 7) when service password-encryption is set. Even though it is ignored, it is still a credential sitting in the config in a trivially reversible form, and people reuse passwords. So remove this insecure password with no enable password.
Username + Password Authentication
You can also use username + password authentication. Logins over console and Telnet can then request a username in addition to a password. SSH always requires a username (and, unless you configure public-key authentication, a password).
Create users with usernames, password and privilege levels:
ISR4321(config)# username stefan privilege 15 secret stefanpwd
ISR4321(config)# username thomas privilege 1 secret stefanpwd
You can use algorithm-type to specify the PBKDF (username <name> [privilege <level>] algorithm-type scrypt secret <pwd>). On my IOS, by default, it uses the (weak) MD5, stored as secret 5. Use scrypt instead, stored as secret 9.
By changing line console 0 to use login local instead of login, the login prompt will request credentials from the local list configured with username <name> secret <secret>:
ISR4321# conf t
ISR4321(config)# line console 0
ISR4321(config-line)# login local
ISR4321(config-line)# end
ISR4321# exit
User Access Verification
Username: thomas
Password:
ISR4321>
If we authenticate with the privileged user stefan instead (which was configured with privilege 15), we are taken straight to enable/privileged EXEC mode after authentication.
[1] Note that if you disable service password-encryption again, IOS will not decrypt the passwords it has already obfuscated.
[2] By default, my IOS version (16.06.04) uses the (weak) MD5-based BSD password algorithm 1. If you encounter such an enable secret:
Router# sh run | i secret
enable secret 5 $1$mERr$jegsBINbJe1/UUQKc.NUC1
you can check a candidate password on a Linux box with openssl-passwd(1):
openssl passwd -1 -salt mERr foobarbaz
$1$mERr$jegsBINbJe1/UUQKc.NUC1