Encrypting Passwords
Problem
You want to encrypt passwords so that they do not appear in plain text in the router configuration file.
Solution
To enable password encryption on a router, use the service password-encryption configuration command:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#enable password oreilly
Router1(config)#line vty 0 4
Router1(config-line)#password cookbook
Router1(config-line)#line con 0
Router1(config-line)#password cookbook
Router1(config-line)#line aux 0
Router1(config-line)#password cookbook
Router1(config-line)#exit
Router1(config)#service password-encryption
Router1(config)#end
Router1#
Tip
This command uses a weak, reversible encryption method to encipher VTY and enable passwords. Please see Recipe 3.5 for more details.
Discussion
By default, the router stores all passwords in clear text and presents them in a human-readable format when you look at the router’s configuration. The service password-encryption command encrypts the passwords by using the Vigenere encryption algorithm. Unfortunately, the Vigenere encryption method is cryptographically weak and trivial to reverse, as we will illustrate in Recipe 3.5.
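As an added example (not part of the original recipe), the Python audit below reads a saved configuration and reports whether service password-encryption is on and which password statements are stored in clear text or in the reversible type 7 form, without ever echoing the password itself. The sample configurations are constructed to mirror the session above, and the type 7 strings in them are made-up placeholders; the function and variable names are this example's own.

```python
import re

# Constructed sample configs mirroring the recipe's session; the type 7
# strings are made-up placeholders, not output from a real router.
BEFORE = """\
no service password-encryption
enable password oreilly
line con 0
 password cookbook
line aux 0
 password cookbook
line vty 0 4
 password cookbook
"""
AFTER = """\
service password-encryption
enable password 7 00112233445566
line con 0
 password 7 0011223344556677
line aux 0
 password 7 0011223344556677
line vty 0 4
 password 7 0011223344556677
"""

# "enable password ..." or a line-level "password ...", with optional type digit.
PASSWORD_RE = re.compile(r"^\s*(?:enable )?password (?:(\d+) )?\S+\s*$")

def audit_config(text):
    """Return (service_enabled, findings); findings never include the secret."""
    service_enabled, context, findings = False, "global", []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() == "service password-encryption":
            service_enabled = True
        if line.startswith("line "):
            context = line.strip()          # e.g. "line vty 0 4"
        elif line and not line.startswith(" "):
            context = "global"              # any other top-level statement
        match = PASSWORD_RE.match(line)
        if match:
            kind = match.group(1)           # None when no type digit is shown
            status = {None: "cleartext", "0": "cleartext",
                      "7": "type 7 (reversible)"}.get(kind, "type " + str(kind))
            findings.append((lineno, context, status))
    return service_enabled, findings

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, *audit_config(cfg))
```

A type 7 finding still deserves attention in a review, since the Discussion notes that the encoding is trivial to reverse.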
However, this functionality is still quite useful to prevent nosy neighbors from viewing passwords over your shoulder. As such, encrypting your passwords is still highly recommended in spite of the known weaknesses. You should be aware of the inherent weaknesses of this encryption scheme when ...