Tribbles(config)#username fuzzy privilege 15 ?
[snip]
password Specify the password for the user
privilege Set user privilege level
secret Specify the secret for the user
[snip]
What the heck is a secret? Perhaps an alternate rendering of this context sensitive help would be useful:
Tribbles(config)#username fuzzy privilege 15 ?
[snip]
password Specify the password for the user, which will not be encrypted, but just obfuscated by an easily reversible algorithm. Don't forget to run 'service password-encryption' or it will be in clear text. Srsly!
privilege Set user privilege level. Use 0 in combination with 'password'
secret Specify the super secret password that will be securely hashed with MD5 for the user. Different than the enable secret, FWIW.
[snip]
Oh yeah, and don't do this (although it will be securely stored):
Tribbles(config)#username fuzzy privilege 15 secret password INF3$T3D
Or this (trailing space):
Tribbles(config)#username fuzzy privilege 15 password Tr@ling_space
Tribbles(config)#service password-encryption
These show up in the config afterwards as:
username fuzzy privilege 15 secret 5 $1$wG8o$dbS1qR62s1JRvyQ9yTRr90
username fuzzy privilege 15 password 7 06321D014047071E3A04020A0F016A
Without the trailing space, the second entry will show up as:
username fuzzy privilege 15 password 7 1331053207050A2D143738323627
Cisco type 7 "encryption" is not really hashing at all: it is easily reversible, and Cisco itself discourages relying on it.
Note: If you have a spare moment, decipher the Cisco 7 string on their KB page above to see what they really think of us :)
Now you are thinking "This is all well and good, and surprisingly well-written and entertaining, but I use a RADIUS/TACACS server. I don't need to worry about this...right?"
Cisco does recommend the use of RADIUS/TACACS+. Just make sure that you read the docs when creating the AAA policy (put the network authentication source before 'local').
Tribbles(config)#aaa authentication login test tacacs+ local
It is crucial to understand how IOS processes authentication attempts:
- With a network service listed before local, IOS first attempts to reach the authentication server.
- If it is reachable, the credentials are processed there. If the user is found (regardless of whether the credentials are correct), the process will not continue to lower priority methods.
- If the user is not found, or if the network resource is unavailable, IOS continues down the list of aaa authentication methods.
Based on my (brief) testing it appears IOS 12.4 does add MD5 salt to the secrets; this may create some problems when auditing configurations:
Tribbles(config)#username salt secret pepper
Tribbles(config)#username seasalt secret pepper
Tribbles(config)#do sh run | i username
username salt secret 5 $1$L8kO$d0ZWXWnTOzcJ5Q43OqR2x1
username seasalt secret 5 $1$LZEf$RSfqWT3OZtb1xW.oXsNiA.
In closing:
- be sure to rotate your passwords regularly, especially your local 'rescue' passwords
- check that your AAA authentication order is correct
- replace all Cisco 7 hashes with secrets (and change the passwords)
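The closing checklist can be turned into a quick config audit. The script below is an added example (not from the original post): it walks a 'show run' fragment, flags type 7 and clear-text username passwords, checks that type 5 secrets carry distinct salts (the 12.4 behaviour shown above), and checks that 'local' does not precede the network method in an aaa login list. The sample config reuses the lines from the post plus two constructed entries (user "rescue" and list "oops") added as assumptions.

```python
import re

# Constructed sample config: the 'show run' lines from the post plus two entries
# added here as assumptions (a clear-text user and an AAA list with 'local' first).
SAMPLE_CONFIG = """\
username fuzzy privilege 15 secret 5 $1$wG8o$dbS1qR62s1JRvyQ9yTRr90
username fuzzy privilege 15 password 7 06321D014047071E3A04020A0F016A
username salt secret 5 $1$L8kO$d0ZWXWnTOzcJ5Q43OqR2x1
username seasalt secret 5 $1$LZEf$RSfqWT3OZtb1xW.oXsNiA.
username rescue privilege 15 password 0 letmein
aaa authentication login test tacacs+ local
aaa authentication login oops local group radius
"""

USER_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+\d+)?\s+(password|secret)\s+(?:(\d)\s+)?(\S+)")
AAA_RE = re.compile(r"^aaa authentication login\s+(\S+)\s+(.+)$")
NETWORK_METHODS = {"tacacs+", "radius", "group"}  # 'group' covers 'group tacacs+/radius/<name>'


def audit_config(text):
    """Return (name, finding) pairs, in config order, for one IOS config."""
    findings = []
    salts_seen = {}  # salt -> first user with it; a reused salt means no per-user salting
    for line in text.splitlines():
        line = line.strip()
        m = USER_RE.match(line)
        if m:
            user, kind, enc, value = m.groups()
            if kind == "password" and enc == "7":
                findings.append((user, "type 7: reversible obfuscation, replace with a secret"))
            elif kind == "password":
                findings.append((user, "type 0: clear-text password"))
            elif value.startswith("$1$"):  # secret 5 is md5crypt: $1$<salt>$<hash>
                salt = value.split("$")[2]
                if salt in salts_seen:
                    findings.append((user, f"type 5 salt reused with user {salts_seen[salt]}"))
                salts_seen.setdefault(salt, user)
            continue
        m = AAA_RE.match(line)
        if m:
            name, methods = m.group(1), m.group(2).split()
            net = [i for i, x in enumerate(methods) if x in NETWORK_METHODS]
            if not net:
                findings.append((name, "aaa: no network (TACACS+/RADIUS) method in list"))
            elif "local" in methods and methods.index("local") < net[0]:
                findings.append((name, "aaa: 'local' listed before the network method"))
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` reports the type 7 entry for fuzzy, the clear-text rescue user and the mis-ordered "oops" list, while the two distinct-salt secrets pass.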
More on this from the Junos point of view later.