Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

enable secret vs enable password 1

Status
Not open for further replies.
ncolsgk

ncolsgk

IS-IT--Management
Joined
Apr 2, 2007
Messages
98
Location
US
Whats the difference?
 
Sort by date Sort by votes
enable uses a much weaker encryption algorithm.
 
Upvote 0 Downvote
The simple enable password is easily cracked. The secret uses the MD5 algorithm, which is irreversible, hence non-"crackable"...yet, anyway.lol

Burt
 
Upvote 0 Downvote
thx!

And is it possible to disconnect other sessions that have logged into the router? How can I see who is connected?
 
Upvote 0 Downvote
Interesting, I thought you could disconnect other telnet sessions, but I can't seem to get anything to work. I thought it was 'disconnect' and then the session - anybody else?
 
Upvote 0 Downvote
Isn't it that weird key combo, like ctrl-x-6 or something? Now I have to research this...lol

Burt
 
Upvote 0 Downvote
Clear lin vty X ,where x is the vty session number.
 
Upvote 0 Downvote
CLEAR! That's the one.

"systat" or "who" will give you output like this:

Line User Host(s) Idle Location
* 1 vty 0 idle 00:00:00 xxx.xxx.xxx.xxx
2 vty 1 idle 00:00:05 xxx.xxx.xxx.xxx

The number after vty is the session number.

Have a star vipergg.
 
Upvote 0 Downvote
I believe a 'show user' will also show you who else is connected to the router (including your own session).
 
Upvote 0 Downvote
Hi,

I suggest you also configure service password-encryption, as a security measure.This encrypts all the passwords on the router with a weak encryption so as not to see passwords in clear text when you do show run
And also use telnet only in secure network, because telnet is very easy to eavesdrop (everything is in clear text)

Sorry for the offtopic :)

Best regards,

G
 
Upvote 0 Downvote
The enable secret password is not shown in clear text no matter what---service password encryption also makes the CPU constantly work.

Burt
 
Upvote 0 Downvote
thx for the feedback! great stuff!
 
Upvote 0 Downvote
service password-encryption doesn't make the CPU work constantly. It simply ensures that no passwords are ever displayed in cleartext. Perhaps you meant to say that it make the CPU work slightly harder when displaying a config?
 
Upvote 0 Downvote
I thought I read somewhere in one of Todd Lammle's books (CCSP) that it constantly works when this is enabled. I will look and quote what I read here in a little while.

Burt
 
Upvote 0 Downvote
Yes, here it is---in CCSP:Securing Cisco IOS Networks, by Todd Lammle and Carl Timm, CCIE#7149, page 43...
"At this point, turn off the service password-encryption command by using the no service password-encryption command as follows because the service password-encryption command is still running in the backround, and no one needs any extra threads taking up CPU cycles:"

Burt
 
Upvote 0 Downvote
Sounded pretty interesting, so I tried this out on a 3550. Turned off service password-encryption and checked cpu util (this switch is not in service, just sitting on my desk, so there would be no variation in traffic or anything), turned service password-encryption back on and there was no difference in the cpu utilization.

What Burt said seems logical, after all, it is a "service" that is running, but it doesn't appear to have an effect on a 3550 running a very basic config.

Then again, the CCSP is focused highly on security, so maybe used in conjunction with other configurations/commands, service password-encryption would put a higher load on the processor.
 
Upvote 0 Downvote
I'm pretty sure it isn't a service that is running, though. These aren't like Windows services or *nix daemons. It is only relevant when you attempt to display a config. The encryption engine is activated at that point in order to conceal passwords that otherwise would have been displayed in plain text. I'd bet my left small toe that Todd is wrong about this. If you're not displaying a config, this alleged service would have nothing to do and would not be taking up CPU cycles anyway.

If what Lammle says is true, there should be an extra process listed in "show proc cpu" after you enable this feature. I just did a before and after look at my process list and I have 251 processes running whether or not password encryption is enabled.
 
Upvote 0 Downvote
I'm also interested to know why they suggest turning off that feature. It costs nothing to leave it on, and it guards against accidentally allowing someone to see passwords, AAA keys, and SNMP community strings in plain text. Can you tell us what his reasoning is?
 
Upvote 0 Downvote
Yeah, I saw the same thing. I see what you mean about it being different from services or daemons on Win/Unix systems; however, I think some sub-commands under "services" do run constantly, and not just when running certain commands; "service timestamps", I would think would be one of those.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

CDIV
  • Locked
  • Question Question
How do I enable SSH access in 2960x
Replies
4
Views
1K
iggsterman
iggsterman
cammy
  • Locked
  • Question Question
Cisco WS-X2948G-GE-TX multicast igmp enable
Replies
2
Views
330
cammy
cammy
iveric
  • Locked
  • Question Question
CISCO IAD 2431. Configuration Register 0x2012 vs 0x2102
Replies
1
Views
499
burtsbees
burtsbees
sidwick30
  • Locked
  • Question Question
Public Server vs. using NAT for STUN / TURN servers
Replies
2
Views
317
burtsbees
burtsbees
veilside
  • Locked
  • Question Question
Configure VRRP with VSS Core switches.
Replies
1
Views
312
VinceWhirlwind
VinceWhirlwind

Part and Inventory Search

Sponsor

Back
Top