OSPF_Base_Topology

I have the above network configured,  but again will just use R1 and R5 for the discussion and examples of router output and configuration, as I am a walking zombie today due to lack of sleep and life stuff.

Speaking of life stuff, I said I was thinking about pushing my date out for CCNP ROUTE, and I got an email notification shortly after notifying me my test center I’ve always gone to is shutting down the week before my exam date so I had to reschedule it – So be careful what you wish for 🙂 4/28 is the new date that I pass this exam and move onto SWITCH.

This will be brief, as it’s really CCNA refresher material, but if you haven’t taken the CCNA in years like myself then it’s good to know the command syntax and options.

That being said, lets start with the most basic password concepts and end on the least:

  • Enable password vs Secret – Enable secret will still be preferred over the enable password when prompted for a password for user exec in IOS 15.x
  • Password must be enabled on the VTY lines or connection will be refused
  • “service password-encryption” encrypts all current and future passwords in clear test in the router running configuration
  • Must configure “login” if only setting a password, and use “login local” to enable the use of username and password local database to log in

Speaking of local username / password database, lets configure a few usernames here to demonstrate “login local” as mentioned above briefly. Now generally in any show run you just see “login” on my vty lines, because in a lab environment that is ok, but real world you may want to have a username and password combination for router access.

Still on 15.x IOS, the username does still appear when you type it, but the password does not. So lets get to the configuration of our two users, the bobs:

R1(config)#username the password bobs
R1(config)#user bobs ?
  aaa                  AAA directive
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user’s number of inbound links
  view                 Set view name
  <cr>

R1(config)#user bobs privilege ?
  <0-15>  User privilege level

R1(config)#user bobs privilege 15 ?
  aaa                  AAA directive
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user’s number of inbound links
  view                 Set view name
  <cr>

R1(config)#user bobs privilege 15 password the

So the first username as you can see at the top, I just typed “username the password bobs” and it’s really just as easy as that to configure a user, however for ‘bobs the’ I let the ? output flow because there are some very weird command modifiers I want to be known.

For example after I entered the priv 15, we can enter “nopassword” or “secret” for the user, as well as even restricting the username by “access-class” which we all know from the last post is an ACL to lock down incoming connections! However I took the slacker road and just entered a username and password.

So lets look at the show run currently for this bad boy, and I’ll highlight in red all the security derps we have going on in it:

R1# sh run
Building configuration…

Current configuration : 1462 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$aHDM$YMgDe3WXGwGCHctjWlGr71
enable password CCNA
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username the password 0 bobs
username bobs privilege 15 password 0 the
!
!
!
!
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 172.12.123.1 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 172.12.123.2 122 broadcast
 frame-relay map ip 172.12.123.3 123 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type cisco
!
interface FastEthernet0/1
 ip address 172.12.15.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 172.12.13.1 255.255.255.252
 clock rate 2000000
!
router ospf 1
 log-adjacency-changes
 area 34 virtual-link 44.44.44.1
 network 1.1.1.1 0.0.0.0 area 1
 network 172.12.15.0 0.0.0.255 area 15
 network 172.12.123.0 0.0.0.255 area 0
!
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password CCNP
 logging synchronous
 login
!
!
end

R1#

First we do not have the service “password-encryption” running, so you can see all non-secret (almost every) password because they are in plain text.

A never ending exec mode timeout can lead to leaving sessions open, and allowing others to stumble upon an open router at it’s prompt, or use it to get around time based ACL’s (as discussed in the last post).

Another issue with the vty lines, is they are using telnet so all data is transferred in plain text INCLUDING THE PASSWORD TO LOGIN, but it is also using a single password instead of the local username / password database.

So lets tighten some things up:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#service password-encryption
R1(config)#do sh run | i username
username the password 7 094E410B0A
username bobs privilege 15 password 7 105A011C
R1(config)#

After enabling password-encryption in global config, a sh run | i username shows they are now encrypted in the running configuration, and in case you are wondering the pipe include ( | i ) will only give you output with the keyword or number you specify after it.

So lets make sure even though service password-encryption is running, that the secret takes precedence as the password used for enable:

R5#telnet 172.12.15.1
Trying 172.12.15.1 … Open

User Access Verification

Password:  <—- Set on VTY lines as CCNP (about to change that)
R1>en
Password:   <—- Tried CCNA
Password:   <—- Tried CCNP
R1#

So lets first change this so that we are using usernames and password combinations at the least:

R1(config)#
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#^Z
R1#
*Mar  1 23:09:21.103: %SYS-5-CONFIG_I: Configured from console by console
R1#
ASR#2
[Resuming connection 2 to r5 … ]

R5#telnet 172.12.15.1
Trying 172.12.15.1 … Open

User Access Verification

Username: the
Password:
R1>en
Password:   <—- CCNA
Password:   <—- CCNP
R1#

Now I’m having too much fun with the enable secret precedence. As seen, “the” is visible while “bobs” is not, so that is how that goes. However, that priv 15 should kick us straight into user exec mode when telnet’ing in, lets check it out:

R1#exit

[Connection to 172.12.15.1 closed by foreign host]
R5#telnet 172.12.15.1
Trying 172.12.15.1 … Open

User Access Verification

Username: bobs
Password:
R1#

And that it did, right into user exec mode. We are going in the right direction, but we need to take care of using telnet to log into the router, as we are security minded CCNP candidates.

This takes actually a couple steps and we’ve already taken care of one of them by forcing the login local for remote connections, as ssh requires a username / password whether its an AAA server doing authentication or whether its authentication LOCAL.

The next step is defining on the vty lines, what kind of remote management protocols you want to allow to access those lines:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#line vty 0 4
R1(config-line)#transport ?
  input      Define which protocols to use when connecting to the terminal
             server
  output     Define which protocols to use for outgoing connections
  preferred  Specify the preferred protocol to use

R1(config-line)#transport input ?
  all     All protocols
  lat     DEC LAT protocol
  mop     DEC MOP Remote Console Protocol
  none    No protocols
  pad     X.3 PAD
  rlogin  Unix rlogin protocol
  ssh     TCP/IP SSH protocol
  telnet  TCP/IP Telnet protocol
  udptn   UDPTN async via UDP protocol
  v120    Async over ISDN

R1(config-line)#transport input ssh
R1(config-line)#exit
R1(config)#exit
R1#exit

[Connection to 172.12.15.1 closed by foreign host]
R5#

Oddly I kind of expected it to kill my telnet connection to it from R5, but perhaps because the TCP connection was already made, you must wait for it to break and try reconnecting for the limitation or rule to kick in which seems to be a universal rule with TCP connections:

R5#telnet 172.12.15.1
Trying 172.12.15.1 …
% Connection refused by remote host

R5#

And so it is, TCP connections will maintain their connection until torn down, newly added configs during the duration of the connection will not effect the TCP connection(s).

However we are not done with the SSH setup yet, it requires for a domain name to be added to the router, along with a crypto key to be generated:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip domain ?
  list         Domain name to complete unqualified host names
  lookup       Enable IP Domain Name System hostname translation
  multicast    Define the domain name for multicast address lookups
  name         Define the default domain name
  retry        Specify times to retry sending a DNS query
  round-robin  Round-robin multiple IP addresses in cache
  timeout      Specify timeout waiting for response to a DNS query

R1(config)#ip domain-name ?
  WORD  Default domain name
  vrf   Specify VRF

R1(config)#ip domain-name loopedback.com
R1(config)#crypto key generate ?
  rsa  Generate RSA keys
  <cr>

R1(config)#crypto key generate rsa
The name for the keys will be: R1.loopedback.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]

R1(config)#
*Mar  1 23:22:59.697: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#

As you can see by that last console message, we now have ssh success! Now a couple things, you would of course use the local domain name of the network the router is an edge device on, also the crypto key size can be 512 (and is by default) but should be made to at least 1024 bit encryption in the real world (at very least) so I did here.

So lets see if you can ssh from router to router, I’m not sure if I have actually ever tried:

R5#ssh 172.12.15.1
% No user specified nor available for SSH client
R5#ssh ?
  -c    Select encryption algorithm
  -l    Log in using this user name
  -m    Select HMAC algorithm
  -o    Specify options
  -p    Connect to this port
  -v    Specify SSH Protocol Version
  -vrf  Specify vrf name
  WORD  IP address or hostname of a remote system

R5#telnet ?
  WORD  IP address or hostname of a remote system
  <cr>

R5#ssh -l ?
  WORD  Login name

R5#ssh -l the ?
  -c    Select encryption algorithm
  -m    Select HMAC algorithm
  -o    Specify options
  -p    Connect to this port
  -v    Specify SSH Protocol Version
  -vrf  Specify vrf name
  WORD  IP address or hostname of a remote system

R5#ssh -l the 172.12.15.1

Password:

R1>

Huh, I didn’t think I’d figure it out that easy. So “ssh -l (username) (remote IP)” and you will be prompted for your password and get logged in. I have never configured that before, that is very good to know.

That’s going to do it for passwords, I am officially fried, thee ya!