I have the above network configured, but again will just use R1 and R5 for the discussion and examples of router output and configuration, as I am a walking zombie today due to lack of sleep and life stuff.
Speaking of life stuff, I said I was thinking about pushing my date out for CCNP ROUTE, and I got an email notification shortly after notifying me my test center I’ve always gone to is shutting down the week before my exam date so I had to reschedule it – So be careful what you wish for 🙂 4/28 is the new date that I pass this exam and move onto SWITCH.
This will be brief, as it’s really CCNA refresher material, but if you haven’t taken the CCNA in years like myself then it’s good to know the command syntax and options.
That being said, lets start with the most basic password concepts and end on the least:
- Enable password vs Secret – Enable secret will still be preferred over the enable password when prompted for a password for user exec in IOS 15.x
- Password must be enabled on the VTY lines or connection will be refused
- “service password-encryption” encrypts all current and future passwords in clear test in the router running configuration
- Must configure “login” if only setting a password, and use “login local” to enable the use of username and password local database to log in
Speaking of local username / password database, lets configure a few usernames here to demonstrate “login local” as mentioned above briefly. Now generally in any show run you just see “login” on my vty lines, because in a lab environment that is ok, but real world you may want to have a username and password combination for router access.
Still on 15.x IOS, the username does still appear when you type it, but the password does not. So lets get to the configuration of our two users, the bobs:
R1(config)#username the password bobs
R1(config)#user bobs ?
aaa AAA directive
access-class Restrict access by access-class
autocommand Automatically issue a command after the user logs in
callback-dialstring Callback dialstring
callback-line Associate a specific line with this callback
callback-rotary Associate a rotary group with this callback
dnis Do not require password when obtained via DNIS
nocallback-verify Do not require authentication after callback
noescape Prevent the user from using an escape character
nohangup Do not disconnect after an automatic command
nopassword No password is required for the user to log in
password Specify the password for the user
privilege Set user privilege level
secret Specify the secret for the user
user-maxlinks Limit the user’s number of inbound links
view Set view name
<cr>
R1(config)#user bobs privilege ?
<0-15> User privilege level
R1(config)#user bobs privilege 15 ?
aaa AAA directive
access-class Restrict access by access-class
autocommand Automatically issue a command after the user logs in
callback-dialstring Callback dialstring
callback-line Associate a specific line with this callback
callback-rotary Associate a rotary group with this callback
dnis Do not require password when obtained via DNIS
nocallback-verify Do not require authentication after callback
noescape Prevent the user from using an escape character
nohangup Do not disconnect after an automatic command
nopassword No password is required for the user to log in
password Specify the password for the user
privilege Set user privilege level
secret Specify the secret for the user
user-maxlinks Limit the user’s number of inbound links
view Set view name
<cr>
R1(config)#user bobs privilege 15 password the
So the first username as you can see at the top, I just typed “username the password bobs” and it’s really just as easy as that to configure a user, however for ‘bobs the’ I let the ? output flow because there are some very weird command modifiers I want to be known.
For example after I entered the priv 15, we can enter “nopassword” or “secret” for the user, as well as even restricting the username by “access-class” which we all know from the last post is an ACL to lock down incoming connections! However I took the slacker road and just entered a username and password.
So lets look at the show run currently for this bad boy, and I’ll highlight in red all the security derps we have going on in it:
R1# sh run
Building configuration…
Current configuration : 1462 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$aHDM$YMgDe3WXGwGCHctjWlGr71
enable password CCNA
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username the password 0 bobs
username bobs privilege 15 password 0 the
!
!
!
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 172.12.123.1 255.255.255.0
encapsulation frame-relay
frame-relay map ip 172.12.123.2 122 broadcast
frame-relay map ip 172.12.123.3 123 broadcast
no frame-relay inverse-arp
frame-relay lmi-type cisco
!
interface FastEthernet0/1
ip address 172.12.15.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1
ip address 172.12.13.1 255.255.255.252
clock rate 2000000
!
router ospf 1
log-adjacency-changes
area 34 virtual-link 44.44.44.1
network 1.1.1.1 0.0.0.0 area 1
network 172.12.15.0 0.0.0.255 area 15
network 172.12.123.0 0.0.0.255 area 0
!
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password CCNP
logging synchronous
login
!
!
end
R1#
First we do not have the service “password-encryption” running, so you can see all non-secret (almost every) password because they are in plain text.
A never ending exec mode timeout can lead to leaving sessions open, and allowing others to stumble upon an open router at it’s prompt, or use it to get around time based ACL’s (as discussed in the last post).
Another issue with the vty lines, is they are using telnet so all data is transferred in plain text INCLUDING THE PASSWORD TO LOGIN, but it is also using a single password instead of the local username / password database.
So lets tighten some things up:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#service password-encryption
R1(config)#do sh run | i username
username the password 7 094E410B0A
username bobs privilege 15 password 7 105A011C
R1(config)#
After enabling password-encryption in global config, a sh run | i username shows they are now encrypted in the running configuration, and in case you are wondering the pipe include ( | i ) will only give you output with the keyword or number you specify after it.
So lets make sure even though service password-encryption is running, that the secret takes precedence as the password used for enable:
R5#telnet 172.12.15.1
Trying 172.12.15.1 … Open
User Access Verification
Password: <—- Set on VTY lines as CCNP (about to change that)
R1>en
Password: <—- Tried CCNA
Password: <—- Tried CCNP
R1#
So lets first change this so that we are using usernames and password combinations at the least:
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#^Z
R1#
*Mar 1 23:09:21.103: %SYS-5-CONFIG_I: Configured from console by console
R1#
ASR#2
[Resuming connection 2 to r5 … ]
R5#telnet 172.12.15.1
Trying 172.12.15.1 … Open
User Access Verification
Username: the
Password:
R1>en
Password: <—- CCNA
Password: <—- CCNP
R1#
Now I’m having too much fun with the enable secret precedence. As seen, “the” is visible while “bobs” is not, so that is how that goes. However, that priv 15 should kick us straight into user exec mode when telnet’ing in, lets check it out:
R1#exit
[Connection to 172.12.15.1 closed by foreign host]
R5#telnet 172.12.15.1
Trying 172.12.15.1 … Open
User Access Verification
Username: bobs
Password:
R1#
And that it did, right into user exec mode. We are going in the right direction, but we need to take care of using telnet to log into the router, as we are security minded CCNP candidates.
This takes actually a couple steps and we’ve already taken care of one of them by forcing the login local for remote connections, as ssh requires a username / password whether its an AAA server doing authentication or whether its authentication LOCAL.
The next step is defining on the vty lines, what kind of remote management protocols you want to allow to access those lines:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#line vty 0 4
R1(config-line)#transport ?
input Define which protocols to use when connecting to the terminal
server
output Define which protocols to use for outgoing connections
preferred Specify the preferred protocol to use
R1(config-line)#transport input ?
all All protocols
lat DEC LAT protocol
mop DEC MOP Remote Console Protocol
none No protocols
pad X.3 PAD
rlogin Unix rlogin protocol
ssh TCP/IP SSH protocol
telnet TCP/IP Telnet protocol
udptn UDPTN async via UDP protocol
v120 Async over ISDN
R1(config-line)#transport input ssh
R1(config-line)#exit
R1(config)#exit
R1#exit
[Connection to 172.12.15.1 closed by foreign host]
R5#
Oddly I kind of expected it to kill my telnet connection to it from R5, but perhaps because the TCP connection was already made, you must wait for it to break and try reconnecting for the limitation or rule to kick in which seems to be a universal rule with TCP connections:
R5#telnet 172.12.15.1
Trying 172.12.15.1 …
% Connection refused by remote host
R5#
And so it is, TCP connections will maintain their connection until torn down, newly added configs during the duration of the connection will not effect the TCP connection(s).
However we are not done with the SSH setup yet, it requires for a domain name to be added to the router, along with a crypto key to be generated:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip domain ?
list Domain name to complete unqualified host names
lookup Enable IP Domain Name System hostname translation
multicast Define the domain name for multicast address lookups
name Define the default domain name
retry Specify times to retry sending a DNS query
round-robin Round-robin multiple IP addresses in cache
timeout Specify timeout waiting for response to a DNS query
R1(config)#ip domain-name ?
WORD Default domain name
vrf Specify VRF
R1(config)#ip domain-name loopedback.com
R1(config)#crypto key generate ?
rsa Generate RSA keys
<cr>
R1(config)#crypto key generate rsa
The name for the keys will be: R1.loopedback.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
R1(config)#
*Mar 1 23:22:59.697: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#
As you can see by that last console message, we now have ssh success! Now a couple things, you would of course use the local domain name of the network the router is an edge device on, also the crypto key size can be 512 (and is by default) but should be made to at least 1024 bit encryption in the real world (at very least) so I did here.
So lets see if you can ssh from router to router, I’m not sure if I have actually ever tried:
R5#ssh 172.12.15.1
% No user specified nor available for SSH client
R5#ssh ?
-c Select encryption algorithm
-l Log in using this user name
-m Select HMAC algorithm
-o Specify options
-p Connect to this port
-v Specify SSH Protocol Version
-vrf Specify vrf name
WORD IP address or hostname of a remote system
R5#telnet ?
WORD IP address or hostname of a remote system
<cr>
R5#ssh -l ?
WORD Login name
R5#ssh -l the ?
-c Select encryption algorithm
-m Select HMAC algorithm
-o Specify options
-p Connect to this port
-v Specify SSH Protocol Version
-vrf Specify vrf name
WORD IP address or hostname of a remote system
R5#ssh -l the 172.12.15.1
Password:
R1>
Huh, I didn’t think I’d figure it out that easy. So “ssh -l (username) (remote IP)” and you will be prompted for your password and get logged in. I have never configured that before, that is very good to know.
That’s going to do it for passwords, I am officially fried, thee ya!
The DEVNET GRIND! 