Converting from plain text to encoded/encrypted passwords

On a 2924 switch with 12.0(5)WC9, I originally set it up "simple" with plain text password definitions such as :

no service password-encryption
enable password chocolate
username vanilla

line vty 0 15 password bananasplit

I would like to convert this to something like:

service password-encryption
enable secret 5 $1$B31b$s5az6X3ZACd5D9w5v294b/
enable password 7 04591E125E361D1F580D461C415A18

line vty 0 15 password 7 15054858472278672C

After I had factory-reset the switch, I recall following a config script that gave me the option of encrypted passwords, but I didn't use it. And now that my switch is otherwise configured, I would like to switch to encrypted passwords without interrupting the service to the various nodes connected to the switch. Is this possible?

Which commands should I be looking at?

Reply to
JF Mezei

You already mentioned it:

service password-encryption

Regards

fw

Reply to
Frank Winkler

Found out the hard way that this is not enough. One needs to set the "seed" *first* with an:

enable secret 0 aLovelySentenceThatActsAsASeed

What happened is that I did the service password-encryption first, and it then encrypted the various passwords with (I guess) a default seed.

Then, when I found out about the enable secret command, it accepted it, but did not update the already encrypted passwords except for the exec mode one. As a result, the stored passwords could not be matched since the encryption seed was now different.

Restoring the old config did not work because that did not zap the "enable secret" command. (Reminder to include a "no enable secret" command in the stored configuration to ensure that "copy stored-config running-config" will not leave the "enable secret" active.)

I had to reboot the switch (which hung 2 nodes on the cluster, and forced a crash for the other 2). Unfortunately, the serial line was on a hung node and the serial port went into hardware "XOFF" mode since that node wasn't processing data, and the switch would only boot partway and then freeze. Had to disconnect the serial cable to let it boot properly.

I will not attempt this again, doing first a:

enable secret

and then

service password-encryption

But before that, I must add a no enable secret to the stored config so that I can restore function from a still active telnet session without rebooting the switch.

Oh well, one learns every day...

Reply to
JF Mezei

OK, I have begun to read the fantastic manual at

formatting link
and realised I was way off base :-) But the doc there should give me enough information to get my passwords hidden in gibberish AND be usable.

Reply to
JF Mezei

A few questions:

I seem to recall that upon running the initial configuration script after renaming config.text to some other name, I was prompted for some encryption seed. At the time I didn't pay much attention, so perhaps I recall incorrectly. Is there such a beast on IOS?

Also, if I have

enable secret level 15 chocolate
enable password level 15 vanilla

does the "vanilla" password play any role? Or does the "enable" command validate only against the "secret" password when the latter is present?

The documentation mentions that the two should not be the same, but I didn't quite understand their respective role when both are present in a configuration file.

(In the end, the first response was right: service encrypted-password was the only command needed to make the passwords unreadable in the text files.)

Reply to
JF Mezei
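As an added example (not from this thread, and not Cisco's code), a small Python audit that reads a running-config and classifies each password statement the way the replies above distinguish them: "enable secret 5" is a hash, "password 7" is only obfuscated and reversible, and type 0 or untyped values are plaintext. The config it parses is constructed for the example; the "enable secret" precedence check answers the question about "secret" versus "password" when both are present.

```python
import re

# Constructed sample running-config (not the thread's own): enable secret 5,
# password 7, type 0, and a bare plaintext line password, all in one file.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$EXAMPLE$placeholder-md5crypt-hash
enable password 7 0123456789ABCDEF
username vanilla password 0 plaintextvalue
line con 0
 password 7 FEDCBA9876543210
line vty 0 15
 password bananasplit
"""

# Matches enable secret/password [level N] [type] <value>, username X password
# [type] <value>, and the bare "password ..." statement inside a "line" block.
PASSWORD_RE = re.compile(
    r"^(?:enable |username \S+ )?(?:secret|password)"
    r"(?: level \d+)?(?: (?P<type>[057]))? (?P<value>\S+)$"
)
VERDICTS = {
    "5": "hashed (type 5, MD5-crypt): not recoverable from the config file",
    "7": "reversible (type 7 obfuscation): treat as plaintext when judging risk",
    "0": "plaintext (type 0)",
    None: "plaintext (no type code)",
}


def audit_config(config_text):
    """Return (context, line, verdict) for every password statement in the config."""
    findings, context, encrypting = [], "global", False
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):  # IOS indents nested lines; unindented = top level
            context = raw.strip() if raw.startswith("line ") else "global"
        line = raw.strip()
        if line == "service password-encryption":
            encrypting = True
            continue
        if not (m := PASSWORD_RE.match(line)):
            continue
        verdict = VERDICTS[m.group("type")]
        if m.group("type") in (None, "0") and encrypting:
            verdict += "; service password-encryption is on, so IOS stores it as type 7"
        findings.append((context, line, verdict))
    return findings


def has_enable_secret(findings):
    """'enable secret' takes precedence over 'enable password' when both are set."""
    return any(line.startswith("enable secret 5 ") for _, line, _ in findings)
```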
