Configuring Passwords on a Cisco Switch
The first time you attempt to Telnet to the switch, you will be denied because no passwords have been set. Passwords must first be set via the console terminal:
Sw1>enable
Sw1#conf t
Sw1(config)#enable password PassWord
Test the new password by exiting back to User Mode, then attempt to enter Privileged Mode:
Sw1(config)#exit
Sw1#disable
Sw1>enable
Password:
Spaces are allowed in passwords. Example: “Hello World”
Warning!!
This method of setting the password is Legacy. While still supported, it is not recommended.
The problem with the enable password is that it is stored in clear text and can be viewed with the show running-config command:
Sw1#show running-config
Current configuration : 1047 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Sw1
!
enable password PassWord
...
The correct way is to set the password with “enable secret”, which stores a salted hash (the 5 after enable secret in the output) rather than the clear text:
Sw1#conf t
Sw1(config)#enable secret PassWord1
Sw1(config)#exit
Sw1#show running-config
Building configuration...
Current configuration : 1094 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Sw1
!
enable secret 5 $1$mERr$6vfnIkQf0hZSmJZv6YXRj0
enable password PassWord
...
Things to note:
1. The password and the secret cannot be the same.
2. The secret supersedes the password, meaning the password will no longer function.
3. Finally, to remove the password:
Sw1(config)#no enable password
Set a password for the Console Port
Sw1(config)#line console 0
Sw1(config-line)#password PASSWORD
Sw1(config-line)#login
Set a password for Telnet
- vty = Virtual Terminal
- 0 = the first vty line (the first Telnet session)
- 4 = the fifth vty line
- Commands entered under line vty 0 4 apply to all five lines, 0 through 4
Sw1(config)#line vty 0 4
Sw1(config-line)#password PASSWORD
Sw1(config-line)#login
Disable the Telnet Password
Sw1(config)#line vty 0
Sw1(config-line)#no login
Note that no login removes the password check from that line altogether: anyone who can reach the switch over Telnet lands straight in User Mode. Leave this off outside a lab.
Hide all Passwords
Sw1(config)#service password-encryption
This is Level 7 encryption, which only obscures the password and is easily reversed (search for “cisco password crack”). Do not use it in place of the enable secret; it is, however, the only protection available for the console and vty line passwords, so it is still required for them.
Set a Warning Banner
Some type of legal message warning hackers to stay out is important. “Welcome” legally says, “You are welcome to do what you want here.”
Only a basic message saying unauthorized access is prohibited is required for legal purposes.
Login Banner
This only displays with the console session.
Message of the Day
Sw1(config)#banner motd ?
  LINE  c banner-text c, where 'c' is a delimiting character
Sw1(config)#banner motd [
Enter TEXT message.  End with the character '['.
******** Do Not Log On!! ********
[
The problem with Telnet
The primary issue with Telnet is that all data transmitted and received is sent unencrypted. Anyone with a packet sniffer on the path will be able to clearly see everything you type, including the passwords set above!
Understanding SSH
SSH is essentially Telnet with encryption. Compared with Telnet, it:
- Requires a username AND a password, where Telnet requires only a password
- Also requires a domain name, because the RSA key pair used for the encryption is named after HOSTNAME.DOMAIN.COM
Sw1(config)#username USERNAME password PASSWORD
Sw1(config)#ip domain-name DOMAIN.COM
Sw1(config)#crypto key generate rsa
The name for the keys will be: HOSTNAME.DOMAIN.COM
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Sw1(config)#ip ssh version 2
Sw1(config)#line vty 0 4
Sw1(config-line)#transport input ssh
To use ssh with the Cisco Packet Tracer, use the following command:
Pc0>ssh -l USERNAME IP.ADD.RE.SS
Open
Password: PASSWORD
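Everything this page recommends (an enable secret with the legacy enable password removed, service password-encryption turned on, vty lines that prompt for a password and accept only SSH, and a banner that does not say “Welcome”) can be checked from the text of show running-config. The script below is an added example written for this page, not Cisco tooling or anything from the original: it parses a saved configuration into global commands, line sections and banner bodies, then reports the weak settings. Both embedded configurations are constructed samples (the hash values in HARDENED_CONFIG are placeholders), and every function and finding code is the example's own.

```python
# Added example (not Cisco's code): audit 'show running-config' text for the weaknesses this
# page warns about. Both configs are constructed samples; hashes in HARDENED_CONFIG are placeholders.
import re

WEAK_CONFIG = """\
no service password-encryption
enable secret 5 $1$mERr$6vfnIkQf0hZSmJZv6YXRj0
enable password PassWord
username admin password 0 PASSWORD
banner motd [
******** Welcome ********
[
!
line vty 0 4
 password PASSWORD
 no login
 transport input telnet ssh
line vty 5 15
 login
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
username admin secret 5 $1$PLACEHOLDER$yyyyyyyyyyyyyyyyyyyyyy
banner motd [
******** Do Not Log On!! ********
[
line con 0
 password 7 PLACEHOLDERTYPE7
 login
line vty 0 4
 login local
 transport input ssh
"""

def parse_config(text):
    """Return (commands, sections, banners); banner delimiters are one character, as on this page."""
    commands, sections, banners = [], {}, {}
    section = banner = None           # banner = (kind, delimiter, lines) while inside a banner body
    for raw in text.splitlines():
        if banner:
            kind, delim, lines = banner
            if delim in raw:          # closing delimiter ends the banner body
                banners[kind] = "\n".join(lines + [raw.split(delim, 1)[0]]).strip()
                banner = None
            else:
                lines.append(raw)
        elif not raw.strip() or raw.startswith("!"):
            section = None            # '!' separates sections
        elif raw.startswith(" "):
            if section is not None:   # indented: child command of the current line/interface section
                sections[section].append(raw.strip())
        elif m := re.match(r"banner (\w+) (\S)(.*)$", raw):
            kind, delim, rest = m.group(1), m.group(2), m.group(3).strip()
            if delim in rest:         # whole banner on one line
                banners[kind] = rest.split(delim, 1)[0].strip()
            else:
                banner = (kind, delim, [rest] if rest else [])
        else:
            commands.append(raw.rstrip())
            section = raw.rstrip() if raw.startswith(("line ", "interface ")) else None
            if section:
                sections[section] = []
    return commands, sections, banners

def audit(commands, sections, banners):
    """Return (code, message) findings for the settings this page warns against."""
    out = []
    if any(c.startswith("enable password") for c in commands):
        has_secret = any(c.startswith("enable secret") for c in commands)
        out.append(("ENABLE_PASSWORD_LEGACY" if has_secret else "ENABLE_PASSWORD_ONLY",
                    "cleartext 'enable password' is stored; use 'enable secret' then 'no enable password'"))
    if "no service password-encryption" in commands:
        out.append(("NO_PASSWORD_ENCRYPTION", "line and username passwords are stored in clear text"))
    users = [m for m in (re.match(r"username (\S+) (password|secret)", c) for c in commands) if m]
    out += [("USERNAME_PLAINTEXT", f"user '{m.group(1)}' uses 'password'; prefer 'username ... secret'")
            for m in users if m.group(2) == "password"]
    for header, children in sections.items():
        if not header.startswith("line "):
            continue
        if "no login" in children:
            out.append(("LINE_NO_LOGIN", f"{header}: 'no login' skips the password prompt entirely"))
        elif "login" in children and not any(c.startswith("password ") for c in children):
            out.append(("LINE_LOGIN_NO_PASSWORD", f"{header}: 'login' with no password refuses every session"))
        if header.startswith("line vty"):
            transport = next((c for c in children if c.startswith("transport input")), "")
            if not transport or re.search(r"\b(telnet|all)\b", transport):
                out.append(("VTY_TELNET", f"{header}: Telnet is not blocked; set 'transport input ssh'"))
    for kind, text in banners.items():
        if "welcome" in text.lower():
            out.append(("BANNER_WELCOME", f"banner {kind} says 'Welcome'; state that access is prohibited"))
    return out

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(*parse_config(text))
        print(f"{name}: {len(findings)} finding(s)", *(f"  [{c}] {m}" for c, m in findings), sep="\n")
```

Run it as-is to compare the two samples, or feed it the output of show running-config copied from a real switch. The parser relies on two IOS conventions visible in the page's own output: child commands of a line section are indented one space, and a banner's body runs until its delimiting character. Note that the RSA keys generated by crypto key generate rsa never appear in the running-config, so key size cannot be audited this way; check it with show crypto key mypubkey rsa on the device instead.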