North American Network Operators Group


Re: ABOVE.NET SECURITY TRUTHS?

  • From: Danny McPherson
  • Date: Sun Apr 30 22:34:22 2000

> As you pointed out to Barry Greene and myself previously, the "aaa 
> accounting" command as below will log commands typed in at "enable" level. 
> So, if you are changing the onboard router password, yes, you will see the 
> new password in your accounting logs, in clear text.
> 
> However, I don't consider it good practice to keep any critical passwords 
> on a router when an authentication mechanism such as TACACS+ is in place.

Unfortunately, auth servers fail and you have to keep VTY and fallback 
passwords locally configured on the router.

> Also, if I was modifying the onboard enable secret (last resort password 
> when TACACS+ or Radius is configured) at any stage, I'd tftp-load the 
> configuration from a remote server, not ever type it in live.

I don't see how this actually changes anything though, aren't tftp'd files
authorized (and therefore, logged) in a similar manner?

And as wonderful as it sounds, it's not always possible in real networks.

However, entering the encrypted *enable* password (w/level) would accommodate
this.  Though, of course, the BGP TCP MD5 stuff and the VTY passwords (and
most other passwords) still don't support the ~non-reversible encryption 
algorithm.

As for this entire thread, it seems now to be more appropriate for cisco-nsp
or the like.

-danny
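As an added example, not part of the thread: the log-side mitigation for the point above that "aaa accounting" records a locally set password in clear text. It scrubs the credential value out of constructed TACACS+ command-accounting records before they are stored and flags the ones where the value was typed without a non-reversible encryption type. The record layout, the sample lines and the <REDACTED> marker are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample accounting records (assumed layout, not real log data).
# The cmd= field holds the command as typed at enable level, so a freshly
# set fallback password lands in the log verbatim.
SAMPLE_RECORDS = [
    "Apr 30 22:34:22 rtr1 danny tty2 10.0.0.5 stop task_id=41 service=shell priv-lvl=15 cmd=show ip bgp summary <cr>",
    "Apr 30 22:35:01 rtr1 danny tty2 10.0.0.5 stop task_id=42 service=shell priv-lvl=15 cmd=enable secret NewFallback1! <cr>",
    "Apr 30 22:35:30 rtr1 danny tty2 10.0.0.5 stop task_id=43 service=shell priv-lvl=15 cmd=neighbor 192.0.2.1 password bgpkey99 <cr>",
    "Apr 30 22:36:12 rtr1 danny tty2 10.0.0.5 stop task_id=44 service=shell priv-lvl=15 cmd=username ops secret OpsPass2 <cr>",
    "Apr 30 22:36:40 rtr1 danny tty2 10.0.0.5 stop task_id=45 service=shell priv-lvl=15 cmd=enable secret 5 $1$abcd$xyz123 <cr>",
]

# Isolate the command text between "cmd=" and the trailing "<cr>".
_CMD_RE = re.compile(r"cmd=(?P<cmd>.*?)\s*<cr>\s*$")

# IOS-style credential keywords ("secret"/"password", optionally followed by
# "level N"), an optional encryption type (0 clear, 5 MD5 hash, 7 reversible)
# and the credential value itself.
_CRED_RE = re.compile(
    r"\b(?P<kw>(?:secret|password)(?:\s+level\s+\d+)?)\s+"
    r"(?:(?P<type>[057])\s+)?(?P<value>\S+)"
)


def scrub_record(record: str) -> Tuple[str, bool]:
    """Return (redacted record, clear_text_seen).

    clear_text_seen is True when the credential was entered with no
    encryption type, type 0, or the reversible type 7; only a type 5 hash
    is treated as already non-reversible, matching the thread's point that
    entering the encrypted enable secret keeps clear text out of the log.
    """
    m = _CMD_RE.search(record)
    if not m:
        return record, False
    clear_seen = False

    def _redact(cm: "re.Match[str]") -> str:
        nonlocal clear_seen
        etype = cm.group("type")
        if etype in (None, "0", "7"):
            clear_seen = True
        prefix = f"{etype} " if etype else ""
        return f"{cm.group('kw')} {prefix}<REDACTED>"

    new_cmd = _CRED_RE.sub(_redact, m.group("cmd"))
    return record[: m.start("cmd")] + new_cmd + record[m.end("cmd"):], clear_seen


def scrub_all(records: List[str]) -> List[Tuple[str, bool]]:
    """Scrub a batch of records; flagged entries are candidates for an alert."""
    return [scrub_record(r) for r in records]
```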