
Not possible anymore to copy/paste a preencrypted (Type 9) user/secret

Hi guys,

I'm a bit confused: what worked like a charm for many, many years seems not to work for me anymore, actually for the first time.

I put in a username/secret as follows:

username blabla privilege 15 secret <Cleartextpassword>

Afterwards I take the line from the running config

username blabla privilege 15 secret 9 fsfsfunnyhashedpasswordnln3452

and try to copy it to another routers config, which always worked for me.

Today: I end up in a line 

% Incomplete command.

Or, when I generate the line which I want to copy using

username blabla privilege 15 algorithm-type scrypt secret <Cleartextpassword>

after pasting (the encrypted config line) to another router, I end up with THAT message:

ERROR: The secret you entered is not a valid encrypted secret.

To enter an UNENCRYPTED secret, do not specify type 9 encryption.

When you properly enter an UNENCRYPTED secret, it will be encrypted.

 

I'm aware of the concept of hashes and salts, but should it really not be possible anymore to generate such user/secret lines on one Cisco box next to you for the colleagues and paste these handful of lines to other Cisco devices? We cannot have an AAA server for this purpose; some of these customers don't even have more than a PC behind the routers. So, simply a local personalized login for us staff is the weapon of choice.

Does anybody know a workaround for this problem?

BTW:

I tried on various switches with 15.x and Cisco-routers ISR4k with IOS-XE 16.x and 17.x ...everywhere the same game.

Thanks in advance for any input!

Kind regards,

Andreas

6 Replies

thomas
Cisco Employee

I suggest moving your question to an IOS switch or router forum, not ISE, since this is clearly an IOS CLI-specific question.

Many thanks, Thomas, my fault when creating that post in sort of a hurry

Hi

There are many similar posts here. It seems Cisco changed some security policy related to it. And if we think it through, it makes sense. Being able to replicate a password between devices is a security risk.

I agree with you and completely understand that concern, but not being able to simply copy and paste a preencrypted/hashed line with a secret is also not too helpful in certain cases.

Just think about it, I would have to let a certain colleague who should help us in monitoring, troubleshooting, or simply a new team member who needs access on a device locally (without using AAA, RADIUS or whatever, because sometimes routers and switches are deployed in a very small environment) on all the devices PER device.

This is a bit overcomplicated, instead of having a set of config lines as a (let's say) default when configuring a new device or simply adding it via script runs with Ansible.

So, I am still searching for a solution for this.

Not sure if it will do the trick, didn't try yet, but maybe I do the same on an old device (MD5) and while pasting it on a new device it gets automatically "leveled up" as type 9.

Let's see

stsagalas
Level 1

I had the same problem until I realized that the encrypted SCRYPT hash uses the $ sign as a separator, and if the "shell processing full" command exists then this creates an issue, as the $ sign is also used as a placeholder for variables.

Remove the command "shell processing full" and copy/paste of SCRYPT hash works as expected.
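
A pre-flight check for the situation described in the reply above, as an added example that is not part of the original thread and not Cisco code: before `username ... secret 9` lines are pasted or pushed with Ansible, it verifies that each Type 9 string is still intact and warns when the target's running config contains `shell processing full`. The function names, the sample values and the `$9$<14-character salt>$<43-character hash>` layout are assumptions of this example.

```python
import re

# Assumed Type 9 layout: $9$<14-char salt>$<43-char hash>, alphabet ./0-9A-Za-z.
# The thread only says "$" is the separator; the lengths are this example's assumption.
TYPE9_RE = re.compile(r"^\$9\$[./0-9A-Za-z]{14}\$[./0-9A-Za-z]{43}$")
USER_RE = re.compile(r"^username\s+(\S+)\s+.*?\bsecret\s+9(?:\s+(\S+))?\s*$")
SHELL_RE = re.compile(r"^shell\s+processing\s+full\s*$")

# Constructed sample values (not real hashes, not device output).
GOOD = "username blabla privilege 15 secret 9 $9$" + "a" * 14 + "$" + "B" * 43
DAMAGED = "username blabla privilege 15 secret 9 " + "B" * 43  # "$" fields lost
TARGET_CFG = "hostname r1\nshell processing full\n"


def shell_processing_enabled(running_config: str) -> bool:
    """True if the config has 'shell processing full' (the 'no' form does not match)."""
    return any(SHELL_RE.match(ln.strip()) for ln in running_config.splitlines())


def check_type9_lines(snippet: str) -> list[tuple[str, str]]:
    """Return (username, problem) for every malformed 'secret 9' line."""
    problems = []
    for line in snippet.splitlines():
        m = USER_RE.match(line.strip())
        if not m:
            continue
        user, secret = m.groups()
        if secret is None:
            problems.append((user, "nothing follows 'secret 9'"))
        elif not TYPE9_RE.match(secret):
            problems.append((user, "not a well-formed $9$ string"))
    return problems


def preflight(snippet: str, target_running_config: str) -> list[str]:
    """Findings to resolve before pasting or pushing the snippet to the target."""
    findings = [f"{user}: {problem}" for user, problem in check_type9_lines(snippet)]
    has_type9 = any(USER_RE.match(ln.strip()) for ln in snippet.splitlines())
    if has_type9 and shell_processing_enabled(target_running_config):
        findings.append("target has 'shell processing full': '$' in the secret "
                        "may be treated as a variable placeholder on paste")
    return findings


if __name__ == "__main__":
    for finding in preflight(GOOD + "\n" + DAMAGED, TARGET_CFG):
        print(finding)
```

Running the same check against the line read back from the target's running config after the push confirms the stored secret matches what was sent.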

Thanks, I'll try it!
